Use of ‘shadow IT’ in businesses and organisations weakens security and leaves infrastructure vulnerable – and it’s on the rise.

Find out how to detect shadow IT in use by your workforce and why it’s important, as well as the business case for allowing employees to use the technology they feel they need to get their job done.

Have you heard of ‘shadow IT’?  

If you don’t know what shadow IT is, read our previous blog explaining all about shadow IT, and some of the stats and security weaknesses it poses for businesses, in The dangers of shadow IT.

In our continuing exploration of shadow IT, covering the risks it presents to businesses but also its positives (yes, there are some), we look at how to spot shadow IT and what to do to manage it and make it viable and safe for your business.

The business case for shadow IT  

Use of unsanctioned apps by employees presents significant security weaknesses and challenges for organisations. Increasing cloud usage exacerbates the use of shadow IT further, putting company data and systems at risk in unsanctioned, unregulated and vulnerable environments.

It’s estimated that up to 50% of organisations’ SaaS (Software as a Service) estate is operating outside of IT protocols and compliance at any one time. However, it’s also the case that employees cite ‘just wanting to do their job’ as a reason for downloading and using their own apps. 

Use of own apps shows initiative and productivity  

97% of IT professionals say employees are more productive when they’re allowed to use their own, preferred technologies.  

Because of the gap that commonly occurs in businesses between the needs of the business and IT departments, shadow IT comes into play as employees under pressure search for new and better ways to get their jobs done.

Although this use is unregulated, employees striving for efficiency is to be encouraged, and it presents a strong business case for detecting shadow IT and regulating it so that its use is legitimate, security-compliant and safe.

How to find and manage shadow IT 

Adopting a shadow IT governance process will help to bring shadow IT into view and under control. 

1. Use automated means of discovery 

Employee surveys are never going to be accurate, plus they’re time-consuming. Use an automated SaaS management tool, or software asset management tool, to discover what’s actually in your environment. 

2. Create an inventory 

Create an inventory where you can store data for each application: owner, number of licences, users, spend, renewals, etc. An inventory will help you to assign accountability. 

3. Establish risk assessment management 

Carry out risk assessments for everything in the inventory: for example, is the application associated with a security breach? Establish where data is stored, analyse certifications and find out whether the vendors are future-proofed. Is there potential for future value / risk for your organisation?

4. Analyse usage 

Without data on usage you can’t hope to approach an understanding of ROI (return on investment) in relation to your business functions, or any overlaps in usage, as well as inactive platforms. Use automatic monitoring to gather this data. 

5. Rationalise use 

You’ll need to define your organisation’s needs and future goals to effectively evaluate and rationalise the shadow IT apps in use. Are they essential, are they under-used, or do they have potential for the business going forward? Do they genuinely support core workflow and employee efficiency? Can they be safely rolled out and is there value in doing so?

6. Instigate best practice buying and renewals process 

Once you’ve brought the apps into your compliance and security protocols, and rationalised those that have potential for your business, the process and communication channels around buying, usage and renewal can be implemented, along with employee onboarding.

7. Continuous monitoring and review 

Monitoring your network and cloud environment will need to be constant to keep up with policy changes and security breaches. Use automated monitoring and a regular review process to ensure no sensitive data is disclosed to unauthorised sources/vendors, that employees are using applications within compliance and costs are under control.  
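
To make steps 1, 2 and 4 concrete, here is an added example (not from the original article or from any vendor's tool) of what automated discovery does underneath: it compares destinations seen in egress proxy logs with the inventory, then reports unsanctioned apps, inactive sanctioned apps and licence utilisation. The log format, host names, owners and licence counts are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory (step 2): app host -> accountable owner and licence count.
INVENTORY = {
    "crm.example.com": {"owner": "sales-ops", "licences": 25},
    "docs.example.net": {"owner": "it", "licences": 100},
    "chat.example.org": {"owner": "it", "licences": 100},
}

# Constructed egress proxy log, assumed format: "<date> <user> <destination host>".
SAMPLE_LOG = """\
2024-05-01 alice crm.example.com
2024-05-01 bob files.unsanctioned.example
2024-05-02 carol Files.Unsanctioned.Example.
2024-05-02 alice docs.example.net
2024-05-03 bob notes.unsanctioned.example
2024-05-03 dave docs.example.net
not-a-valid-line
"""

def parse(log_text):
    """Yield (user, host) pairs; malformed lines are skipped, hosts normalised."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")

def discover(log_text, inventory):
    """Return (unsanctioned, inactive, utilisation) for one log window."""
    users_by_host = defaultdict(set)
    for user, host in parse(log_text):
        users_by_host[host].add(user)
    # Step 1: hosts with traffic that are not in the inventory, with their users.
    unsanctioned = {h: sorted(u) for h, u in users_by_host.items()
                    if h not in inventory}
    # Step 4: inventory entries with no traffic at all in the window.
    inactive = sorted(h for h in inventory if h not in users_by_host)
    # Step 4: active users per licence for sanctioned apps that are in use.
    utilisation = {h: len(users_by_host[h]) / inventory[h]["licences"]
                   for h in inventory if h in users_by_host}
    return unsanctioned, inactive, utilisation

if __name__ == "__main__":
    unsanctioned, inactive, utilisation = discover(SAMPLE_LOG, INVENTORY)
    for host, users in sorted(unsanctioned.items(), key=lambda kv: -len(kv[1])):
        print(f"UNSANCTIONED {host}: {len(users)} users ({', '.join(users)})")
    for host in inactive:
        print(f"INACTIVE {host} (owner: {INVENTORY[host]['owner']})")
    for host, ratio in sorted(utilisation.items()):
        print(f"UTILISATION {host}: {ratio:.0%} of licences active")
```

Exact host matching is a simplification: real SaaS apps use many hostnames, which is why the inventory should record every domain each sanctioned app uses.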

See shadow IT as an opportunity 

Detecting shadow IT for genuine exploration of better, more efficient ways of achieving workflow is a progressive approach organisations can take to bring shadow IT under control. But it must be carried out in accordance with the organisation’s security policy, and with clear protocols for use of any new applications going forward. 

For a more technical tutorial on discovering and managing shadow IT apps, view Microsoft’s tutorial on shadow IT.

Alternatively, if you’re concerned about the use of shadow IT in your organisation and need help to bring it under control and make it compliant with your security protocols, get in touch with our IT experts today.

 
