“Shadow IT refers to software (external or internal), applications and cloud services outside the ownership or control of the IT department.”
In today’s fast-paced working environment, employees tend to rely less and less on IT departments. Workplace technology has never been this accessible or essential, and employees are increasingly confident that they can work independently from IT and decide on their own external tools and solutions. In fact, a 2016 survey by NTT Communications found that out of 500 private-sector decision-makers:
- 77% said departments used cloud services without the involvement of IT
- 83% use free, unsanctioned cloud storage apps (Dropbox, Google Drive, etc.) to store company information
- 71% admit this has been going on for multiple years.
The problems with such unsanctioned IT activities become clear when looking at their potential to escalate: they are difficult to identify until it is too late. For instance, IT might not notice an employee’s use of an unsanctioned cloud service until after a major privacy breach has caused significant reputational and financial damage. Other consequences include the severe risks of business discontinuity, data breach, non-compliance, hidden costs or veiled performance, as addressed during this webinar on shadow IT. In ITSM, it is increasingly evident that shadow IT activities might be more than just a small problem in organizational operations.
To handle Shadow IT, an organization first has to define which services are considered “sanctioned”. It can then put in place a solution to discover and continuously monitor end-users’ unsanctioned and unwanted software consumption activities through comprehensive data collection and interpretation. From there, two different management approaches appear: hard or soft.
The Hard Approach
This refers to the enforcement of strict rules, ranging in severity depending on the activity. Examples include setting proxy limitations, removing admin rights or even preventing application execution. This approach essentially aims to set boundaries to force users into compliance.
However, this might not always be the most effective method – limitations are the enemy of creativity, offering security at the cost of productivity. It is therefore important to find the right balance between restrictions and flexibility in order to allow the business to remain fast and innovative.
The Soft Approach
More user-centric, this approach focuses on engagement rather than enforcement, through awareness creation and direct end-user feedback. It enables the understanding of user requirements and the communication of the costs and risks associated with unapproved activities before any actions are taken. For instance, after identifying unauthorized software usage, an awareness campaign can be initiated with Nexthink Engage to notify the targeted users of its dangers, prompt them for feedback and recommend alternative compliant software.
By employing such “softer” methods of continuous monitoring and pedagogical user engagement, organizations can gain control over what was previously uncontrollable. They can not only know the who and where of shadow IT activities, but also the why, to pave the way for improvement in employee communication and satisfaction, as well as overall business well-being. Evidently, not all organizations can afford to be flexible when it comes to compliance (due to regulatory or industry requirements), but this should not deter them from the vital benefit of engaging with their end users.
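The discover-and-monitor step described earlier (define the sanctioned services, then find who is using what else), as an added example that is not part of the original article or of any vendor product: a Python script that checks web-proxy records against a sanctioned-domain list and aggregates unsanctioned usage per department, user and service. The log format, the domain list and the user names are constructed assumptions.

```python
from collections import defaultdict

# Assumption: services the organization has defined as sanctioned.
SANCTIONED = {"corp.example", "sso.example.net"}

# Constructed sample proxy log: timestamp user department host bytes_uploaded
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice finance files.corp.example 52000
2024-03-01T09:02:10Z alice finance www.dropbox.com 4800000
2024-03-01T09:05:44Z bob marketing drive.google.com 1200000
2024-03-01T09:06:02Z bob marketing drive.google.com 300000
2024-03-01T09:07:30Z carol finance notcorp.example 900
malformed line without enough fields
2024-03-01T09:09:00Z dave it SSO.example.net. 150
"""


def is_sanctioned(host, sanctioned=SANCTIONED):
    """True if host equals a sanctioned domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on label boundaries so "notcorp.example" does not pass as "corp.example".
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def find_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Aggregate unsanctioned usage per (department, user, host)."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_uploaded": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records instead of failing the run
        _ts, user, dept, host, uploaded = fields
        if is_sanctioned(host, sanctioned):
            continue
        entry = usage[(dept, user, host.lower().rstrip("."))]
        entry["requests"] += 1
        entry["bytes_uploaded"] += int(uploaded)
    return dict(usage)


if __name__ == "__main__":
    report = find_unsanctioned(SAMPLE_LOG)
    # Largest uploads first: company data leaving to unsanctioned storage matters most.
    for (dept, user, host), s in sorted(report.items(), key=lambda kv: -kv[1]["bytes_uploaded"]):
        print(f"{dept:10} {user:6} {host:20} {s['requests']:3} req {s['bytes_uploaded']:>9} B")
```

The per-user, per-department output gives the who and where; the why still has to come from asking the users.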