Sending the entire workforce home to work created plenty of problems for IT. The challenges were plentiful, and they were not limited to the ever-shifting logistics of setting up pop-up branch offices in various remote home environments. Employee skill sets, or lack thereof, also pushed IT resources and workloads to the limit.
The average employee required crash course training and an overwhelming amount of support on everything tech related. Meanwhile, many of the more tech-savvy employees worked diligently to find workarounds to sluggish business processes and the extra guardrails IT put in place. A growth spurt in “Shadow IT,” the cloud services and hardware that are unsanctioned and invisible to IT, was inevitable.
Examples of Shadow IT in the best of times include the following, according to Arctic Wolf:
- Cloud-based collaboration and file-sharing applications, such as Dropbox and Google Drive
- Devices such as laptops and mobile phones
- Third-party apps that use OAuth tokens (using credentials from a corporate app like Office 365)
- Infrastructure-as-a-service (IaaS) and platforms-as-a-service (PaaS), such as a software-development project built on Azure or AWS without IT’s knowledge
But this past year pushed past the former good times. More than a few employees moved Shadow IT home with them and expanded its encroachment on IT’s carefully walled gardens.
According to a recent survey, “a staggering 63.5% of respondents have created at least one account in the past 12 months that their IT department doesn’t know about.” More than half (51.8%) of that 63.5% said they created between two and five accounts without IT’s official blessing. Another 15.8% said they had secretly created more than five accounts. An array of other percentages pointed to employees with hidden accounts that numbered somewhere between these two extremes. But the bottom line is that IT is blind to all of it.
A year after the pandemic-fueled mass worker migration, what does Shadow IT look like now?
Shadow IT on the Home Front
Shadow IT surged in the hands of a home-based work force largely because workers were less restrained from working across devices and apps in their home environment. Put another way, the concept of BYOD (bring your own device) to work soon gave way to BYOW (bring your own work) to your home. Workers were quick to ditch corporate devices and tools and replace them with their faster and feature-rich consumer counterparts.
In terms of IT headaches, Shadow IT is a monster. According to a recent Check Point survey, one of the top three IT security challenges is “employees working from home were using shadow IT solutions – untested software, tools and services (47%).”
While Shadow IT may be out of reach for IT, it is certainly within the grasp of criminals, and that creates “shadow risk, the unknown unknowns,” as BMC calls it. There have been a few studies aimed at measuring at least some of this shadow activity in order to better understand the breadth of the attack surface it creates. The results are alarming. For example, McAfee found that “Shadow IT cloud usage is at least ten times the size of known cloud usage.”
Shadow Risks and Shadow Gains
Historically speaking, Shadow IT was initially limited to “unapproved Excel macros and boxes of software employees purchased at office supply stores,” according to McAfee. Today it has spread exponentially across most cloud services and consumer devices, not from malice or rebellion, but largely from employees’ desire to work efficiently and effectively.
That means that most of the components in shadow IT were chosen to assist rather than harm the company. Even so, as Arctic Wolf points out: “what makes Shadow IT a high risk to your organization is your lack of visibility and control.”
However, that’s not to say that all of Shadow IT is necessarily dangerous.
“Not all shadow IT is inherently risky. Even apps with weak security may pose no danger as long as employees don’t use them to share sensitive information,” according to Arctic Wolf.
While companies must gain visibility and control over every corner of Shadow IT to ensure security and compliance requirements are met, it’s smart to leverage components with measurable positive impacts on workflows, processes, and profits.
“For example, for a few years a VP paid for a CRM out of her own pocket, bypassing the authorized system suggested by her IT team. When the company was made aware, she faced disciplinary action, despite that, thanks to this CRM, she was able to increase the company’s revenue by $1m per month,” according to a report in TechRadar Pro.
Steps to Bring Shadow IT into the Light
The key to mitigating risk is to gain visibility into Shadow IT so you can evaluate the components and make knowledgeable decisions on what to integrate into IT’s plans, and what to outright ban.
Some of the steps you can take to accomplish this include:
- Raising awareness of the issues with Shadow IT
- Creating a security culture throughout the organization
- Being open to employee suggestions for new or different technologies
- Providing employees with a checklist to help guide them through grey areas
IT can also monitor the network to detect, trace, and map any and all movement of company assets such as data, files, and accounts of all types. A zero-trust security model is also essential to ensure IT knows who and what is trying to access company data and other assets.
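As a sketch of what that monitoring can look like in practice, the following added example (not from the article or any vendor it cites) scans web proxy records for destinations outside a sanctioned list and ranks them by outbound bytes, since the risk depends on whether data is actually being shared. The log format, the allowlist, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: domains IT has approved (constructed for this example).
SANCTIONED_SUFFIXES = ("office.com", "sharepoint.com", "corp.example")

# Constructed proxy log: timestamp, user, HTTP method, destination host, bytes sent.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z alice POST www.dropbox.com 52428800
2021-03-01T09:02:10Z alice GET outlook.office.com 1200
2021-03-01T09:05:44Z bob PUT drive.google.com 1048576
2021-03-01T09:07:03Z bob GET drive.google.com 800
2021-03-01T09:09:30Z carol POST crm.corp.example 4096
2021-03-01T09:11:12Z carol POST www.dropbox.com 2048
garbled record
"""

def is_sanctioned(host):
    """True if host equals, or is a subdomain of, an approved suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SANCTIONED_SUFFIXES)

def find_shadow_it(log_text):
    """Map each unsanctioned host to the users, request count and bytes sent to it."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of failing the whole run
        _ts, user, _method, host, sent = parts
        if is_sanctioned(host):
            continue
        entry = findings[host.lower()]
        entry["users"].add(user)
        entry["bytes_out"] += int(sent)
        entry["requests"] += 1
    return dict(findings)

def rank_by_upload(findings):
    """Hosts ordered by outbound bytes, largest first: where data is most likely leaving."""
    return sorted(findings, key=lambda h: findings[h]["bytes_out"], reverse=True)

if __name__ == "__main__":
    found = find_shadow_it(SAMPLE_LOG)
    for host in rank_by_upload(found):
        f = found[host]
        print(host, sorted(f["users"]), f["bytes_out"], f["requests"])
```

The output is a review queue rather than a block list: each host it surfaces still needs the evaluation described above before deciding whether to integrate or ban it.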
To facilitate a quick and more complete assessment of Shadow IT, consider praising employees for their efforts to raise productivity despite the stresses of working from home, rather than punishing them for straying from the company’s path. After all, everyone was doing the best they could to get through trial by fire, or pandemic as it were. Now it’s time for everyone to take a breath and get things under better and more organized control.