Shadow IT leads to unquantifiable risks
According to a Microsoft estimate, larger organizations use more than 100 IT-managed apps on average and at least 900 other apps that are outside of IT’s control. The content stored in these shadow IT services can vary widely, but will certainly contain some confidential, personal, or sensitive data.
Shadow IT refers to IT applications that are created, deployed or used outside of a company’s central IT infrastructure (i.e., without authorization and with little or no control). These applications range from Excel spreadsheets used for financial reporting to personal cloud storage accounts such as Dropbox or Google Drive in which sensitive information is stored. By this definition, shadow IT has existed since enterprising employees first began solving business needs with applications outside of IT.
The Corona crisis has changed the way companies operate. Many companies were virtually forced to allow their employees to work remotely from their home offices, and in many cases IT leaders accelerated digital transformation initiatives to support this change. As long as end user computing (EUC) is controlled, information security need not be compromised. However, various studies have now shown that shadow IT is practiced in most organizations, albeit to widely varying degrees. Such a practice entails considerable risks; these already existed before the Corona crisis but have been exacerbated by it (the krm described the problem in the 2015 Practice Guide under the heading “user-driven IT” (section 1.4.1)). Yet alongside this dark side, shadow IT also has a useful side, which Forrester calls “groundswell”. Instead of locking down and inhibiting users, they are empowered (within reasonable limits and under control) to drive change through previously unauthorized apps and tools that help the business continue to grow and adapt to changing needs. Many CIOs already recognize this.
Fundamentally, the risk of an organization’s shadow IT lies in the lack of visibility, security and control over these applications. They can compromise business continuity and reporting accuracy and expose the organization to non-compliance. Some scenarios and operational risks with far-reaching reputational and financial implications are:
- The IT department is bypassed and therefore cannot ensure that adequate security measures, such as access controls, are in place to prevent security breaches
- The compliance department does not know that certain cloud services are being used
- IT security cannot detect and respond to security breaches in cloud services it has not identified
- Strictly confidential personal (DSGVO/GDPR-relevant) information is sent to unsecured mailboxes
- Other sensitive data is stored in free cloud storage accounts
- Faulty logic in investment spreadsheets leads to large losses
Regulators and audit teams have become increasingly aware of these applications in the wake of the Corona crisis and are calling for their identification and control.
What can be done?
As always in such cases, the call is for a policy backed by an inventory. Such an inventory would first identify the criticality of an End User Computing (EUC) application and evaluate it accordingly, and then record it in the inventory so that it can be controlled; cf. the following scheme:
Source: White paper Apparity
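To make the identification step concrete, here is an added example that is not taken from the article, from Apparity’s white paper or from any product: a small Python script that reads a constructed excerpt of web proxy logs, drops traffic to the hosts IT has sanctioned, and records every remaining cloud service together with its users, its outbound data volume and a criticality rating that can seed the EUC inventory described above. The sanctioned-host list, the category hints, the log lines and the 25 MiB upload threshold are all constructed for illustration; in practice they would come from IT’s application catalogue and a CASB or proxy export.

```python
"""Shadow IT discovery from web proxy logs.

Constructed example (not from the original article or any vendor product). It
builds the kind of inventory the text calls for: which unsanctioned cloud
services are in use, by how many users, how much data is leaving, and a
criticality rating that sets the review priority.
"""
import csv
import io

# Constructed sanctioned-app list. In practice this is IT's application catalogue.
SANCTIONED_HOSTS = {"sharepoint.example.com", "mail.example.com", "crm.example.com"}

# Constructed category hints used for rating. A real deployment would look the
# host up in a CASB or app catalogue rather than match on host suffixes.
CATEGORY_HINTS = {
    "dropbox.com": "file-sharing",
    "drive.google.com": "file-sharing",
    "wetransfer.com": "file-sharing",
    "gmail.com": "personal-mail",
    "trello.com": "collaboration",
}

# Constructed proxy log excerpt: timestamp, user, method, host, bytes sent.
SAMPLE_LOG = """\
timestamp,user,method,host,bytes_out
2021-03-01T08:02:11,alice,GET,sharepoint.example.com,512
2021-03-01T08:05:43,alice,POST,dropbox.com,52428800
2021-03-01T08:07:09,bob,POST,dropbox.com,10485760
2021-03-01T09:12:30,carol,POST,gmail.com,3145728
2021-03-01T09:40:01,dave,GET,trello.com,2048
2021-03-01T09:41:15,erin,POST,trello.com,4096
2021-03-01T10:03:22,bob,GET,mail.example.com,1024
2021-03-01T10:15:47,frank,POST,wetransfer.com,734003200
"""

UPLOAD_THRESHOLD_BYTES = 25 * 1024 * 1024  # constructed: 25 MiB of outbound data


def categorize(host):
    """Map a host to a coarse service category via the constructed hint table."""
    for suffix, category in CATEGORY_HINTS.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "unknown"


def rate_criticality(entry):
    """Constructed rating scheme: services through which data can leave
    uncontrolled are high; one unknown service shared by several users is
    medium; everything else is low."""
    if entry["category"] in ("file-sharing", "personal-mail"):
        return "high"
    if entry["bytes_out"] >= UPLOAD_THRESHOLD_BYTES:
        return "high"
    if len(entry["users"]) > 1:
        return "medium"
    return "low"


def build_inventory(log_text, sanctioned=SANCTIONED_HOSTS):
    """Return {host: {users, requests, bytes_out, category, criticality}} for
    every host in the log that is not on the sanctioned list."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        host = row["host"].lower()
        if host in sanctioned:
            continue
        entry = inventory.setdefault(
            host, {"users": set(), "requests": 0, "bytes_out": 0, "category": categorize(host)}
        )
        entry["users"].add(row["user"])
        entry["requests"] += 1
        # Only count methods that carry data out of the company.
        if row["method"].upper() in ("POST", "PUT"):
            entry["bytes_out"] += int(row["bytes_out"])
    for entry in inventory.values():
        entry["criticality"] = rate_criticality(entry)
    return inventory


def report(inventory):
    """Render the inventory as text lines, most critical services first."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = []
    for host, e in sorted(inventory.items(), key=lambda kv: (order[kv[1]["criticality"]], kv[0])):
        lines.append(
            f"{e['criticality']:<6} {host:<22} users={len(e['users'])} "
            f"requests={e['requests']} bytes_out={e['bytes_out']} category={e['category']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(build_inventory(SAMPLE_LOG)):
        print(line)
```

Run as-is, the script lists the three file-sharing and personal-mail services as high and the collaboration tool used by two people as medium, which is the triage order in which the inventory owner would want to review them. The rating rules are deliberately simple so that they can be replaced by the organization’s own criticality scheme.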
In the worst case, shadow IT creates the risks described above and the fear of the unknown in companies. At its best, shadow IT drives key business outcomes with unparalleled flexibility and ease. Arguably, the solution for a company is to strike a balance by controlling the former and enabling the latter.
Apparity (2020): Shadow IT Risk Looming Larger than Ever with Working Remote
AvePoint (2020): Collaboration Risk Minimization Guide
Workshare (2015): CIO Insights: Bringing Shadow IT Into The Light