With the smartphone and BYOD revolution firmly underway, a new problem has emerged in recent years with regard to what applications workers use within an organisation on their own and work devices. Probably the most highly publicised cases have been surrounding storage; web apps such as Dropbox are very useful for saving documents to access on any machine but don’t necessarily have the standard of security that a business would need. This is all indicative of the blurring of work and leisure, with an increasing number of businesses not only allowing employees to use their own devices for work, but also allowing flexible work hours and remote working. The use of unauthorised apps and technology within an organisation is known as ‘shadow IT’ and it’s now thought to make up a quarter of IT budgets. In a survey carried out by BT, it was found that:

  • 76% of respondents reported unauthorised shadow IT in their organisation
  • 92% said that this was the impact of cloud services
  • 89% said that it’s eroding the traditional power base
  • 58% said that they’re concerned that the CIO’s role could become surplus
  • Almost 75% said that they are more concerned about security as a result of shadow IT

So does shadow IT present a serious risk to an organisation, or are the concerns surrounding security unfounded?

Changing Roles

In the past, all of the organisational IT would have been managed by either the IT department or an IT support company. But the consumerisation of IT has taken this away in that now it’s not necessary to get the go-ahead from IT in order to use mobiles, tablets, laptops and software. When it comes to the latter, licensing has changed and it’s no longer just the domain of the tech department. The marketing department can, for example, go ahead and purchase products that make its life easier without needing approval. Workers are constantly on smartphones and social media has somehow crept its way into the organisation when nobody was looking. Employees want resources that allow them to do their jobs better and this encompasses everything from simple VoIP apps, to storage, to preferring their own device to work on. This has also meant that we’ve seen the role of the CIO come into question too and it’s thought that the title itself may become redundant in coming years. For the telecoms or support providers, this means that there exists an ideal opportunity to effectively become the CIO for client companies so that they can better access services from one supplier, who is also on hand should things go wrong. IT has changed and this means that in order to survive, organisations must also change and adapt.

The Social Intranet

For example, in the past the company intranet was really nothing more than a number of connected machines acting as a storage repository. Yes, you could access files, but you couldn’t work on them simultaneously, nor could you really communicate well with anyone within the organisation through email. Knowledge sharing on the intranet was also a problem in that knowledge wasn’t ever being shared around the organisation, so only a few people had it and they could easily take it elsewhere. The modern intranet is a different animal: it contains social media and Web 2.0 aspects which help employees to better collaborate and do their jobs. Shared workspaces, phone and video conferencing and unified communications have transformed the intranet so that it’s barely recognisable compared with what it was just 20 years ago.

Employees and the Consumerisation of IT

Employees are consumers too and they have discovered technology in a big way. This means that the use of many of the social tools that are now found on the intranet can be considered shadow IT. To overcome this, it’s necessary to first understand that by providing the tools, or allowing your employees to use them, you’re helping your own business to boost productivity and revenue. However, you can’t just let anyone use anything on the network, as it needs to meet compliance requirements and protect data, and consumer-grade products are often just not up to the job. For example, last year it emerged that VoIP app Skype was leaking data that was sent using its chat feature and this isn’t the first time we’ve seen issues with the software. This is of course because it’s very popular and things that are used by a lot of consumers are naturally more frequently attacked. Whilst some employees will be quite tech savvy, it’s safe to say that not all will be and as such, shadow IT presents a problem in that it’s impossible to effectively monitor every person, device and application that’s being used. IT technicians know that it’s most often the end user that causes an issue with IT, so this risk must be mitigated.

Policies and Procedures

To discourage shadow IT, it’s necessary to come up with sound policies and to enforce them, making it clear to users that if the policies are not adhered to then they will be disciplined. An outright ban on shadow IT won’t get the job done though; as Computer Weekly point out: “Taking the IT reins off the business will help organisations to respond more quickly, and to exploit technology to generate more innovative ideas.” This means that those employees who are au fait with technology should be given the opportunity to source their own services within an approved list of suppliers provided by the organisation in the policy document. Since this is what appears to be happening anyway in many organisations, only without approval, it would seem that many have little to lose. To help with this:
  • Talk to suppliers to come to agreements on licensing and use
  • Create policies that set out how applications should be updated
  • Create policies surrounding AV software on mobile devices
  • Allow departments to control their own IT budget for approved software
  • Ensure that employees know the key differences between consumer and business grade software and why those differences exist

Shadow IT can actually help an organisation to become more agile and innovative; it’s all in the way that it’s handled. As long as the workforce are aware of policy and the implications when it comes to security and compliance, then you should be able to control the use of shadow IT. This does mean that compromises have to be made on the part of both the employer and the employee if it’s to be effective though. A modern MDM (Mobile Device Management) solution should be used for BYOD alongside trusted cloud providers and other suppliers, and a sound policy document created for all employees. Add your usual layered security practices to this and there’s no reason why you can’t turn shadow IT from a suspected negative into a positive.
