Shadow IT could be your fault – what should you do?

Shadow IT, or use of staff’s own IT to do their job leaves your business open to risk. It goes on – but what should you do? Here’s a reasoned approach. 

What are you capable of doing when it comes shadow IT? 

Whether you want to encourage, eliminate or safely tolerate the use of shadow IT by your employees will largely depend on your knowledge of the risks and  your capacity to meet employees’ technology needs.  

If you want to eliminate all shadow IT outright, and the security risks it presents, do you, realistically, have the capability?  

If you want to encourage employee’s own IT, do you have the tech-security knowledge inhouse to ensure the tech used is safe and configured to correct protocols? 

What we don’t encourage is burying your head in the sand and pretending shadow IT doesn’t exist. In a recent report, of 400 workers surveyed, 35% said they used their own devices / apps for work. 

Case for and against shadow IT 

While the unregulated use of employees’ own technology – termed ‘shadow IT’ – puts your business at serious risk of a cybersecurity breach and non-compliance in data handling, there is a case for encouraging the initiative employees demonstrate in trying to get their job done. 

Isn’t an employee using their initiative a good thing for your business? 

Are you using the most effective technology? 

The main reason employees resort to using their own IT – apps and equipment – is their desire to get their job done, in the most effective, frictionless way possible. This doesn’t mean they’re lazy – wanting tasks to be as easy and quick as possible – it means they don’t have the technology sanctioned already to do their job in the most effective way. 

Advice from the National Cyber Security Centre is that shadow IT is “rarely the result of malicious intent”. 

Forward-thinking employees know that when employees can get their jobs done efficiently, their level of job satisfaction increases, and, consequently, their motivation to innovate, progress and develop – good news for their employer! 

Employees may hold the key to your innovation 

It’s often the people on the ground, doing the day-to-day who know what’s needed to perform operations to their maximum efficiency. Unfortunately, that information doesn’t always make it back up the line of command, or, crucially, to the IT department and the process of procurement.  

Communication is vital 

Talking to employees about how they accomplish their tasks, holding open communication about technology and what, in their opinion, is required to process workflow more effectively, can go a long way to uncovering the use of shadow IT. And, where appropriate, making it safe for use within your organisation.  

Changing the culture 

You may have a strategy regarding your business’s use and development of IT, and for staff engagement. But the fact is, the dominant culture of an organisation prevails, no matter what the strategy. 

Changing culture within an organisation requires engagement and two-way dialogue.  

Employees don’t want to feel worried they may not be able to do their jobs, if they’re suddenly banned from using their own tech. So it might be that engagement is first required, to build trust and reassurance that you’re going to provide the right tools for the job, or make safe and sanction their own IT. 

Staff’s own IT might do the job better 

Could it be that the cloud-based app your staff use is better at getting the job done than the tech and process you currently employ?  

Encourage the discussion and resource some expert advice and investigation. Can the app be safely integrated and configured? Can the correct licences be obtained cost-effectively? 

Foster open communication 

The last thing you want is for your staff to hide their use of IT. For this reason, the NSCC advice, and ours, is to never reprimand or sanction employees.  

Cyber security training for all staff could be a starting point, where online risks and the importance of security measures are communicated effectively. This then becomes an initial starting point for discussing use of personal IT. 

Assessment and planning for the future 

If you’re not sure what to do about shadow IT, start by finding out where, how and why it exists. Then you can ascertain the resources you need to deal with it, including staff training, technical assessment and strategic, forward planning. 

Do you need help to understand, assess and deal with shadow IT in your organisation? Get in touch. 

< Read more articles on our IT Academy