Question: What do Skype, Dropbox, MSN Messenger, Excel macros, personal mobile devices, and employee-owned USB drives have in common?
Answer: Your IT Department hates them.
In an increasingly fast-paced work environment that comes fully equipped with clunky business-enterprise apps, employees often skirt around corporate policy and find their own technology solutions for their everyday needs. This trend is known as Shadow IT. Cue the ominous vampire music. Sounds scary, eh?
Shadow IT is hardware, software, or systems that are acquired and used in the workplace without the knowledge or approval of the IT department. Common examples of Shadow IT are using Dropbox for file sharing or cloud storage, using Skype for video conference calls, or installing software on work devices without IT approval. The common driver for this type of behavior is simple: it works for me at home, so why not in the office!?
In large organizations, getting the IT Department to approve, vet, or create new technology can be extremely time-consuming and bureaucratic. Deploying new systems through traditional means can take months, if not years, leading employees to go searching for an alternative. Why? They want to be productive now, not when IT is ready.
The road to Shadow IT is paved with good intentions. Employees who are going around traditional IT rules for web apps and productivity tools aren’t being nefarious, but they may be causing harm to the organization.
In a previous life, I worked for a SaaS provider that dealt with companies all over the world. We had a team of about 15 sales people that would give a variety of online sales presentations throughout the day, using one of several available demo rooms to conduct the online web conference. Since there was no easy way to transfer PowerPoint presentations from their desktops to the demo room computers, people would regularly use their own USB, Dropbox, or their personal email account to move their presentations and files around the office. The alternative was to remotely log in to your desktop computer from the demo room, which was time-consuming, slow, and often unreliable.
While the presentations would be conducted effectively, these sales folks did not realize that sensitive company information, including prospect lists, client data, pricing information, and screenshots of trademarked software, was being removed from secure enterprise systems and placed on loosely guarded public clouds, flash drives that could easily be lost or stolen, and much worse. Security was ignored for the sake of efficiency.
In 2014, nearly 7 million Dropbox accounts were compromised when hackers dipped directly into Dropbox’s servers. While security is definitely at the top of the list of reasons to prevent Shadow IT, there are many other reasons that employees should avoid the practice. Here are a few:
We cannot get away with only mentioning it once. Shadow IT practices leave companies vulnerable to competitive intel leaks, possible phishing scams, and significant data breaches. More often than not, large-scale data breaches are caused by employees using non-IT-approved systems for work purposes.
Procuring systems and tech without IT’s knowledge can make it more difficult for companies to comply with standard compliance initiatives, such as:
- SSAE-16 Compliance
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Control Objectives for Information and related Technology (COBIT)
- Federal Information Security Management Act of 2002 (FISMA)
- Generally Accepted Accounting Principles (GAAP)
- Health Insurance Portability and Accountability Act (HIPAA)
- Information Technology Infrastructure Library (ITIL)
- International Safe Harbor Privacy Principles
Shadow IT makes it difficult to track proper ROI on business systems. Also, IT might have to replace or properly vet your sneaky system down the road, which increases the IT logjam for the entire company.
This is most prevalent in the “Excel Macro” or “Personal Access Database” world. Employees who create their own business systems using Microsoft Office products are often the only ones who know how to use them. If that employee leaves, the important system will leave with them. These systems also are probably not in line with company policy.
Angry IT Manager Syndrome
People generally do not have bad intentions when they engage in Shadow IT practices. They simply want to get their work done. They most likely do not even realize they are disregarding policy. However, it is important to remember that if (more likely when) your personal tech product causes an issue, you will not be the one who has to clean up the mess.