With the rise of cloud computing, the internet of things (IoT), and bring-your-own-device (BYOD) culture — plus the latest hybrid working trends — users are increasingly taking IT matters into their own hands. But despite the best of intentions — and even some benefits of using unsanctioned technology — shadow IT has its risks, too.
Shadow IT is here to stay.
Let’s say that your company uses Microsoft Teams for video conferences, but a member of the sales department needs the Zoom app to communicate with a prospect. The employee goes ahead and downloads the software from the internet without consulting the IT department. The person has good intentions, wanting to get the job done, but this falls under the problematic practice of shadow IT.
What Is Shadow IT?
This term refers to “IT devices, software and services outside the ownership or control of IT organizations,” as per Gartner’s definition. Shadow IT examples include attempts to:
- Install unsanctioned apps.
- Connect personal devices to the corporation’s network.
- Solve tech issues without IT guidance.
- Create a new account (for example, signing up for a website with their work email).
Because shadow IT brings both benefits and risks to organizations, opinions on it are divided. There will always be a degree of shadow IT as employees try to customize their use of workplace technology. But understanding the causes of shadow IT offers an opportunity for organizations to enhance digital experience and engagement.
With the right digital experience management tool, IT teams have the visibility necessary to minimize any security and performance gaps.
What Motivates Users to Resort to Unsanctioned Technology
The Covid-19 pandemic and distributed workforces have underscored a lack of IT oversight within organizations as employees connect to corporate networks remotely and take the initiative to improve their own digital experience. Users might resort to unsanctioned technology to fill a need they see in their workday. In other words, they might be trying to:
- Accelerate work processes.
- Work better with external stakeholders.
- Foster innovation by trying new tools.
- Personalize their experience with workplace technology.
- Solve IT problems more quickly.
Going through an approval process in order to use a new service or application might take time and impact productivity. It might also create resistance to finding new and better ways of working and innovating.
Slow support desk responsiveness is another driver of shadow IT. Technical issues are a common source of frustration for employees because they can cause delays and downtime.
Slow resolution impacts staff productivity and engagement, too. If users believe it will take too long to solve IT problems by submitting support tickets, they might attempt to find and use fixes on their own. Lakeside Software’s research into digital employee experience (DEX) indicates that most employees only report a tech issue to IT departments 60% of the time or less.
Higher Productivity and Innovation are Benefits of Shadow IT
Sometimes shadow IT can help foster innovation and productivity. In many cases, employees are only trying to use apps that enable them to stay productive.
97% of the surveyed IT professionals in the U.S. say that employees are more productive when allowed to use their preferred technologies, according to a survey by Entrust, an IT security company. However, Lakeside’s research indicates that only 46% of surveyed employees have all the digital tools and support needed to be productive.
Users often have good intentions in deploying their own tech solutions. Take the example of CCleaner, a popular system cleanup tool that many people download to improve the performance of their computers by removing cookies and unused files and performing other simple tasks. In 2017, bad actors installed a backdoor in this utility software, allowing for the download of further malware. The CCleaner hack affected more than 2.27 million computers, highlighting the risks of downloading apps without IT authorization and control.
Employees are often unaware of company policies regarding shadow IT and lack awareness about security issues. Many companies do not have those policies themselves. Entrust found 37% of surveyed professionals say their organization lacks clarity on internal consequences for using solutions without IT approval.
Security Risks of Shadow IT
The main concern with unsanctioned technology is the lack of control and visibility into the digital environment. IT teams cannot protect devices and applications they don’t know about. This blind spot leaves organizations vulnerable to cyber threats, data breaches, system performance issues, and non-compliance with regulations.
Increased threat exposure
Shadow IT increases the attack surface because there are more devices connected to your network. In other words, there are more access points that could be exploited. A report on cyber resilience suggests that 21% of organizations had cyber incidents due to non-sanctioned IT resources. The study also reveals that 60% of organizations don’t include shadow IT in their threat assessments.
Findings from 1Password’s survey of 2,119 office workers indicate that 63.5% have created at least one account without their organization’s authorization or awareness. The survey also looked at the password habits of those who created shadow IT accounts:
- Reuse of memorable passwords: 33.2%
- Use of a pattern of similar passwords: 48.2%
- Choice of a unique password every time: 2.6%
Weak passwords leave organizations susceptible to security breaches. Compromised credentials could be used to gain access to the corporate network and sensitive information.
Storing data in multiple locations can create system inefficiencies and silos of information. If an employee is terminated, the organization might have difficulties accessing data stored in cloud-based shadow services.
In addition, rogue devices and systems can impact the performance of the network if left unchecked. For example, an incident involving system latency might be caused by unsanctioned software consuming most of the CPU.
Organizations are often subject to regulations about storing sensitive data, and they may face fines or lawsuits if they expose sensitive data to breaches. Shadow IT adds audit points that must be checked to ensure regulatory compliance.
Comprehensive IT Visibility is Critical
Managing cybersecurity concerns is the top priority for 40% of the surveyed CEOs in Lakeside’s DEX research. As per the study, 31% of the surveyed IT staff cited the proliferation of shadow information technology as the main obstacle to ensuring IT provides a superior digital employee experience.
The rise of shadow IT reinforces the need for:
- Outlined shadow IT policies, which can help to empower employees.
- Digital experience management (DEM), which gives IT visibility into what employees are doing.
Role of DEM in Addressing Shadow Information Technology
Digital experience management tools (such as Lakeside’s Digital Experience Cloud, powered by SysTrack) give organizations the visibility they need to counter the security risks of shadow IT. Lakeside’s platform collects experience data through endpoint telemetry and surveys, enabling IT to monitor and measure how employees interact with workplace technology, whether departmental or consumerized IT.
Digital experience monitoring can also help solve users’ pain points and minimize their need to engage in unauthorized practices. Comprehensive visibility enables organizations to:
- Understand what type of applications and devices employees use. With this data, IT can right-size resources based on employees’ needs.
- Ensure employees follow the best practices for cybersecurity and data privacy.
- Maintain regulatory compliance and system performance.
- Monitor threats, scan systems, and patch applications for vulnerabilities.
- Solve IT issues quickly thanks to automated root cause analysis (RCA).
- Take a proactive approach to IT support, fixing issues before users are impacted.