Shadow IT: A hidden threat?

Shadow IT is a term for a decades-old issue that started, occurring when computer technology was becoming inexpensive, available and easy enough to use that departments and individuals didn’t have to go through IT. An example of this would be employees using their home desktop computers, travel notebooks, and mobile devices for work-related activities.

Today, this problem has only gotten worse. Workers use consumer apps and services for messaging, email, file-sharing and remote access. Some employees are even doing “BuildYOA”—according to the third Annual Mobile Business Application survey from Canvas,¹ a provider of cloud-based software services, 400 decision-makers from a range of companies said that:

• 61 percent of businesses created a new mobile app in 2015 without any IT involvement
• 20 percent of the businesses that developed apps without IT support built 10 or more apps
• 81 percent of businesses are somewhat or very comfortable building mobile apps without the IT team’s help
• 76 percent of those surveyed were able to create a cloud-based app in one day or less.

That can add up to a lot of IT hardware, software, services and activity that isn’t under the control of, or even known about, by the IT department. That can be a problem.

Shadow IT activities are understandably tempting approaches for employees. For someone who has been using these unapproved apps on their phone or tablet for years, it may not even occur to them that it might be problematic.

Unfortunately, while convenient for employees, shadow IT can be bad for the company. Data is key to nearly every aspect of your company’s activities. Part of IT’s responsibility is to ensure that data is kept secure from unauthorized access: being misused, changed, deleted, or stolen.

Here’s a quick look at some of the problems that shadow IT can create:

• Regulatory fines: The mere act (or even capability) of viewing or sending sensitive data in an unauthorized way can result in government or industry fines, along with negative publicity. Examples: financial services advisors texting buy/sell advice from their personal phone, or a healthcare professional sending a patient’s personal medical health information through a personal email account.
• Data losses and breaches: Not only can shadow IT open your network up to vulnerabilities and threats, it can store your data in unprotected areas outside of your company, making the risk of a data breach significantly more likely.
• Virus, malware and other threats: Unauthorized devices and accounts may not have the appropriate level of protection, opening up the company to data losses and network breaches. Rule breakers of corporate BYOD plans often expose the network to increased risk by providing a point of entry for hackers and other malicious threats. They also can create a drain on resources that can significantly slow the entire network.
• Added IT costs: While the costs for extra copies of software and related IT support quickly adds up, the cost of unlicensed software can be even more significant. While shadow IT often takes the form of freemium software, these programs aren’t always licensed for commercial use, which can open your company to potential legal action.

It’s essential that companies not only be aware shadow IT is happening, but also identify where it’s happening and what steps to take to address the problem.