


The Spectre of Shadow IT

Published January 22nd

It’s ok, I have an app for that

“What’s that? You want me to send you a large video file or something? No, that’s not a problem, it’s actually easy, I’ll just stick it on Box. Or DropBox, or stick it on WeTransfer and then we’ll do a quick Zoom to go through it – what? Yes, I know we normally use our own video program but Zoom is so much quicker.”

OK, that’s a bit of a caricature but it’s the sort of conversation that has happened thousands of times when people are working from home.

Until 2020.

Then the whole world was working from home as far as possible, so you could imagine the conversation happening millions if not tens of millions of times.

So what’s actually wrong with someone using an app or other technology with which they’re already familiar?


Let’s get something straight. Nobody is saying that Box, DropBox, WeTransfer, Zoom or any of the other commonplace apps your colleagues may be using at home are intrinsically insecure. Everyone has seen reports that some of them are indeed unreliable but there have been strong rebuttals and constant updates.

This isn’t about whether an app is safe and secure. It’s about whether it’s authorized within the organization, and that distinction is important.

People who work in an organization, whether in the public, private or third sector, need to grasp the importance of corporate governance. This tends to become comprehensible when someone explains it to them. Essentially, the IT department needs to be able to assure everyone that a particular app or program is safe and will not interfere with corporate systems.


This may not be a matter of defending against malicious users or bad actors. Let’s suppose you had someone doing a lot of work on their phone or tablet and there was an issue with the corporate system, briefly, so they started using the mail client that came with their phone. Let’s say they also want to share a video during this system downtime so instead of using your authorized solution they send it via Dropbox or something else for which they happen to have the app.

Their objective is to get the document transferred and the communication around it done as efficiently as possible. The challenge they have unintentionally set the IT department is to support, or at least guarantee the efficacy of, any email program the device’s owner happens to have combined with any file transfer system they might happen to use. A quick search on the Google Play store throws out 250 file transfer apps for phones and tablets.

This is before they resort to putting the video onto YouTube with a hidden address, assuming no-one will see it if the link isn’t public.

Good governance means the ability to lock down any potential risk and this means following documented, accountable procedures. It’s why people use VPNs and it’s why a good suite of HR software takes care of the communication as well as the basic transactional functions. Clients are entitled to ask just how secure their data is and the IT team is accountable. The authorities are allowed to enforce their own strictures as well.

Not all employees will think this through when they decide to use their own systems on their own devices. It’s called “Shadow IT”, which means colleagues are using technology the IT team hasn’t authorized. In the vast majority of cases, it comes from a good place. People want to do the job quickly and they believe they know a more efficient way than the one locked down by the company. In their own home it’s easy to lose sight of the fact that they’re still on the company’s time, so they start to use the programs they use with their friends and family.

IT’s up to you

See what we did with that subhead? Never mind.

Ultimately the decision rests with the IT team. You probably do trust your colleagues a great deal, but it can be about context. The Trusted Advisor website once said “I trust my dog with my life – but not with my ham sandwich”, and it’s similar in the case of personnel and their IT. Of course they’re going to do their best and aim to be productive and non-damaging. The issue is whether they have the competence not to introduce programs that are unapproved, apps with consumer-level rather than industrial-level security (where they are known), and whether they understand the ramifications of these tempting workarounds.

The chances are that they don’t. There’s no reason they should – those are the competences of the IT team. The solution is communication – ensure that your colleagues understand that any rules about what happens to information and data are there to ensure good governance and to reassure clients that they are safe when dealing with you.

A good IT department is an enabler rather than a blocker – it’s up to them to make sure people understand how they are achieving this.

