What is Shadow IT - And How You Can Control It

By Holly Dowden | February 27, 2018

Some of you may remember when IT departments had the ability to fully control almost all technology decisions, and who was allowed to use what application or service.

And then came the cloud, with free or low-cost apps and services from an endless number of SaaS (Software as a Service) providers.

Fueling the fire even further was the proliferation of employee-owned mobile devices, where the employee became used to completely controlling both hardware and software.

Users were quickly discovering it was a lot faster and easier to download their own applications and services, as opposed to waiting for their IT department to source, implement and approve the latest and greatest.

In fact, 80% of workers admit to using unsanctioned applications at work without IT approval (Source: McAfee).

What is Shadow IT?

Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization.

Many will argue that complex IT policies and outdated software that don’t meet departmental needs drive users to go find their own solutions.

Whatever the reason, shadow IT poses a real cyber security risk in the business world.

Each unsanctioned device or application removes an important layer of the “security blanket” and increases the risk of compromise. This is even more important in highly regulated industries.

Your natural instinct might be to clamp down completely on shadow IT, but remember that in part, it’s often a symptom of unmet needs.

Instead of completely blocking employees from using cloud apps, it makes sense to do an audit first to find out who is using what and why. You’ll likely find duplicated technologies, cyber security risks, inefficiencies and an overall lack of a strategic IT roadmap.

At the same time, the very items you find may actually help you get back on track for creating a better IT roadmap that meets the needs of your users!

How to Manage Shadow IT

Companies can successfully control shadow IT with the right employee education and tools. Note that this is highly dependent on the industry you work in – there are some verticals where no unsanctioned apps will be tolerated.

In some cases, shadow IT might be permitted for things like personal productivity tools, but not for mission-critical applications or services.

Employees seeking alternatives to these would need to consult with their IT department (or IT service provider partner) to see whether or not the new solution can be implemented.

6 Tips To Help You Manage Shadow IT:

  • Reduce evaluation times for new technology requests
  • Embrace the cloud – this can speed up implementation time and reduce costs
  • Stay ahead of the latest tech developments to better understand what employees want
  • Create a partnership with business units outside of the IT department
  • Create and get agreement on the right shadow IT policy for your company
  • Reinforce what will NOT be tolerated

Shadow IT Policy

You can establish the ground rules for shadow IT in your company with this ready-made policy from Tech Pro Research. This policy provides guidance on when shadow IT can be permissible, outlines restrictions that could apply, and defines employee and IT department responsibilities.

While it might not be the perfect fit for every organization, it’s a great template for you to use to make your own custom policy – or contact us and we’ll be happy to help you figure out the best way to manage shadow IT in your specific situation.

