Shadow IT occurs when employees circumvent organizational controls and policies by using unsanctioned IT resources that company IT does not regulate. This is frequently referred to as Bring Your Own Cloud (BYOC), and is sometimes referred to as Rogue IT. A common example is when a user stores company documents on a publicly available file sync and share service, such as Dropbox. As organizations become increasingly mobile, the incidence of shadow IT behavior is most certainly intensifying.
There are many legitimate reasons that explain the rapid emergence of shadow IT.
It’s convenient. With a quick visit to the app store, users can give themselves access to company information on nearly any mobile device, and more importantly, from any location. The availability and practicality of cloud and SaaS (Software as a Service) applications has never been higher than it is today.
Employees just want to do their jobs. There’s nothing underhanded or malicious about shadow IT; users simply want to use the applications they’re familiar with in order to perform their jobs more efficiently and effectively.
Everybody does it. A recent report sponsored by McAfee reveals that 83% of surveyed business and IT workers admit to using non-approved cloud and SaaS applications for work purposes. Many users view the widespread acceptance of these applications as justification for their own involvement.
Policies are unclear or unknown. Many employees may be unaware that a cloud or SaaS policy even exists within their organization. With technology evolving so rapidly, it is imperative that IT departments continually review and revise policies to account for emerging technologies.
There are limited options. When sanctioned and approved tools and applications aren’t equipped to perform needed functions, users look to the cloud.
There’s also a dark side of shadow IT, and it is often unintentional. Unforeseen catastrophes can occur when sensitive company information leaks due to carelessness at the end-user level, or worse, at the provider level. However, the risks associated with cloud and SaaS application use are no different from those of email mishaps, so user education and self-awareness are the most effective methods of risk prevention.
A successful IT department must establish a policy that aligns with business objectives. In order to out-maneuver competitors by being agile, innovative, and responsive, employees must have the freedom to find creative solutions to business problems using any tools necessary. That demands a broad policy rather than a restrictive one. There is a fine line between security and accessibility, which is why IT departments must determine the appropriate balance and oversight of cloud and SaaS services rather than implementing either a free-for-all or a shut-down policy. It is not feasible for corporate IT to regulate every single aspect of technology within an organization, but it is the IT department’s responsibility to mitigate the risk of security breaches, data loss, and exposure of confidential information.
Striking the delicate balance between security and convenience is essential. Rather than restricting usage, the goal should be to expand the software tools available to employees so that workers can do their jobs better without compromising security or increasing liability.