What is “Shadow IT”, and how is it draining your budget?

What is “shadow IT”, and how does it drain budgets?

Your employees are probably using it right at this moment, but what is it?

Shadow IT is tech that employees adopt without your IT department’s knowledge or approval: private cloud drives for document storage, personal phones for email management, instant messaging services outside of the purview of your company’s ecosystem. Really, anything along those lines.

As part of our series on complexity in Information Management, we looked at how information management became so complex, showing how organizations ended up juggling multiple platforms. Our second piece explained why employees waste hours each week searching for documents. Now, let’s discuss shadow IT.

Why isn’t it noticed?

Your staff aren’t looking to create problems when they start using shadow IT. Quite the opposite, they’re looking for convenience in an often complex internal software ecosystem.

For instance (and we’re talking about real experiences we’ve had with clients), a marketing manager might use Dropbox to share files with freelancers because

it’s easier than your internal system. It’s worth noting that the perceived clunkiness of legacy IT systems is a big part of why employees adopt these services in the first place.

Why does it end up costing more?

The unnoticed spend drive by specific departmental frustrations also means you could have an ecosystem where subscriptions are being duplicated all over the company, although this is admittedly more of a risk for medium to larger sized firms. Your HR, marketing, and sales teams could all be paying separately for platforms.

The most obvious risk: security and reputation

It’s a basic truism that unapproved technology creates vulnerabilities. Employees rarely think about security implications when adopting personal apps or cloud services, after all, these are things that happen to other people and companies, not them. A lack of oversight means there’s no best practice implementation for things like strong passwords either.

And here’s the tangible reality: the IBM Security X-Force Cloud Threat Landscape Report states that nearly half of all cyberattacks link directly to unmanaged or shadow IT. So this isn’t just a hypothetical risk, it’s one that is causing enormous reputational and compliance costs to businesses every year. Consider the example of British Airways, who faced a £20 million fine after customer data was exposed through an “unmanaged entry point” (shadow IT).

The good news is that simple policies and staff education can also make employees aware of how their actions impact overall security. As with essentially all our guidance, it boils down to one, being holistic from the top and two, ensuring simplicity from the ground up (employees who find your vendor stack easy to use aren’t even going to use alternative platforms).

The impact of compliance law

You’re almost certainly familiar with regulations like GDPR and the enormous cost implications of not following them (4% of annual turnover!). It may seem like basic advice but when everything from P&Ls to strategy roadmaps are scattered across multiple platforms and unmanaged applications, meeting these standards becomes functionally impossible.

So how do you minimize the risk?

1. Audit, audit, audit: Identify all software, cloud services, and platforms currently in use across your organization. Include a survey to understand why unofficial tools were adopted in the first place. This isn’t about ascribing blame

2. Consolidate and simplify: Once you identify what’s redundant: merge and streamline subscriptions.

3. Pick approved software that’s easy to use: As we’ve said, your employees use shadow IT because approved systems feel clunky. By providing intuitive and easy-to-use alternatives, you encourage compliance naturally.

4. Who is in charge? Make it visible: Clearly assign responsibility for different types of data and establish straightforward rules for technology adoption. If you’re not already using SSO solutions, do so.

5. Educate and train employees: Perhaps the most important step, and build this into any onboarding so they’re aware of the risks and tech landscape of your company from the very beginning.

Getting started

Shadow IT is just one part of the problem within the broader framework of Information Management. If you want to get deeper and get practical strategies to simplify your information management, read our full guide, Challenging complexity in information management.