Q & A: Brian Timperley on Shadow IT

By 19th Jun 2019 Blog

What are the biggest challenges of Shadow IT? Please outline at least three and explain why these are defined as challenges in the enterprise context.

One challenge with staff using applications that are not authorised on the network is licensing, or lack thereof.  Especially if they’re being used for commercial use. There are both financial and reputational costs associated with running unlicensed software.

Another challenge is the potential for a security breach. Hardware used in the “shadows”, such as external hard drives and USB sticks can contain malware, and in some cases, ransomware. Unauthorised applications can also install viruses on the network. This adds to the already high-risk cybersecurity threat that businesses face today.

Thirdly, the use of shadow IT in the form of games and social media apps can negatively impact productivity and employee engagement. This is a challenge as employee engagement is already infamously low in South Africa.

 Please explain how to resolve each of the challenges that you outlined above. How can the enterprise harness/stop/embrace Shadow IT in these specific contexts?

Regarding the use of unwanted/unauthorised applications, you can educate users by having a pre-approval process before anyone downloads or brings any device onto the network.  You can then enforce it with a software-based Group Policy which simply doesn’t allow software or hardware onto the network.  Another aspect to look at is BYOD – some organisations segment their network so that these devices have their own network that won’t negatively impact the business.

The security challenge is difficult to resolve, but here, education and awareness is critical. Businesses must educate staff around the risks involved, as well as how to deal with these risks. Regular testing and simulations can be very valuable as well.

When it comes to the productivity challenge, businesses can implement monitoring tools to watch Internet browsing, application use, and the network.  In our experience, the simple act of letting staff know that the Internet is being monitored greatly reduces consumption of non-business related apps.

 Can Shadow IT ever emerge from the shadows and become a standard part of business operations? How?

Yes. The key is to manage your organisation with an understanding that Shadow IT exists, and make sure that it doesn’t get out of hand or impact productivity.  Controlling Shadow IT too much leads you to manage your business for the employees you know will abuse the system, which means policies based on the worst employees. This can mean your best employees suffer and don’t have access to the freedom that allows them to be more innovative. If you educate, implement the tools to monitor, and monitor the people that are abusing it, you can manage your business for the best employee.

What drives the adoption of Shadow IT and why isn’t this driving IT?

Any application or IT hardware which is not business related and not sanctioned by the business amounts to Shadow IT.  However, people become comfortable with applications, hardware, and support that they use regularly  (i.e. WhatsApp, external hard-drives and family members who fix their IT issues). So it’s often almost a reflex for someone to default to these items.  Accessibility is also something that spurs Shadow IT because free, easy to use apps are more accessible and everyone is always carrying their cellphone.

Another element that can ignite it is people wanting to try new things; they end up liking an application and introducing it to others within the business. This can also happen due to frustration.  Maybe the company sanctioned tool for collaboration is slow and not available on a cellphone.  There are numerous free apps which are fast and easy to use and employees might make the switch just to operate faster.

The reason it doesn’t ‘drive IT’ more generally is because Shadow IT, by definition, sits outside the domain of control of the organisation. The effort to enforce zero Shadow IT is impossible – that is why it must firstly be acknowledged, and then managed intelligently.

Leave a Reply