Proliferation and mitigation of Shadow IT

Shadow IT is the use of unsanctioned systems and technology:

  • Individual employees or departments typically adopt it to meet a specific need.
  • It is introduced to enhance productivity or to resolve immediate problems and challenges but gradually becomes embedded into the business.
  • The deployment bypasses a formal IT procurement and approval process.
  • Often, it becomes part of a business-critical process without awareness within the IT or Information Security departments.
  • Documentation is not always readily available, if it exists at all.

The proliferation of Shadow IT introduces many risks:

  • Information security is a significant concern with Shadow IT as unapproved software and services may not adhere to the implemented security standards and leave data vulnerable to cyber-attacks.
  • Shadow IT can result in non-compliance with industry regulations and legal requirements, leading to fines and reputational damage. Uncontrolled IT systems could, for example, bypass data retention policies.
  • The IT and Information Security departments lose visibility and control over technology, and that can disrupt troubleshooting, security monitoring, and ongoing maintenance.
  • Unsanctioned IT solutions can lead to unexpected expenses such as:
    • Needing to find specialised skills because of staff turnover
    • Replacing the system with an approved alternative
    • Integrating processes into existing solutions
  • When employees use unapproved software tools, it can lead to:
    • Information stored in multiple locations without managed data backups
    • Data fragmentation or data loss, and consequently, the use of incorrect versions of data or incomplete data sets to make decisions.

Countermeasures for addressing Shadow IT include:

  • Raise awareness throughout the business about the risks to ensure employees understand the importance of IT policies and procedures.
  • Develop and communicate clear IT policies and guidelines for requesting new software solutions.
  • Implement IT governance that involves key stakeholders in the decision-making process for IT purchases.
  • Maintain an inventory and assess the IT environment to identify unauthorised software or services.
  • Work closely with business units to understand their needs and make it easier for employees to use approved alternatives that fulfil their requirements.
  • Encourage open communication between IT and other departments to understand their needs and challenges.
  • Implement robust security measures to mitigate Shadow IT risks.
  • Provide training and support for employees in using approved IT solutions to reduce the motivation to seek or develop unauthorised alternatives.