The phrase “Shadow IT” refers to products and services used by employees without the knowledge or approval of the IT department.
Shadow IT is everywhere: it can be found in just about any department of any organization. When Frost & Sullivan surveyed line-of-business (LOB) and IT managers, they found that 80% of respondents admitted to using non-approved SaaS applications for their work. Moreover, the survey found:
Non-approved applications represent a sizable proportion of all SaaS apps used in a company. According to respondents, the average company utilizes around 20 SaaS applications; of these, more than 7 are non-approved. That means you can expect that upwards of 35 percent of all SaaS apps in your company are purchased and used without oversight.
Popular categories of shadow IT applications include business productivity, social media, file sharing, storage, and backup, according to the survey.
Why are employees using shadow IT? Frost & Sullivan found that these employees just want to get their jobs done. Many shadow IT users felt that the applications they selected met their needs better than those selected by the IT department. In some cases, the employees were already familiar with the applications they selected, and they felt further swayed when the applications were free. In many organizations, there was confusion about who had the authority to select an application: was it the department or IT? Lacking clear guidance from management, employees decided to act for themselves.
If this ad hoc provisioning seems to be meeting employees’ needs, why not just let it continue? Unfortunately, enterprises must stop shadow IT, because it creates enormous security risks and can lead to data breaches and regulatory fines.
How can an enterprise—especially an enterprise in a highly regulated industry such as financial services or healthcare—possibly keep track of all its confidential files if employees are posting files to an ad hoc collection of unmonitored public-cloud file sharing services? How can the finance department of any public company claim it is complying with Sarbanes-Oxley requirements for managing the distribution of financial data, if it has no idea how its files are being distributed?
Files leaked through shadow IT can make the shadow itself especially long, dark, and gloomy, once data breaches are publicized and regulatory penalties accrue.
Enterprises need to take action.
First, they should establish clear policies about who can select which type of application. If IT is in charge, this should be made clear. If departments have leeway to select certain types of applications, that, too, should be made clear.
Next, enterprises should educate employees about the risks of public-cloud services that might leak files or admit malware to the network.
Finally, enterprises should select and provision SaaS services that are as powerful and easy to use as those being used in shadow IT. Employees are turning to applications to get their work done. Enterprises would be wise to select applications and services that let their employees do just that.