Designing a Program that Mitigates the Risks and Costs Associated with Shadow IT

Data breaches, security vulnerabilities, and compliance issues are just some of the problems associated with shadow IT, as well as the potential to violate regulatory requirements and risk being out of compliance.

by Erin Geiger, Director of Content at Lumos


From emails to document-sharing software to apps, there are numerous solutions on the market that make work easier. Employees have everything at their fingertips, which is what allows them to download as many one-off solutions as they like. There’s just one not-so-small problem: IT probably doesn’t know about a lot of the tools and apps employees are using. Not only does this mean that they haven’t been vetted to see if they meet security and compliance standards, but they may also be exposing company data and information to malicious parties and increasing the possibility of a data breach. These unsanctioned apps lurking in the background are of course otherwise known as shadow IT.


Shadow IT risk is what keeps IT leaders up at night. After all, it’s their job to protect the company, but they can’t protect what they can’t see. A recent report revealed that 69% of tech executives say shadow IT is their largest security-related concern. But how can IT leaders find and eliminate shadow IT? Our best practices guide will help you root out and obliterate shadow IT both now and in the future.

Managing shadow IT is no small feat because there are so many places employees can go to download what they want. IT staff are already busy enough; they simply don’t have time to find out every single unsanctioned tool or app employees are using. But every tool and app running under the radar poses a huge security or compliance risk, not to mention the potential for bloated licensing costs.

There’s a reason companies deal with shadow IT, and it’s because users aren’t getting what they need when they need it. Employees may find sanctioned tools cumbersome or inconvenient, so they default to using something that they’re familiar with and like. Or, the tools they need simply don’t exist in the sanctioned IT portfolio. Users may also venture outside of company-sanctioned apps because access requests take too long. If it’s thwarting their productivity, odds are they’ll go rogue and start shopping so they can keep doing their jobs.

How shadow IT impacts your organization

It all comes down to security and cost. Regardless of why employees use unsanctioned tools, the risks of shadow IT are still huge and can expose the company to serious consequences. Data breaches, security vulnerabilities, and compliance issues are just some of the problems associated with shadow IT, as well as the potential to violate regulatory requirements and risk being out of compliance. When there are unknowns around what apps are being used for what and by whom, security issues abound. On top of that, redundancy means avoidable cost. Odds are, employees are using separate apps that do the same thing. On the flip side, they might no longer be using an app at all.


Shadow IT detection isn’t easy, which is why it’s such a problem for so many companies. However, shadow IT tools can help IT leaders understand the scope so they can start taking action. First, IT teams have to understand the problem. Where are the apps? Who is using them? And how many? Shadow IT solutions and shadow IT services can help IT teams perform a full audit of the network, applications, and devices, including monitoring user activity, system logs, network traffic, emails, and any other correspondence that might allude to unsanctioned downloads.

From there, IT teams can determine the number of licenses, usage frequency, when users access the software, and monthly spend. The results may even help IT teams consider adding new apps or tools to the sanctioned list, cancel unnecessary subscriptions, and negotiate better bulk licensing prices.
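As an added example (not Lumos's code or the original post's), here is the discovery pass described above run over constructed proxy log lines: it lists hosts that are not in the sanctioned inventory with who used them, how often, and when they were last seen, and it sets each licensed app's seat count beside the number of distinct users actually observed. The inventory, usernames, domains and log format are all assumptions.

```python
"""Added example (not Lumos code): flag unsanctioned SaaS hosts from
proxy logs and reconcile licensed seats against observed users. The
inventory, log lines and domains below are constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed sanctioned-app inventory: host -> (app name, licensed seats)
SANCTIONED = {
    "docs.example-suite.com": ("ExampleSuite Docs", 50),
    "chat.example-msg.com": ("ExampleMsg", 50),
    "wiki.example-wiki.com": ("ExampleWiki", 20),  # no traffic: cancel?
}

# Constructed proxy log: ISO timestamp, user, destination host
PROXY_LOG = """\
2024-03-01T09:02:11Z alice docs.example-suite.com
2024-03-01T09:05:40Z bob notes.unvetted-notes.example
2024-03-02T10:12:03Z carol notes.unvetted-notes.example
2024-03-02T11:45:59Z alice chat.example-msg.com
2024-03-03T08:30:00Z dave files.random-share.example
2024-03-03T08:31:12Z bob notes.unvetted-notes.example
"""

def parse_log(text):
    """Yield (timestamp, user, host), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, host = parts
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host

def audit(log_text, sanctioned):
    """Return (shadow, seats): unsanctioned hosts with who/how often/when,
    and each licensed app's seat count beside its distinct active users."""
    shadow = defaultdict(lambda: {"users": set(), "hits": 0, "last_seen": None})
    active = defaultdict(set)
    for ts, user, host in parse_log(log_text):
        if host in sanctioned:
            active[host].add(user)
            continue
        rec = shadow[host]
        rec["users"].add(user)
        rec["hits"] += 1
        rec["last_seen"] = max(rec["last_seen"] or ts, ts)
    seats = {name: {"licensed": n, "active": len(active[host])}
             for host, (name, n) in sanctioned.items()}
    return ({h: {**r, "users": sorted(r["users"])} for h, r in shadow.items()}, seats)
```

A real deployment would feed this from the proxy, DNS or CASB export and join the host list against an allowlist maintained with the app owners; the seat-versus-active gap is the starting point for the license negotiation the paragraph above mentions.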

A strategic must, not a tactical afterthought

Create a shadow IT policy and broadcast it

Employees don’t know what they don’t know. Many are likely unaware of what shadow IT is, let alone any ramifications. The best thing any IT department can do is implement policies and procedures around shadow IT and communicate those policies regularly. Create (and enforce) policies that clearly define what’s allowed on the network and whether users can download any unsanctioned apps. If they can, when and how does IT get involved?

If not, is there a rapid approval process that doesn’t compromise security and compliance? Every IT department must determine the risks and benefits and be clear about what’s sanctioned and what’s not. From there, spell out the company's shadow IT cybersecurity policies and educate employees to prevent them from contributing to the shadow IT problem.

Leverage this policy to turn shadow IT into something that benefits the organization. It can spur much-needed audits that uncover unnecessary spend and end in cost savings. It can also improve the security posture, since discovering unsanctioned apps closes off avenues that could have opened the organization to a world of hurt via breaches.

Understand the productivity landscape for employees

A huge step for shadow IT risk management is understanding what users need. After all, the reason they download unsanctioned tools is because the approved list isn’t working for them or they can’t get what they need quickly enough. By finding out what’s working and what isn’t, IT can adjust the mix of tools the company uses and enrich the employee work experience.

Who introduced the company to the app in the first place? What were the reasons it was ultimately approved? Are those reasons still upheld by current business objectives? What expectations are employees being held to? Why are they looking for additional options? Exactly what are their working conditions and what is required for them to be successful when working toward goals and OKRs? Work with business leaders and use this information to better understand preferences, engage in conversations, move some unsanctioned apps onto the approved list, and negotiate better licensing prices than the one-off employee subscriptions.

Depending on company culture, creating a survey or having actual conversations with employees throughout the org can be helpful as well.

Streamline access requests, SaaS approvals, and enable self-service

If users have to wait too long to get an app or access request approved, they’re far more likely to circumvent IT policies to download what they need. Every IT team should create approval workflows for all tools, which includes defining the approving party and vetting process. When IT simplifies the app or tool approval process, users are far less likely to get frustrated and far more likely to follow procedures.

Then, IT teams must determine how they’re going to give users access to new tools. Just like the tool approval process, access requests must be simple. For example, with Lumos, instead of requiring users to submit IT support tickets, IT teams can enable a self-service AppStore that integrates with their IdP to automate access requests.

This saves time by decentralizing the approval workflow and helps employees get what they need faster. Users can visit the AppStore and view which apps they can request based on their company roles. They can then submit access requests right through the AppStore, which automatically sends a notification through their communication tools, such as Slack or email, to the approver(s). Not only does this make life simpler and easier for employees, it takes the work off IT’s plate.

Audit regularly

Squelching shadow IT isn’t a one-time process, and the landscape isn’t static. IT teams need to be proactive because it’s easier to nip shadow IT early than to manage app and licensing sprawl months down the line. Shadow IT monitoring tools help IT departments monitor usage across unsanctioned apps, devices, email messages, and more to discover what’s lurking in the background. By investing in a regular auditing process, IT teams can catch shadow IT as it happens and rest easier at night.