Lurking in the 'Shadow IT'
Updated: Jun 6, 2022
Shadow IT has become an increasing threat to organizations, especially as we adopt more cloud solutions and access them from remote devices.
What is Shadow IT? It is the deployment of cloud solutions, software-as-a-service (SaaS) and devices by employees and departments without the knowledge of the IT department or service provider. In short, these are unsanctioned services and devices.
For example, the marketing department decides to deploy a new cloud service that may store or access sensitive customer data. While it may appear safe, there are a multitude of issues to consider, such as key cybersecurity or compliance requirements.
There are several reasons that employees may decide to take it upon themselves and deploy Shadow IT. They may be frustrated with the current solution and experience recurring issues such as slowness, inability to access remotely, or constant errors. They may favor a particular solution over the one the company owns. The company’s solution may not have all the features they need. Or, they may not have experience in using the current solution and prefer one where they are more skilled and productive.
Regardless of the motive behind Shadow IT, it can lead to a number of costs and problems for a business. This includes potential costs for security breaches and stolen data, fines for compliance incidents and reputational costs. Additional costs will include paying for redundant solutions while creating productivity and integration issues overall for the company.
In this blog we’ll discuss some of the trends and financial costs of Shadow IT, plus how you can develop a sound policy and framework for supporting Shadow IT.
Shadow IT trends
Some recent research and trends highlight the financial and security implications of Shadow IT.
For instance, this research report found Shadow IT has exploded by 59% due to Covid-19, with 54% of IT teams considering themselves ‘significantly more at risk’ of a data breach. Another recent study published by Forbes Insights and IBM notes that 21% of organizations experienced cyber events due to unsanctioned Shadow IT resources.
Shadow IT started trending even more during COVID. Companies scrambled to enable work-from-home cloud and SaaS solutions. Cloud SaaS solutions became attractive targets, representing 45% of incidents according to IBM’s research on Shadow IT. IBM concluded that cyber-criminals exploited configuration errors and known vulnerabilities within apps, many of which were undetected due to employees using unsanctioned solutions and services.
The cost of Shadow IT
Shadow IT is particularly prone to driving up the costs associated with security incidents and operational processes.
Security costs come in the form of recovery from data breaches and fines for regulatory non-compliance matters.
Data breach incidents: When heads of business units make decisions on deploying cloud solutions, they bypass the IT department/provider and the due diligence that ensures a solution meets certain security requirements, such as multi-factor authentication (MFA). These Shadow apps are also inherently less secure because they haven’t been integrated into the organization’s security workflows, thereby increasing the risk of breach.
Fines and Penalties: Many organizations today must comply with specific IT security requirements to stay compliant and to avoid fines or penalties. For example, health care organizations must encrypt personal-health-information (PHI) or risk being fined if discovered.
Additional costs may come in the form of a non-payout from a cyber-insurance provider whose contract carries specific IT security stipulations. The Forbes Insights study mentioned above confirms this: 56% of those who suffered a cost due to a security incident with their SaaS app were not compensated by their insurance providers.
Operational costs represent real dollar expenses plus productivity costs. Both are inherent in Shadow IT.
Over-subscribing licenses: Shadow IT can undermine the efforts of the organization to control and centralize IT costs. Typically, a company will subscribe to a specific number of licenses for users of its corporate solution. But if Shadow IT is being used instead of the corporate solution, then these paid-for licenses go unused or underutilized, resulting in wasted IT costs.
Discount opportunities: When procuring cloud software, the pricing is almost always discounted based on the number of users being subscribed; the more licenses being subscribed, the lower the cost per user. Shadow IT undermines this centralized procurement practice, which may result in a higher cost for the company’s cloud solution.
Failed integration with business: Today’s cloud solutions often provide support for specific integrations to other line-of-business solutions, such as your order entry software. When procured centrally, there will be more thought and consideration into these integrations. When done by the department they are likely to focus only on their own business needs versus the overall needs of the company.
Business alignment and collaboration costs: Shadow IT can hamper productivity if internal teams are using different tools for collaboration. File share solutions are a good example: one department is using Dropbox while another may be using OneDrive.
Embracing Shadow IT
Shadow IT is typically the result of well-intended employees trying to do their job and searching for a better solution than what they have. They want something that is faster, or has specific features. Sometimes, Shadow IT is the result of the IT department/provider not being responsive to their needs.
A more effective approach is to embrace Shadow IT and understand the cause for its adoption. This will lead to better decisions about these Shadow IT solutions and how to incorporate them into the cybersecurity framework, company culture and user experience.
Microsoft recommends its Shadow IT Discovery Lifecycle model, which provides a structure for embracing Shadow IT and a process for analyzing and adopting it.
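Any discovery lifecycle begins with the same practical step: working out which cloud apps are actually in use, which is normally done from proxy or firewall logs. The script below is an added example written for this post; it is not RIATA's tooling or part of Microsoft's product. It uses a constructed CSV log in a simplified proxy format, a constructed domain-to-app catalog and a constructed list of sanctioned apps, then reports each app's users, departments and outbound volume and flags the unsanctioned ones. Real log exports and the domain catalog will differ and need to be mapped to these field names first.

```python
"""Shadow IT discovery from proxy/firewall logs (constructed example)."""
from collections import defaultdict
import csv
import io

# Constructed sample log in a simplified proxy format (assumption: a real
# export will have different columns; map them to these names first).
SAMPLE_LOG = """timestamp,user,department,dest_host,bytes_out
2022-06-01T09:02:11Z,alice,marketing,api.dropboxapi.com,5242880
2022-06-01T09:03:40Z,bob,finance,onedrive.live.com,102400
2022-06-01T09:05:02Z,alice,marketing,content.dropboxapi.com,10485760
2022-06-01T09:07:19Z,carol,marketing,app.hubspot.com,20480
2022-06-01T09:09:55Z,dave,sales,app.hubspot.com,40960
2022-06-01T09:12:31Z,erin,finance,onedrive.live.com,204800
2022-06-01T09:14:08Z,frank,engineering,cdn.jsdelivr.net,8192
"""

# Constructed catalog mapping destination domains to cloud apps.
APP_CATALOG = {
    "dropboxapi.com": "Dropbox",
    "dropbox.com": "Dropbox",
    "onedrive.live.com": "OneDrive",
    "hubspot.com": "HubSpot",
}

# Apps the IT department has reviewed and approved (constructed list).
SANCTIONED_APPS = {"OneDrive"}


def app_for_host(host, catalog=APP_CATALOG):
    """Map a destination host to a catalog app using the longest matching
    domain suffix, so 'content.dropboxapi.com' resolves to Dropbox."""
    host = host.lower()
    best = None
    for domain, app in catalog.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, app)
    return best[1] if best else None


def parse_log(text):
    """Parse CSV proxy log text into a list of row dicts with integer bytes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def discover(rows, sanctioned=SANCTIONED_APPS):
    """Aggregate traffic per cloud app and mark whether each is sanctioned."""
    report = {}
    for row in rows:
        app = app_for_host(row["dest_host"])
        if app is None:
            continue  # not a catalogued cloud app; leave out of the report
        entry = report.setdefault(app, {
            "users": set(),
            "departments": set(),
            "bytes_out": 0,
            "sanctioned": app in sanctioned,
        })
        entry["users"].add(row["user"])
        entry["departments"].add(row["department"])
        entry["bytes_out"] += row["bytes_out"]
    return report


def unsanctioned_apps(report):
    """Names of discovered apps that IT has not approved, sorted for review."""
    return sorted(app for app, entry in report.items() if not entry["sanctioned"])


def by_department(report):
    """Which unsanctioned apps each department is using; the starting point
    for the conversation about why the sanctioned tool was not enough."""
    usage = defaultdict(set)
    for app, entry in report.items():
        if not entry["sanctioned"]:
            for dept in entry["departments"]:
                usage[dept].add(app)
    return {dept: sorted(apps) for dept, apps in usage.items()}


if __name__ == "__main__":
    rep = discover(parse_log(SAMPLE_LOG))
    for app, entry in sorted(rep.items()):
        status = "sanctioned" if entry["sanctioned"] else "UNSANCTIONED"
        print(f"{app:10} {status:13} users={len(entry['users'])} "
              f"departments={sorted(entry['departments'])} "
              f"bytes_out={entry['bytes_out']}")
    print("unsanctioned:", unsanctioned_apps(rep))
    print("by department:", by_department(rep))
```

The per-department view is the useful output for the "embrace" approach above: it shows not just that Dropbox is in use, but that marketing is the team using it, which is who to ask about the gap in the sanctioned solution.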
* * * * *
If you need help reining in Shadow IT, RIATA can help by identifying and organizing these Shadow IT resources. We’ll help you analyze them and provide a security framework that will mitigate the costs and associated issues we discussed in this blog.
About the Author: Tommy Wald is CEO of RIATA Technologies, a full-service IT provider located in Austin, TX. He can be reached at TWald@RiataTechnologies.com.