“Many IT decisions are now distributed throughout the organization at the line-of-business level. From a security point of view, it’s a nightmare scenario”
What is Shadow IT?
Shadow IT is the use of devices, applications and services that haven’t been sanctioned by the IT department. It is something that IT teams have had to contend with in various shapes and forms for many years, beginning when employees used to download files onto a floppy disk or USB drive to work from home. A modern example of Shadow IT is the adoption of cloud-based software where end users are easily able to use web-based services without the need for centralized IT to deploy and implement.
Why do employees use Shadow IT?
Most of the time, Shadow IT happens because well-intentioned employees are trying to do their jobs. A strategic approach for IT teams is to understand what is driving it. Common drivers include:
- Sanctioned work applications experience difficulties such as persistent latency, system errors or the end user being unable to log in, so they turn to an alternative solution to get the job done.
- Having to go through official channels can be time-consuming and there is always the danger that someone is going to say ‘no’, so rather than consult IT, the business unit may procure it themselves.
- End users may simply prefer a different service. The sanctioned tool may lack a needed feature, or the user may have no experience with it, so they revert to the solution they already know.
Shadow IT is often an outcome of user experience issues. We are all used to having technology readily available and easy to use, so users naturally want something faster; if the IT process is slow, their patience wears thin. IT has traditionally been perceived as a blocker to adopting new technology, whether through long timelines or by simply saying no, which pushes business units to operate in the shadows rather than be forthcoming.
The cost of Shadow IT
Hey, at least employees are finding solutions to their technology problems, right? Not so fast. There are costs lurking in the shadows.
- Financial burden: Gartner has put Shadow IT spending in large enterprises at 30% to 40% of IT spend, while Everest Group puts it closer to 50%. Much of this goes to cloud-based software: Shadow IT cloud usage is estimated to be 10x greater than known cloud usage, and worldwide end-user spending on cloud services was estimated to reach $500 billion in 2022.
- Under-utilization: If Shadow IT is left unmanaged, it undermines the uptake of centralized services. For example, if your product team purchases its own project management tool, the centralized service will probably be under-utilized and licenses will have been purchased unnecessarily.
- Discount opportunities: If you’re responsible for organizational-wide software procurement and implementation, you’re probably in a better position to negotiate and take advantage of volume discounts. You will also want to make sure that your budget stays your budget. If software costs are being reclassified as line of business expenses, you could see your budget drop for the following year.
- Failed integration with business: Another source of cost is continuous migration, stemming from chosen apps no longer fitting their original purpose. When a business unit procures an app, it will likely be done with just the department’s needs in mind. When done via a central buying team, it is likely to form part of a wider technological roadmap, and consideration for integration, compatibility and long-term goals will factor into the purchase decision.
- Business alignment and collaboration costs: Shadow IT can hamper productivity. If different teams are using different tools for collaboration, for instance, an instant messenger, file sharing service or project management tool, it can lead to a fragmented workplace experience.
The cost of Shadow IT goes beyond purchasing or using software. Typically, an IT team conducts technical due diligence and a risk assessment to ensure that a service meets certain requirements, particularly for security. When SaaS procurement is led by business units rather than IT, that oversight is lost. Shadow IT apps are also inherently less secure because they sit outside the organization's security workflows, so they are not covered by its identity, monitoring and incident response controls. This can expose the organization to vulnerabilities and, ultimately, to data breaches.
A 2019 Forbes Insights and IBM survey reported that 46% of IT leaders believe the purchase of unsanctioned software “makes it impossible to protect all their organization’s data”. The same survey found that more than 1 in 5 organizations had experienced a cyber event related to Shadow IT.
With the expansion of remote work come new security risks across networks, the cloud, endpoints and the edge. Cloud applications have become attractive targets: breaches in cloud environments accounted for 45% of breaches in IBM’s 2022 Cost of a Data Breach report, with an average cost between $3.80 million and $5.02 million depending on the cloud model (hybrid cloud at the low end, public cloud at the high end). IBM attributed these breaches to configuration errors and application vulnerabilities; such weaknesses are far more likely to go undetected when the apps in question are unsanctioned services that IT does not know about.
Naturally, these breaches have consequences. The IT department knows which of the programs it uses comply with regulatory requirements such as HIPAA, PCI DSS and GDPR, or whatever applies to your industry or region; business unit leaders purchasing software often do not. Yet Forbes and IBM’s report found that 60% of organizations don’t include Shadow IT in their threat assessment.
Beyond eroding customer trust, use of non-compliant software can result in hefty fines if found in an audit. HIPAA civil penalties can reach $50,000 per violation, and GDPR fines can run to €20 million or 4% of global annual turnover, whichever is higher. Penalties can go beyond fines to jail time: mishandling information in violation of the Gramm-Leach-Bliley Act can carry up to 5 years in prison. None of this includes the cost of data loss and downtime, which a 2014 report by EMC Corporation (now Dell EMC) put at over $1 trillion for that year.
Embracing Shadow IT
The stats look grim, so your first instinct might be to lock everything down and eradicate unauthorized applications. There are tools that restrict employee access to certain websites and apps, and blocking may be part of the solution, but it is nearly impossible to know exactly what should be blocked and what should be allowed, and too much restriction hurts employee productivity and patience.
Instead, IT departments can implement Zero Trust Network Access (ZTNA), which grants access per application based on verified user identity and device posture rather than on network location. This lets users keep working with the applications they like while company and employee data stays under IT’s control: IT gets peace of mind that data is secure, with minimal impact on employees.
Another solution is device management, whether that means Bring Your Own Device (BYOD) policies backed by mobile device management (MDM), or restricting corporate data to company-issued devices. These policies can be combined with ZTNA for extra protection.
Embracing Shadow IT means leaving less in the dark: once IT can see how employees actually use their devices and which services they reach for, it can put tools in place that defend corporate information while working with the user rather than against them.
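As an added illustration of what “illuminating employee technology usage” looks like in practice (this is example code, not from the original post or from Jamf), the Python script below reads web-proxy log lines, matches each destination against a catalog of known SaaS domains, and reports the apps that are in use but not on the sanctioned list, along with the approved tool in the same category that each one duplicates. The log lines, the SaaS catalog and the sanctioned list are all constructed for this example; a real deployment would feed it your proxy, DNS or secure web gateway logs and a maintained SaaS catalog.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample web-proxy log lines (not real traffic), one request per line:
# "<timestamp> <user> <method> <url> <status>"
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET https://app.slack.com/client/T1 200
2024-03-04T09:12:05Z alice POST https://files.slack.com/upload 200
2024-03-04T09:13:10Z bob GET https://www.notion.so/workspace 200
2024-03-04T09:14:22Z carol GET https://www.notion.so/page 200
2024-03-04T09:15:00Z dave GET https://app.asana.com/0/home 200
2024-03-04T09:16:30Z erin GET https://drive.google.com/drive 200
2024-03-04T09:17:45Z bob GET https://we.tl/t-abc 302
2024-03-04T09:18:00Z frank GET https://wetransfer.com/downloads/x 200
2024-03-04T09:19:00Z alice GET https://intranet.example.com/ 200
"""

# Hypothetical SaaS catalog for this example: domain -> (app name, category).
SAAS_CATALOG = {
    "slack.com": ("Slack", "messaging"),
    "notion.so": ("Notion", "project management"),
    "asana.com": ("Asana", "project management"),
    "drive.google.com": ("Google Drive", "file sharing"),
    "wetransfer.com": ("WeTransfer", "file sharing"),
    "we.tl": ("WeTransfer", "file sharing"),
}

# Apps IT has approved and integrated into its security workflows (assumption).
SANCTIONED = {"Slack", "Asana", "Google Drive"}


def app_for_host(host, catalog=SAAS_CATALOG):
    """Match a hostname against the catalog, trying the host itself and then each
    parent domain (files.slack.com -> slack.com) so subdomains map to the same app."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in catalog:
            return catalog[candidate]
    return None


def parse_line(line):
    """Extract (user, host) from one log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, user, _method, url, _status = parts
    host = urlparse(url).hostname
    return (user, host) if host else None


def find_shadow_it(log_text, catalog=SAAS_CATALOG, sanctioned=SANCTIONED):
    """Return the unsanctioned SaaS apps seen in the log, who uses them, and which
    sanctioned app in the same category they duplicate (the under-utilization cost)."""
    usage = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        match = app_for_host(host, catalog)
        if match is None:
            continue  # intranet, CDNs, anything not in the catalog
        app, category = match
        rec = usage.setdefault(app, {"category": category, "users": set(), "requests": 0})
        rec["users"].add(user)
        rec["requests"] += 1

    # Sanctioned apps per category, so each finding can name the approved alternative.
    sanctioned_by_category = defaultdict(set)
    for app, category in catalog.values():
        if app in sanctioned:
            sanctioned_by_category[category].add(app)

    report = []
    for app, rec in usage.items():
        if app in sanctioned:
            continue
        report.append({
            "app": app,
            "category": rec["category"],
            "users": sorted(rec["users"]),
            "requests": rec["requests"],
            "sanctioned_alternatives": sorted(sanctioned_by_category[rec["category"]]),
        })
    # Most widely used unsanctioned apps first: these are the candidates to sanction
    # (or to consolidate onto the approved tool) rather than to block outright.
    report.sort(key=lambda r: (-len(r["users"]), -r["requests"], r["app"]))
    return report


if __name__ == "__main__":
    for finding in find_shadow_it(SAMPLE_LOG):
        alt = ", ".join(finding["sanctioned_alternatives"]) or "none"
        print(f'{finding["app"]:<12} {finding["category"]:<20} '
              f'users={len(finding["users"])} requests={finding["requests"]} '
              f'sanctioned alternative: {alt}')
```

On the constructed log this reports Notion (bob, carol) duplicating the sanctioned Asana, and WeTransfer (bob, frank) duplicating Google Drive, while Slack, Asana and Drive traffic is sanctioned and the intranet host is ignored because it is not in the catalog. The distinct-user count, not the raw request count, is what tells you whether a finding is one person’s habit or a whole team that has routed around IT.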
Find out more about Jamf's latest security offerings to help tackle the issue of Shadow IT in your organization.