Shadow IT

What is Shadow IT?

While it sounds dark and mysterious, Shadow IT is simple: it is staff members selecting and using IT resources (software, cloud services, vendors) or computer workflows without the knowledge or approval of the organization’s leadership or IT department. Small businesses are particularly prone to Shadow IT given the ‘get it done’ mentality of our amazing workforce members.

To clarify: there is nothing wrong with an organization (and in some cases, a department) selecting and using IT tools, building workflows, and getting work done. Shadow IT is when these things happen without the IT department or leadership being aware of them.

Shadow IT is dangerous and expensive for several reasons, including:

  • Shadow IT threatens business continuity in cases of disaster or systems failure, because systems and data nobody in IT knows about are not covered by backups or recovery plans
  • Shadow IT exposes the organization to new risks (data leakage, unmanaged accounts, unpatched software) that go unaddressed because IT and management do not know they exist
  • Shadow IT makes staff turnover more expensive, since the tools and processes live in one person’s head rather than in documented standards

As a small business, it’s easy to think that Shadow IT isn’t a real issue for you. The truth is that small businesses are not only susceptible, but frequently encounter Shadow IT.

Owners and management often leave staff to create their own means and methods to get work done, and sometimes that staff may use new IT tools in those workflows, or store company data in unexpected locations. Below are a few examples of Shadow IT that we encounter daily. Any of the following practices being implemented or used by an employee without the knowledge of the organization’s leadership or IT department should be cause for concern:

  • Cloud storage services such as Dropbox, Google Drive, etc.
  • Free or unauthorized email services being used to conduct company business
  • Remote access tools such as GoToMyPC being installed/used
  • New software such as a new accounting package being installed on one or more computers, and/or its database being stored on a workstation instead of a server that is backed up
  • New repositories of sensitive information being created on a network share
  • The use of removable storage media by staff to access their documents wherever they go (aka thumb drives)
  • Personal subscriptions, products, or services used to conduct business

So, what can you do about it?

Culture: One of the primary things you can do about rogue and Shadow IT in your organization is address it with onboarding, culture, and behavior from leadership. Make the sanctity of company data part of your training, and exhibit those principles yourself. If team members see leadership being casual about company data and resources, they will only magnify that attitude.

IT Mandate: An IT department without a mandate is just a helpdesk. Hopefully, you see and use IT as a resource to answer, ‘how should we solve this technological problem?’ Beyond that, you should provide your IT department with a mandate: “Protect my organization from Shadow IT and allow only best practices within my organization.” (We look forward to covering ‘An IT Department’s Mandate’ in future editions of DTP’s Tech Talk).

Keep IT and Leadership Informed: This is cultural as well, but anyone implementing something in the organization should have a habit of making leadership and the IT department aware of it (new applications, data sets, procedures, etc.). Leaders can encourage this behavior by being involved in operations to a reasonable degree without micromanaging.

Documentation: An area of major improvement for our own organization over the last several years has been the documentation of processes, procedures, and lessons learned. Cataloged in a company wiki, these items provide fast ramp up for new employees and a source of truth for everyone. As a matter of habit, all procedures, systems, and workflows are documented as much as possible.

Create (and Test) a Disaster Recovery Plan: You can locate some elements of Shadow IT by actively testing your disaster recovery plan. If the test is genuine and involves IT, it will shine a light on those areas of darkness not covered by backup or other recovery options.

Auditing: Periodic audits of mission critical systems with the IT department (specifically the backups and disaster recovery aspects) are a critical business habit. HIPAA covered entities are required to perform a periodic security risk analysis (commonly done annually), which can easily also include an inventory of all systems in use, compared against the list of what IT actually sanctions and backs up.
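One concrete way to run the audit above, and to surface the examples listed earlier (unsanctioned cloud sync clients, remote access tools, accounting software living on a single workstation), is to reconcile a per-workstation software inventory against the list of applications IT has approved. The script below is an added example written for this page, not DTP’s own tooling. The inventory rows, the sanctioned list, the keyword hints and the product names on the workstations are all constructed for illustration; in practice the inventory would come from your RMM tool or from each workstation’s installed-programs list.

```python
"""Reconcile a workstation software inventory against the sanctioned list.

Added example for this article. Everything below (hostnames, products,
sanctioned list, keyword hints) is constructed sample data, not real
customer data; feed it your own inventory export in the same shape.
"""

# Applications IT has approved, as case-insensitive substrings of the
# installed program name. Constructed for this example.
SANCTIONED = {
    "microsoft 365",
    "google chrome",
    "quickbooks desktop",
    "adobe acrobat reader",
    "sophos endpoint",
}

# Keyword hints for the Shadow IT categories the article calls out.
# Hypothetical starter list; extend it with what you actually find.
RISK_CATEGORIES = {
    "cloud storage sync": ("dropbox", "google drive", "box sync", "icloud"),
    "remote access": ("gotomypc", "teamviewer", "anydesk", "logmein", "splashtop"),
    "accounting/database": ("quickbooks", "sage", "sql server express", "peachtree"),
}

# Constructed inventory: (workstation, installed application, publisher).
SAMPLE_INVENTORY = [
    ("WS-FRONTDESK", "Microsoft 365 Apps for business", "Microsoft Corporation"),
    ("WS-FRONTDESK", "Dropbox", "Dropbox, Inc."),
    ("WS-FRONTDESK", "Google Chrome", "Google LLC"),
    ("WS-BILLING", "Microsoft 365 Apps for business", "Microsoft Corporation"),
    ("WS-BILLING", "QuickBooks Desktop Pro 2023", "Intuit Inc."),
    ("WS-BILLING", "Acme Books 4.1", "Acme Software (constructed)"),
    ("WS-BILLING", "TeamViewer", "TeamViewer Germany GmbH"),
    ("WS-OWNER", "Microsoft 365 Apps for business", "Microsoft Corporation"),
    ("WS-OWNER", "GoToMyPC", "GoTo"),
]


def is_sanctioned(app_name, sanctioned=SANCTIONED):
    """True if the program name matches any approved substring."""
    lowered = app_name.lower()
    return any(pattern in lowered for pattern in sanctioned)


def classify(app_name):
    """Map an unsanctioned program to a risk category, or 'unclassified'."""
    lowered = app_name.lower()
    for category, hints in RISK_CATEGORIES.items():
        if any(hint in lowered for hint in hints):
            return category
    return "unclassified"


def audit(inventory, sanctioned=SANCTIONED):
    """Return {app_name: {"category", "publisher", "hosts"}} for every
    installed program that is not on the sanctioned list."""
    findings = {}
    for host, app, publisher in inventory:
        if is_sanctioned(app, sanctioned):
            continue
        entry = findings.setdefault(
            app, {"category": classify(app), "publisher": publisher, "hosts": set()}
        )
        entry["hosts"].add(host)
    return findings


def report(findings):
    """Render findings as plain-text lines for the audit write-up. An app
    present on exactly one workstation gets an extra prompt, because that is
    where a local database or document store tends to hide from backups."""
    lines = []
    ordered = sorted(findings.items(), key=lambda kv: (kv[1]["category"], kv[0]))
    for app, info in ordered:
        hosts = ", ".join(sorted(info["hosts"]))
        line = f"[{info['category']}] {app} ({info['publisher']}) on {hosts}"
        if len(info["hosts"]) == 1:
            line += "; single workstation: ask where its data lives and whether it is backed up"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_INVENTORY)):
        print(line)
```

The sanctioned check runs before classification on purpose: QuickBooks on the billing machine matches the accounting hint but is approved, so it never appears, while the constructed ‘Acme Books’ install lands as unclassified and single-workstation, which is exactly the conversation to have with the person who installed it. Anything that shows up as unclassified is a prompt to either add it to the sanctioned list (and to backups) or remove it, not a verdict on its own.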

Don’t Assume IT is Omnipresent: Many people assume that IT is an always-present, big-brother-esque operation that sees everything. The truth is pretty far from this. IT people are human beings with limitations, and we don’t have magic lenses to analyze your business with. We need your help to make sure all bases are covered.

Most of the above areas of concern fall into what should be called ‘Working ON your business, not IN it.’ As small businesses, we have to deliberately make time to work on our businesses. We are honored that our customers trust in us for their IT needs, and we would welcome the opportunity to further help you work on your business.

Subscribe to Digital Technology Partners Blog for Cybersecurity Tips