Bringing remote workers out of the shadows

Just when you thought you had a handle on shadow IT, along came  2020 and with it, a more scattered workforce than ever before. 

Even for companies with robust BYOD policies, many likely fell by the wayside as employees began working from home, using whatever devices they had on-hand, and even installing SaaS apps as they saw fit.

Shadow IT -- individuals or business units creating and managing accounts without the oversight of IT or security personnel -- create serious governance challenges. 

"I'm not sure if shadow IT is cropping up again – I don't think it has ever left,'' says Justin Rodenbostel, vice president of solution delivery at tech modernization firm SPR. "It's easier than ever for individuals or teams to spin up their own infrastructure in the major clouds."

Rodenbostel adds that he sees companies struggle with the governance implications of shadow IT, but that the motivation is rarely malicious. "The work being done in the 'shadows' isn't a result of working around governance," he says. "It generally happens when a team wants to experiment with something new that they think will help them be innovative or more efficient before investing in a formal effort."

The problem is, sometimes these projects can grow rapidly or become critical to running the business before they are incorporated into the organization's governance policies, he says.

Organizations are collecting an unprecedented amount of sensitive personal information from employees and customers thanks to the pandemic. "Yet, data governance practices are regressing, with fewer dedicated resources to data privacy than in previous years,'' according to Gartner. 

Often, employees are not aware of the associated security vulnerabilities and threats to which they are exposing their companies. But because most public cloud vendors have a policy of shared responsibility, employees have to assume some of the responsibility for data leakage or other security or compliance repercussions caused by shadow IT in cloud environments. 

Employees want to be agile

Even if IT made concerted efforts to provide sanctioned technologies, "If they are not meeting the needs of employees, then that's where you see a lot of the disparate shadow tools start cropping up,'' says Kaumil Dalal, director of the technology practice at West Monroe, a national business and tech consulting firm.

Some 62% of remote workers are using rogue applications – with 25% using a significant number of unapproved tools outside of the official IT policy, according to a 2020 report from  Netmotion. These include productivity and collaboration tools.

This does not surprise Dalal, who saw shadow IT re-emerge more acutely at the beginning of the pandemic. The increase in remote work created "a need for agility" among employees, he says.

Many organizations are now looking at a hybrid work model, which means there will be new tech implementations to support on- and offsite work. This is something small businesses, in particular, need to consider. Shadow IT is a common issue for small businesses because many do not have mature IT functions or they have outsourced their tech needs, Dalal says.

How to bring security risks out of the shadows

To help businesses gain greater visibility into what employees are using, Dalal advises clients to focus on the employee experience, or what he refers to as "employee personas," to determine what they need to do their jobs efficiently.

"So you're putting employees at the center rather than the tools and technologies,'' he explains, adding that a persona might be a product team, which has different use cases for tools than a group in shared services.

There are also teams that will need to collaborate more heavily with other, cross-functional teams, Dalal says. "It's more about figuring out what are those use cases … and really understanding the job role."

But before that happens, companies should figure out whether they have a shadow IT problem. They can do this by monitoring their network and understanding where data resides, Dalal says. Scanning tools can help with some of the telltale signs, such as flagging when employees were using company-issued devices and are now logging into the network with different devices. 

Once those issues are identified, the business can make a determination about what tools will help enable that team and ensure that they are onboarded properly.

It's also important to establish guidelines around apps and cloud services, as well as a list of approved software and apps if a BYOD policy is in place, so that everyone is aware.

"There should be processes in place to quickly approve new apps that business people are asking for,'' Dalal says. Providing employees with secure, anywhere-anytime access to information may also help reduce the risk of shadow IT, he says. "If employees are not getting access to information when they're on the go, a lot of times, you start seeing business units going in and getting certain apps in the cloud on their own. If IT can help be a solid business partner with anywhere-anytime access to information, that will help alleviate some of those scenarios."

Rodenbostel agrees, saying that the key to dealing with shadow IT is collaboration. "Governance policies need to allow for controlled experimentation by teams,'' he says. "But on the other hand, teams need to understand the importance of governance policies and what risks shadow IT poses to the organization – especially security."

While shadow IT often has a negative connotation, that doesn't have to be the case. The key is to open the lines of communication so that leaders have the insights they need to keep their businesses safe.