Shadow IT (sometimes known as “stealth IT”) is the array of systems, services, and devices that employees use for business purposes without the approval or knowledge of their organization’s IT department. Common culprits include the unsanctioned use of personal collaboration applications and cloud-based storage solutions, as well as personal devices and systems.
Many workers are guilty of shadow IT practices without even realizing there’s a problem with it. In fact, there’s a good chance that plenty of people reading this article have been perpetrators at some point in their careers.
For example, plenty of teams fall into the habit of using their personal Dropbox or Slack accounts to share business files internally and externally. What may have started as a way to quickly and easily share the occasional document can quickly become a default (and dangerous) part of a department’s standard operating procedure. This kind of process is so commonplace that digital security company McAfee estimates that shadow IT cloud usage is at least 10 times greater than legitimate cloud usage.
Shadow IT isn’t just a software or cloud solution issue either. As more and more organizations have embraced remote working environments, the use of unauthorized hardware has also become increasingly common. Unsurprisingly, people want to work from the devices they have at hand and prefer to use. As a result, it’s easy to see how sensitive documents end up being downloaded to personal devices like phones and tablets, even if this goes against company policy.
What’s the harm?
Employees are using their own devices and solutions without jumping through the IT department’s hoops. So what? What’s the problem with that?
As with many security issues (both digital and physical), the implications and consequences of shadow IT activity often don’t become problematic until the moment something goes wrong.
Let’s take the common example of employees using personal cloud apps and solutions for work. Plenty of people use services like iCloud and Google Drive to share data quickly and easily with colleagues, customers, and partners.
This can fly under the IT department’s radar until an employee shares sensitive files with someone who lacks the correct privileges, or who is outside of the organization entirely. This can be bad enough when confidential business documents are exposed to unauthorized parties. But if those files include healthcare records or financial information, organizations can run into significant legal ramifications.
This isn’t just a theoretical issue. In 2021, Pennsylvania’s Department of Health ended a $28M contract with IT company Insight Global after employees used an “unauthorized collaboration channel” to share documents related to the state’s COVID contact-tracing scheme. The personal data of more than 70,000 Pennsylvania residents was exposed to attackers, including their contact details and elements of medical information.
Shadow IT also raises several policy issues. For example, when an employee leaves the business to work for a competitor, the IT department will usually ensure they no longer have access to sensitive files and data. But how can the business know that this worker has access to an unauthorized group Dropbox account that’s being used to share sensitive strategy documents between offices?
Working on convenience
Shadow IT is a problem that needs to be tackled. The question is how to do it.
Part of the answer is simply acknowledging that shadow IT isn’t something that’s likely to ever go away entirely. Hybrid working looks set to remain a mainstay of the corporate world, and organizations cannot control external environments.
It’s also important to acknowledge that eliminating shadow IT isn’t simply a matter of imposing more protocols and laying down stricter rules over the use of company equipment. People don’t turn to shadow IT practices because they’re trying to bend the rules or act maliciously. Rather, they do it because it’s more convenient than using the organization’s authorized IT services, or because it offers something those services cannot provide.
Clamping down on this kind of shadow IT without providing any legitimate alternatives might help with security in the short term. But without a simple and straightforward alternative to use, new restrictions will ultimately drive employees back to these same risky file sharing and collaboration practices.
A welcome alternative
Instead, one of the best ways to combat the spread of shadow IT is to provide modern solutions that are familiar and intuitive to your workforce. Organizations must support employees’ need to share information quickly, easily, and securely, and to collaborate on business-critical documents with internal and external stakeholders.
There are several ways to begin implementing this throughout an organization. These include:
- Eliminate Information Silos: Employees need to be able to quickly and easily find documents. If this information is difficult for them to access, they’re more likely to turn to their own systems and apps for storing and sharing them.
- Introduce Easy-to-Use Solutions: Nobody likes being made to use awkward, slow, or confusing systems. If the solutions you offer are less convenient than shadow IT workarounds, don’t be surprised by low adoption rates.
- Educate and Train Employees: Even if your solutions are effective, some employees may simply be more comfortable with the unsanctioned solutions they’ve gravitated to. Offering training on your preferred systems can help to boost take-up.
- Automate Document Workflows: If employees don’t have to initiate and manage the process of sharing and storing documents themselves, they have little reason to turn to their own systems and apps. Automating manual document-centric workflows means that employees don’t have to handle documents themselves, so the need to find another tool for sharing files becomes moot.
Ultimately, shadow IT is not a problem that can be eliminated overnight, or by a single initiative. However, by working alongside employees, it is possible to move towards an approach that reduces the likelihood of an information security breach, reduces the strain on IT resources, and improves employee productivity.
Ron Cameron, KnowledgeLake
Since KnowledgeLake's inception in 1999, Ron Cameron, president and co-founder, has taken great pride in creating a positive company culture where employee and customer satisfaction are the highest priority. KnowledgeLake is a cloud-native solution for document processing that enables organizations to capture, process and manage their content in a single platform. The company combines intelligent document capture and robotic process automation (RPA) to increase productivity. Two million users worldwide employ KnowledgeLake to work faster and more efficiently.