Proliferation and mitigation of Shadow IT

Shadow IT is the use of unsanctioned systems and technology:

• Individual employees or departments typically adopt it to meet a specific need.

• It is introduced to enhance productivity or to resolve immediate problems and challenges but gradually becomes embedded into the business.

• The deployment bypasses a formal IT procurement and approval process.

• Often, it becomes part of a business-critical process without awareness within the IT or Information Security departments.

• Documentation is not always readily available, if it exists at all.

The proliferation of Shadow IT introduces many risks:

• Information security is a significant concern with Shadow IT as unapproved software and services may not adhere to the implemented security standards and leave data vulnerable to cyber-attacks.

• Shadow IT can result in non-compliance with industry regulations and legal requirements, leading to fines and reputational damage. Uncontrolled IT systems could, for example, bypass data retention policies.

• The IT and Information Security departments lose visibility and control over technology, and that can disrupt troubleshooting, security monitoring, and ongoing maintenance.

• Unsanctioned IT solutions can lead to unexpected expenses such as:
  • Needing to find specialised skills because of staff turnover
  • Replacing the system with an approved alternative
  • Integrating processes into existing solutions

• When employees use unapproved software tools, it can lead to:
  • Information stored in multiple locations without managed data backups
  • Data fragmentation or data loss, and consequently, the use of incorrect versions of data or incomplete data sets to make decisions.

Countermeasures for addressing Shadow IT include:

• Raise awareness throughout the business about the risks to ensure employees understand the importance of IT policies and procedures.

• Develop and communicate clear IT policies and guidelines for requesting new software solutions.

• Implement IT governance that involves key stakeholders in the decision-making process for IT purchases.

• Maintain an inventory and assess the IT environment to identify unauthorised software or services.

• Work closely with business units to understand their needs and make it easier for employees to use approved alternatives that fulfil their requirements.

• Encourage open communication between IT and other departments to understand their needs and challenges.

• Implement robust security measures to mitigate Shadow IT risks.

• Provide training and support for employees in using approved IT solutions to reduce the motivation to seek or develop unauthorised alternatives.