5 ways to deal with shadow IT

  • Shadow IT services are any software, device, or service not officially sanctioned or managed by internal technology authorities.

  • Most shadow IT is introduced to solve problems, rather than provoke mayhem.

  • In the interest of innovation, shadow IT can be embraced and managed rather than banned outright.

Like clutter on a desk or Cheerios in the back seat of a family car, shadow IT piles up when no one is looking. Shadow IT is the murky world of third-party applications and services that find their way into your workplace without approval or oversight.

Recent years have seen dramatic growth in shadow IT, from early handheld devices and mobile phones to pioneering cloud services, not to mention all manner of portable storage. For years, a popular recommendation in IT and security literature was a zero-tolerance policy, designed to seek out and prohibit any and all unauthorized technology.

IT leaders should consider instead a sunshine policy meant to invite discussion and disclosure of shadow IT services without overly stigmatizing them. After all, mandating that all technology receive an IT department blessing means that the business can only innovate at the pace of departmental politics and procedures. That kind of restriction puts a serious clamp on growth.

Consider these 5 do’s and don’ts as you grapple with the genuine challenges (and opportunities) of shadow IT:

1. Don’t treat the individuals who introduced shadow IT services too harshly unless they have created an immediate risk or have violated other basic principles. Workers who turn to shadow IT products typically do so to solve a problem in the most expedient and effective way. Treating someone who is only trying to succeed and blaze new trails as though they have stolen the crown jewels is more likely to create resentment than to set a good example for the future.

2. Do work with shadow IT users to find a quick way to either retire their use of the outside system, or bring that system into compliance with internal IT policies. Sometimes this is just a question of educating the right users about resources already available to them inside the firewall. Few employees are fully trained and aware of the entire scope of tools and platforms available in even a modest-sized organization.

3. Do provide security awareness training on at least an annual basis. Training should include an overview of shadow IT policies, as well as a refresher on avoiding social media exploits and phishing attacks. This action alone will put you ahead of half of the corporate world.

4. Don’t underplay the genuine risk of shadow IT. Once sensitive data is turned over to a third-party system, such as a cloud-based file storage service, it is only as secure as that vendor’s protection – and the liabilities introduced by their technology partners. This risk-multiplier effect can expose large amounts of data to sophisticated attackers who leave no stone unturned when looking for a point of entry.

5. Do address the root causes that drive your colleagues into the arms of shadow IT providers. If users are unaware of IT procurement policies or find it too cumbersome or unwelcoming to even open a request, find ways to be more accessible and transparent. If users are starting requests but then finding ways to circumvent IT because the procurement cycle takes too long, look for ways to drive inefficiencies and delays out of the process.

As you rethink your approach to dealing with shadow IT, don’t go it alone. Learn more about the breadth of network security products and services available from AT&T.

Jason Compton is an internationally published writer and reporter with extensive experience in enterprise technologies, including marketing, sales, service, and collaboration. All opinions are his own. AT&T has sponsored this blog post.
