Shadow IT is a well-known and long-standing organizational issue that has never really been solved. The problem is that it is a boon as well as a threat; and an uneasy balance exists between the two aspects. But with increasing use and familiarity with the cloud and its opportunities, the threat is growing. The threat needs to be tackled, but without destroying the benefit.
Shadow IT is defined by Entrust Datacard as “Any information technology or practice within an organization that is not approved by an organization’s IT department.” The motive, it says, is employees’ desire to find and use anything that makes their work easier and improves their output — and they are often better at finding these tools than is the company itself. That is the benefit of Shadow IT.
The threat comes from the security team’s inability to defend what it doesn’t know about. In 2016, Gartner predicted that by 2020, one-third of successful attacks experienced by enterprises will be on their shadow IT resources. It recommended the development of a “culture of acceptance and protection versus detection and punishment.”
Entrust Datacard surveyed 1,000 IT professionals about their experience with shadow IT. Thirty-eight percent are employed in organizations with 1,001 to 5,000 employees, 20% in firms with 5,001 to 10,000 employees, and 41% in firms with more than 10,000 employees. The purpose of the survey was to find the current balance between boon and threat, and to examine the evolution of ‘acceptance and protection’.
The benefits of shadow IT are clearly understood. Where allowed to use their preferred technologies, 97% of respondents believe employees are more productive, 96% believe staff are more engaged with the company, and 93% believe they are more loyal to the company long-term. Shadow IT is likely to improve productivity and reduce staff churn.
But the respondents believe that organizations are still missing a trick. More than three-quarters of them believe their organizations could achieve a competitive edge if company leaders were more collaborative about finding solutions to shadow IT needs from both IT and non-IT employees.
Belief in the advantages of shadow IT clearly outweigh their view of the security threats. A much lower number (54%) accept that it might introduce security risks to the company — but at the same time, 89% believe that allowing shadow IT makes employees more likely to adhere to IT security requirements.
Despite this strong belief in the business benefit of shadow IT, the survey (PDF) also found that organizations have not implemented a seamless process for allowing staff to recommend new technology. Only 12% of IT departments follow up on all suggestions. Forty-four percent of respondents say this follow-up occurs less than 50% of the time, and an equal number say it occurs more than 50% of the time (but not all the time). At the same time, 46% say that slow approval processes can lead to internal tension.
There is a clear belief that organizations have not solved the staff issues around shadow IT. Eighty percent believe their companies need to be more agile when it comes to deploying technologies suggested by employees. The ‘acceptance’ recommendation put forward by Gartner does not seem to have been adopted. This doesn’t mean that organizations are closed off to the issue — 80% of the respondents say they feel comfortable about speaking up on the issue. But there is a clear belief that organizations are not adequately following up on those discussions; and 77% of the respondents believe that the issue will get worse by 2025 if left unchecked.
For now, many organizations still seem to rely on the Gartner-discouraged ‘detection and punishment’ approach to shadow IT. Forty percent of the respondents said the common response to two shadow IT offenses is termination. The challenge for business, then, is little changed from that of 2016: to improve protection against the threat of shadow IT to better enable acceptance of it, and all the benefits it brings.
Entrust recommends three technology approaches to improve the security of shadow IT: cloud access security broker (CASB), encryption, and improved identity and access management. A zero-trust approach could also be implemented to limit the potential for sensitive data leaking to unacceptable locations. CASBs generally maintain their own databases of cloud app security postures, so apart from providing additional security on the use of shadow IT, they can help the business choose between acceptable and unacceptable third-party apps.
With greater confidence in the ability to mitigate the security threat from these employee-instigated technologies, business can move towards greater acceptance of their employees’ choices — towards Gartner’s recommendation of acceptance and protection. In effect, it solves the problem of shadow IT by finding methodologies to include staff preferences so that it is no longer ‘shadow’ IT. From that position, organizations can enjoy all the benefits of employee app choice and use, without being stymied by the security threat of uncontrolled shadow IT.
Related: Three Ways to Combat Shadow IT 2.0