Today and for several years, the emergence of the "Shadow IT" phenomenon in an enterprise's information system is undeniable.
Shadow IT refers to the use of software solutions within an organization that have not been officially approved by the IT department. This can range from unauthorized applications and cloud services to the use of personal devices for work.
Shadow IT primarily emerges from employees' desire to enhance their productivity with simple and modern digital tools, often bypassing formal procedures in the process.
However, while it can enhance individual and collective productivity, it encompasses significant risks, often overlooked, for the organization.
But how does Shadow IT appear?
If users resort to Shadow IT, it's because they believe the existing SI doesn't provide the solution to meet their needs.
This can also be linked to efficiency: In their personal lives, users have gotten used to using applications with excellent ergonomics: On their smartphones or their software ecosystem, publishers have done significant work ensuring optimized usage.
Back at the office, these same users may be disappointed with the interfaces of the business applications and may then think about alternatives they encounter outside the company:
The use of Dropbox and Google Drive has exploded in companies while these companies have been able to invest heavily in a DMS (Centralized Document Management). But the use is often much simpler and many integrations are possible.
Why use a CRM complicated by numerous management rules when you can make a CSV export in an Excel spreadsheet and share it among the team?
Notwithstanding potential issues, users ultimately find the results they're looking for with these tools. They're often ahead of the implemented business solutions, particularly in terms of ergonomics, performance, collaboration features, and integration capabilities.
In summary:
The best tool to meet a need within a team is not among the applications "approved" by the IT department. This often pushes users to adopt an additional service that helps them meet a specific business need, gain a competitive advantage in their market, or collaborate more effectively.
Users are not aware of the security risks inherent to Shadow IT: Users may not be deliberately trying to bypass the controls set up by their IT department, but they are simply unaware that their actions could compromise the company's sensitive data and increase the risk of data breaches and attacks.
In what forms is Shadow IT found?
Shadow IT can come in different formats.
Excel spreadsheets : We often forget about them, but Excel files multiply quite quickly within a company. Some then become structuring for a team's activity and if you're a bit handy you add intelligence to them through macros or advanced formulas. In itself, this becomes an application in its own right.
SaaS applications: The SaaS ecosystem is growing every day. It is now the preferred deployment mode for publishers and this makes deployment very easy. The business teams then grab their credit card and can use a new application solution without anyone's help.
Native applications: Depending on the level of rights granted to employees, it is entirely possible to also find native applications installed on user stations, without the IT department's approval.
Applications projects without calling on the IT department: In certain organizations, perhaps in certain teams, it is common to think that certain projects should be carried out by the relevant business. This is sometimes the case for communication or marketing needs: A WordPress or Webflow site is quickly deployed and then becomes complex and requires data exchanges with other "blocks" of the information system.
BYOD: The use of personal devices is often regulated by the IT department (via an ISSP or a dedicated policy). However, it is very tempting for a user to open and exploit an application initially installed for personal use. It is difficult to establish a boundary between personal and professional use.
The Risks of Shadow IT
Despite the apparent benefits for the user (productivity, ease of use, autonomy), Shadow IT presents certain risks. The most significant is undoubtedly the one related to security. Indeed, tools used without control are not always up-to-date in terms of security and can thus represent a potential breach for the company.
Moreover, Shadow IT can also involve legal risks. The use of unauthorized software can, for example, lead to a violation of licenses, putting the company in an irregular situation.
The management and maintenance of IT systems can also be complicated by the unauthorized use of hardware and software. This can lead to an increase in costs and the complexity of operations.
Cybersecurity Risk
Since the IT department does not know them, they cannot control the security level of Shadow IT: Authentication, the security level of the application itself, or the level of sensitivity of the data cannot be assessed in a vulnerability audit or taken into account in the control of an Information System Management System (ISMS).
Compliance Violation
Organizations can unknowingly violate data compliance laws. For organizations that must comply with data protection regulations (for example, GDPR), it is imperative that they have the ability to track and control how data is processed and shared. When employees use unauthorized tools to process sensitive data, they may inadvertently expose their organization to the risk of violating these laws, which can result in heavy penalties and fines.
Data Leaks
Sensitive data can be compromised or stolen. Attackers can exploit configuration errors and vulnerabilities in cloud-hosted services, thus paving the way for data breaches and other cyberattacks. These attacks can be conducted unknown to the IT service, especially when they target unauthorized (and possibly insecure) applications and tools. And remedying these attacks can prove costly: in a study conducted in 2020, IBM estimated that data breaches caused by poor cloud configuration cost on average $4.41 million.
File sharing is a common practice which makes firms vulnerable in several ways.
Firstly, it opens the door to data exfiltration and can become very dangerous if malware performs unauthorized data transfer. Sensitive data can be captured, destroyed, disclosed, and even sold.
File sharing tools also allow users to surpass the normal limits of sending attachments. Malicious individuals could download and store huge amounts of company data. Even well-meaning business users can send document sharing links by email without realizing that the data contained in these files are therefore exposed to dangers.
Lack of Integration
In France, we talk about the Urbanization of the information system: Data exchanges and processing need to be controlled, sometimes rationalized so that the SI is built to support the company's strategy.
Shadow IT escapes the IT department who can therefore not take it into account in its application mapping or in the optimization of business processes. Applications appear incoherently,
Additional Costs
Shadow IT causes the appearance of duplicate applications in the company:
The same application may have been subscribed to several times by different teams. The costs will very often be higher than a single instance deployed for several entities.
For the same need, two different but functionally comparable applications are subscribed to. This can be the case for project tracking applications like Trello and Monday, for example.
How to Manage Shadow IT?
Managing Shadow IT is a challenge for IT departments as a too strict approach could harm productivity, while a lax approach could increase associated risks. Below are suggested strategies:
Knowledge and Understanding: It's crucial to identify the extent of Shadow IT within the company. Application mapping solutions like Kabeen are useful for this.
Shadow IT Detection: Shadow IT detection tools help IT teams to track and analyze employed systems and services, allowing them to create policies to authorize, restrict, or block certain tools.
Using a Cloud Access Security Broker (CASB): A CASB ensures the security of applications and services in the cloud using various security technologies. It often takes the form of a proxy within the company.
Education and Communication: Once Shadow IT risks are identified, they need to be clearly explained to all employees. Trainings on good IT practices could be useful.
Enhance Employee Training in Risk Management: Employees may not be aware of Shadow IT risks. Training on best practices can help alleviate this problem.
Offer Secure Alternatives: Often, employees resort to Shadow IT because the official tools don't meet their needs. By offering ergonomically-designed and secure alternatives, the IT department can mitigate this phenomenon.
Communicate with Employees about Their Tool Needs: Creating an open and blame-free discussion environment can help identify specific employee tool needs and promote a safer work environment.
Conclusion
To summarise, Shadow IT, although it can increase individual productivity, presents risks that are essential to anticipate. A balanced solution must involve a clear IT policy, good communication, and the implementation of secure and ergonomic tools that meet the needs of employees.
Ultimately, Shadow IT constitutes both a challenge and an opportunity for businesses.
It's crucial to understand that its usage is not merely a refusal to comply with internal policies, but a sign that the existing technological tools may not meet the users' needs.
Instead of outright forbidding it, it would be beneficial to channel this initiative by offering secure alternatives that comply with the company's requirements while meeting user expectations.
This demands constant user awareness, robust IT governance, and a proactive effort to identify and control Shadow IT within the organization.
