October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives to the IT team to end users. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.
Shadow IT is unknown or unapproved IT initiated by non-IT employees or departments. It’s nothing new — workers have been finding new IT shortcuts and solutions since computers became part of the workplace.
However, the shift to remote work has popularized unsupervised work environments and cloud tools. As these cloud tools become easier to use and workers become more tech-savvy, shadow IT is becoming a bigger problem.
While shadow IT is usually an employee or department’s attempt to work more efficiently, it can negatively affect an organization. Most notably, it creates considerable risk that can be hard to mitigate.
To help IT teams understand and combat shadow IT, this article will explore shadow IT, including common use cases, effects, prevention methods, and ways to identify it in your organization.
What Is Shadow IT?
Shadow IT is software or hardware that circumvents established IT practices and services. Usually, it is the result of employees or teams creating workarounds or using alternative solutions to improve their efficiency, productivity, or experience.
Common Instances of Shadow IT
- Applications: According to Productiv, 42% of the average company’s applications are the result of shadow IT. That was about 78 applications out of the average 187 per company in Productiv’s customer base. Employees may use software or applications they prefer to either replace work-assigned ones or fill a gap in tool functionality.
- Accounts: Employees may create new accounts to complete their work rather than have one assigned. For example, if they don’t have an assigned account for a corporate resource, they may create their own without consulting their department head or IT team.
- Devices: Using personal devices for work without following bring-your-own-device (BYOD) guidelines or receiving approval is a form of shadow IT. Learn more about BYOD security to establish a reliable BYOD policy.
- Integrations and configurations: Manipulating services in ways IT hasn’t prescribed can be a form of shadow IT, like non-native or unapproved integrations. Such integrations can facilitate data sharing that goes against security or compliance guidelines. Custom configurations that fall outside of IT’s scope and guidelines can be another form of shadow IT and can undermine prescribed security settings.
The Effects of Shadow IT
While shadow IT isn’t usually nefarious, it circumvents IT’s visibility and approval process. This can decrease control and consistency while also incurring costs. Above all, it creates significant security risks that can be difficult to mitigate.
Lack of Control
IT teams can’t optimize, secure, or fix tools they don’t know about. Shadow IT bypasses IT’s oversight and ability to prescribe best practices. This opens the door to varied and unsupervised use cases. Employees using unofficial tools en masse create vulnerabilities IT can’t foresee or guard against.
Further, when problems with shadow IT arise, they’re harder to fix. Because IT never optimized the tools or integrated them into the central tech stack, it has limited control over troubleshooting and fixing issues.
Lack of Consistency
Shadow IT increases the number and variety of tools and processes in an organization. This often leads to:
- Disparate internal groups making IT decisions based on different drivers, like time to project completion, cost, and ease of use.
- Employees or departments using different tools to accomplish the same tasks.
- Tool incompatibility, precluding the ability to integrate or share work.
- A lack of consistent policies, which makes activity hard to track and manage.
- Failure to log or track activity within the tool, making troubleshooting difficult.
While shadow IT is usually intended to support productivity, these inconsistencies often end up damaging the organization’s productivity in the long run.
Increased Costs
Sometimes, shadow IT is approved by department heads who circumvent IT (often without the department realizing they’re routing around IT). In these cases, the department may pay for the shadow IT resource. When several departments end up paying for shadow IT resources, the costs compound. Further, people often use shadow resources instead of company-provided ones, allowing the organization-funded licenses or subscriptions to go unused.
In addition to the face-value costs of the tools themselves, shadow IT eliminates the opportunity for the IT department to centralize purchases or leverage existing relationships and software. By contrast, when users and departments consult with IT on their needs, IT can often find cost-efficient ways to serve varying needs with fewer tools.
Shadow IT Security Risks
The most dangerous effect of shadow IT is the enormous amount of risk it generates.
Lack of Security Vetting
Non-IT employees are often focused on user experience when evaluating tools; they don’t typically vet tools for security. They may not even be aware of the security standards against which the organization vets resources. Without proper vetting, employees can bring in tools that don’t meet the organization’s security standards, or use them in ways that introduce vulnerabilities.
Just as employees don’t thoroughly vet resources for security on their own, they also don’t typically do so for compliance. This means that shadow resources themselves can be noncompliant, or the way they’re used can create compliance issues.
Lack of Visibility
One of the IT department’s core objectives should be to keep the infrastructure secure, but IT’s lack of visibility into shadow IT prevents them from securing the infrastructure as a whole. With shadow IT in play, IT can only assess and secure part of the organization’s infrastructure — and securing part of the infrastructure is about as effective as securing none of the infrastructure. One vulnerability — like a shadow IT resource — can act as a gateway to the infrastructure as a whole.
Integration with the Central Infrastructure
In some cases, an employee with a little IT knowledge, or a tool that easily integrates with others, can facilitate integration with the central infrastructure. This creates new security vulnerabilities by allowing an unapproved tool to access the organization’s data and resources.
Sharing Corporate Data
Employees often input corporate data into shadow resources. This data can range from information on projects in production and other employees’ information to financial figures. The lack of visibility and tracking capabilities leaves these resources unattended and unprotected, making them a perfect target for bad actors.
When employees create accounts with shadow IT resources, they’re doing so independently from the central IT infrastructure — and, therefore, separately from their assigned central identity.
Often, users use their corporate credentials when creating accounts with shadow IT resources. This makes their corporate credentials an easy target for hackers, who can use them to access corporate systems.
Because these shadow accounts aren’t connected to the corporate infrastructure, IT can’t track them, secure them, or revoke their access. If security vulnerabilities are uncovered in services some employees are using unofficially, IT has no way to revoke their access or secure those accounts.
Inability to Revoke Access
The inability to revoke access is a serious vulnerability that can follow an organization long after the account owner has left it. Organizations need the ability to offboard employees completely and trust that they haven’t accidentally forgotten any accounts.
However, IT can’t do this with shadow resources in play. Shadow IT undermines effective offboarding, allowing former employees to retain access to company information — and allowing those services to retain company information — indefinitely.
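The offboarding gap described above becomes concrete once IT gets hold of a user export from a service that was adopted outside its control. The following is an added example, not JumpCloud’s code: it reconciles a constructed SaaS user export against a constructed directory export and flags the accounts that central offboarding could never have revoked (an offboarded owner who still holds access, a corporate address with no directory identity, and a personal address holding company data). The field names and the status values are assumptions.

```python
"""Reconcile a SaaS application's user list against the central directory.

Added example (not JumpCloud's code). All inputs are constructed inline:
a directory export of identities with their status, and a user export
pulled from a SaaS application that was adopted outside IT.
"""
from dataclasses import dataclass

# Constructed sample: central directory export (email -> lifecycle status).
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "offboarded",   # left the company; access should be gone
}

# Constructed sample: user export from a SaaS app that IT did not provision.
SAAS_USERS = [
    {"email": "alice@example.com", "role": "admin", "last_login": "2023-10-02"},
    {"email": "carol@example.com", "role": "member", "last_login": "2023-06-14"},
    {"email": "bob.personal@gmail.com", "role": "member", "last_login": "2023-09-30"},
    {"email": "Bob@Example.com", "role": "member", "last_login": "2023-10-01"},
    {"email": "dave@example.com", "role": "member", "last_login": "2023-10-02"},
]

# Assumption: the domains the organization owns.
CORPORATE_DOMAINS = {"example.com"}


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str     # "orphaned" | "unmanaged" | "external"
    detail: str


def normalize(email: str) -> str:
    """Case-fold and trim so 'Bob@Example.com' matches 'bob@example.com'."""
    return email.strip().lower()


def reconcile(directory, saas_users, corporate_domains):
    """Return findings for SaaS accounts that IT could not have revoked centrally."""
    known = {normalize(e): status for e, status in directory.items()}
    findings = []
    for user in saas_users:
        email = normalize(user["email"])
        domain = email.rsplit("@", 1)[-1]
        status = known.get(email)
        if status == "offboarded":
            # The person has left but the shadow account still works.
            findings.append(Finding(
                email, "orphaned",
                f"owner offboarded; still {user['role']}, last login {user['last_login']}"))
        elif status is None and domain in corporate_domains:
            # Looks corporate, but no managed identity backs it.
            findings.append(Finding(
                email, "unmanaged",
                "corporate address with no matching directory identity"))
        elif status is None:
            # A personal address holds access to company data.
            findings.append(Finding(
                email, "external",
                "non-corporate address holds access to company data"))
    return findings


if __name__ == "__main__":
    for f in reconcile(DIRECTORY, SAAS_USERS, CORPORATE_DOMAINS):
        print(f"{f.issue:9} {f.email:28} {f.detail}")
```

Accounts that map to an active directory identity produce no finding; everything else is a candidate for revocation or for bringing under SSO. Normalizing the address before the lookup matters, since an export that capitalizes differently would otherwise hide a managed user as "unmanaged".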
How to Prevent Shadow IT
Because shadow IT decentralizes IT environments and creates inconsistencies, it’s much easier to tackle at the outset than retroactively. The following are some of the most effective shadow IT prevention methods.
Communicate with the Organization
Often, people engage in shadow IT without realizing that it’s prohibited or dangerous; they think they’ve found a better way to do their job (sometimes, they have).
Two-way communication between IT and employees is important: employees should understand what shadow IT is and why it’s not permitted; likewise, IT should keep a pulse on what’s working for users and what isn’t.
Sometimes, learning what users need or why they’re tempted to create a workaround can help IT develop a better technology environment. Encourage open communication with IT so users feel they can ask for help rather than turn to shadow IT.
Communication pathways for users should be clear: if they feel their technology isn’t meeting their needs, who should they talk to? Who can approve new applications they want or fix frustrating IT elements that tempt a workaround? Make the process of creating an IT request easy, and make sure all employees understand how to create one. A complicated or confusing process can be enough to drive employees to give up on the request and solve the problem themselves.
In addition, make sure the IT representative or team you appoint to handle these requests gives them sufficient time and attention. Answers should be timely, even if they’re a compromise or a “no.” Employees will avoid making help desk requests if they feel they’ll be ignored or take too long to get a response.
Create User-Friendly Environments
Users turn to shadow IT when their environment isn’t serving them. To prevent shadow IT, prioritize employees’ experience with their technology.
Some of the top elements of user-friendliness include:
- Provide easy access to the resources employees need, regardless of whether they’re remote, on the go, or in the office. Easy and reliable resource access is best achieved through a centralized directory that connects users to all the resources they need under one source of truth.
- Stick with the operating systems employees are comfortable with. Mobile device management (MDM) tools that facilitate BYOD or are platform-agnostic allow employees to work with the platforms they’re comfortable with.
- Prioritize UX with user-friendly tools. For the less user-friendly tools you have to have, include sufficient employee training.
- Facilitate agility by providing compatible integrations. Get tools to work together rather than forcing employees to work in tech silos. A robust open cloud directory platform like JumpCloud can connect users to virtually all of the resources they need to do their work.
- Streamline user account management. The average user logs onto over 170 websites with fewer than 20 passwords. Avoid password fatigue and deliver a better employee experience with single sign-on (SSO), which requires employees to remember just one username/password combination while centralizing authentication through SAML and account provisioning through SCIM.
Identify Shadow IT in Your Organization
The first step to combating shadow IT is to identify where it already exists in your organization. This will not only help you guard against it, but it can indicate where your organization could improve its processes, technology, or employee experience.
Employee surveys are a great place to start identifying shadow IT and improving your technology to maintain organizational alignment with best practices. We’ve put together some employee survey questions designed to pinpoint what’s working, what isn’t, and where your technology needs improvement. Read on for the 15 survey questions you should be asking your employees.
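Surveys capture what employees will tell you; web proxy or DNS logs capture what their devices actually talk to. As an added example that is not JumpCloud’s code and goes a step beyond the survey approach the article describes, the script below aggregates constructed proxy log lines per destination domain, drops the domains IT has sanctioned, and reports the rest ranked by how many distinct users touch them and how much data flows out. The log format, the approved list, and the thresholds are all assumptions; the two-label domain reduction is a deliberate simplification.

```python
"""Discover unapproved SaaS use from web proxy logs.

Added example (not JumpCloud's code). The log format and sample lines are
constructed; the approved-application list and thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one request per line, "timestamp user dest_host bytes_out".
PROXY_LOG = """\
2023-10-02T09:01:12Z alice app.approved-crm.example 5120
2023-10-02T09:02:40Z alice drive.unknownfiles.example 91234000
2023-10-02T09:03:05Z bob drive.unknownfiles.example 2048
2023-10-02T09:04:00Z carol chat.teamtalk.example 400
garbage line without fields
2023-10-02T09:05:30Z bob api.unknownfiles.example 1200
2023-10-02T09:06:10Z dave www.newsdaily.example 30000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>[\w.-]+)\s+(?P<bytes>\d+)$")

# Assumption: the registrable domains of applications IT has sanctioned.
APPROVED = {"approved-crm.example", "teamtalk.example"}


def registrable_domain(host: str) -> str:
    """Collapse hostnames to their last two labels.

    Simplification for the example: production code should use the Public
    Suffix List so that e.g. 'x.co.uk' is not reduced to 'co.uk'.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


@dataclass
class Usage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0


def aggregate(log_text: str):
    """Parse the log, returning per-domain usage and the count of unparseable lines."""
    usage = defaultdict(Usage)
    skipped = 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            skipped += 1          # malformed lines are counted, not silently dropped
            continue
        entry = usage[registrable_domain(match["host"])]
        entry.users.add(match["user"])
        entry.requests += 1
        entry.bytes_out += int(match["bytes"])
    return usage, skipped


def shadow_candidates(usage, approved, min_users=2, min_bytes=50_000_000):
    """Unapproved domains used by several people or carrying a lot of data."""
    out = []
    for domain, u in usage.items():
        if domain in approved:
            continue
        if len(u.users) >= min_users or u.bytes_out >= min_bytes:
            out.append((domain, len(u.users), u.bytes_out))
    # Most widely used first, then by volume.
    out.sort(key=lambda row: (-row[1], -row[2]))
    return out


if __name__ == "__main__":
    usage, skipped = aggregate(PROXY_LOG)
    print(f"{skipped} unparseable line(s) skipped")
    for domain, users, volume in shadow_candidates(usage, APPROVED):
        print(f"{domain:28} users={users} bytes_out={volume}")
```

The thresholds keep one-off browsing (a single user reading a news site) out of the report while surfacing a file-sharing service that two people already rely on and that has received a large upload. Each hit is a starting point for the conversation the article recommends: find out why the team reached for it, then either sanction it and bring it under SSO or provide an approved alternative.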