The term “Shadow IT” (also known as “rogue IT” in North America or simply “phantom computing” in France) has been popularized over the last decade to refer to all information and communication systems implemented within a company without the approval of the IT department.
According to the U.S. based Gartner, which regularly explores this topic, it refers to “software, services or computing devices which are not owned or controlled by an organization’s IT department”.
Being “out of control,” Shadow IT creates significant risks for companies. Using key figures (from recent third-party studies) and targeted findings, let’s focus on how this phenomenon threatens our livelihood and the integrity of our data.
It all starts with the employees
According to a study by the consulting firm Frost & Sullivan, “more than 80% of employees admit to using IT solutions without the formal approval of their CIO.”
Shadow IT is therefore a massive phenomenon, and the company must learn to defend itself. It’s estimated that out of about 20 SaaS applications used within a company, seven haven’t yet received approval from their IT department—more than a third!
Without bad intention and quite the contrary (because the motive is very often to improve their productivity), the employees themselves are the ones who invite a Trojan horse into their company… because they’re completely unaware of the risks.
Here are four situations in which Shadow IT inevitably develops:
- Employees consider that the tools their IT Department offers them do not meet their business needs.
- The CIO is not responsive enough or doesn’t understand the business needs and constraints.
- Employees feel they have no other means of obtaining the data they need for their missions.
- Tools are so simple, fluid and almost instantaneous (Google Docs, Slack or Dropbox…) ”These apps can be downloaded in one click, so any need to notify the IT department may seem superfluous.” (Openip)
Thinking they can solve problems and save time, they create multiple risks for themselves, their coworkers and the entire company.
Multiple uses that are as many threats
According to the 2017 Shadow IT Report by CESIN, CIOs estimate their company uses an average of 30-40 cloud applications and services. In reality this figure is largely underestimated: we’re talking about 250 to 5,950 cloud apps per company, with an average closer to 1,700 apps (2017 Shadow IT Report). That’s a huge, disturbing perception gap of the need for Shadow IT control and prevention.
The cloud storage revolution has enabled businesses and individuals alike to take advantage of the cloud, or rather “clouds”. In its latest report ,Symantec counted more than 22,000 cloud applications with a business aspect and enabling information sharing! So many temptations for employees to import their favorite software into their company.
So, what are all these applications, cloud services and equipment that IT departments haven’t approved, and which vary greatly from one company to another?
- social networks: Twitter, Facebook, Whatsapp
- storage and file sharing: Google Drive, Dropbox, Wetransfer
- personal messaging: Outlook, Gmail, Yahoo
- video sites: Youtube, Dailymotion
- personal devices: computer, tablet, telephone
- search engines: Google, Ecosia, Yahoo, Qwant
Another Trojan horse: the BYOD (“bring your own device”), which the CNIL defines as the use of personal computer equipment (tablet, telephone, personal computer) in a professional context. Abolishing the seal between professional and personal lives, between professional and personal software and between professional and personal data, the provision by the employee of his or her own equipment is also a major danger for companies.
Also read: Navigating Urbanization and Governance Within the Enterprise Social Network (ESN): Benchmarks
Security flaws and risks of cyber-attacks
Shadow IT’s biggest threat? Cybercrime. According to the Gartner study, “by 2020, one third of all computer attacks will target Shadow IT.”
But a host of dangers await the company as it allows Shadow IT to progress within it, ranging from leakage of strategic data to the risk of virus infection and password theft.”
Here are some of the various risks and threats that Shadow IT represents for the company:
- security: data breach or theft
- cost: generally higher than solutions approved by the CIO
- compliance: inconsistent application of processes throughout the entire company
- dispersion of data and therefore loss of information
- lack of technical integration of the tools between them and therefore poor circulation of information
- durability: low durability (as an obsolete tool is immediately or at the same time replaced by another one)
- noncompliance with the GDPR (General Data Protection Regulation)
- reputation: risk to the company’s image in the event of a problem
A growing awareness nonetheless
According to a study published by Entrust Datacard, 77% of CIOs agree that by 2025, parallel computing will become a bigger problem in their organizations if they do nothing about it.
According to the results of the latest survey conducted by cyber security specialist Check Point and Dimensional Research, 95% of companies reported facing additional challenges with the implementation of large-scale remote access for employees and the use of unsanctioned IT tools (meaning Shadow IT).
The CIO is holding all the cards
To stop Shadow IT within the company and regain control over the tools/hardware/software employees use, CIOs can play several hands:
- develop a network of correspondents within each business line to enable reporting on IT needs (and shortcomings)
- provide more frequent assistance to business teams in the achievement of their projects
- offer to provide reactive and efficient help on IT integration problems between business tools
- … and raise employee awareness of risky behaviors
Indeed, of these, 42% say a clearer policy outlining how employees can request technology would help employees access new tools in a more IT-compliant manner. (source: Entrust Datacard, 2019)
Concerning the collaborative tools segment (which represents the bulk of Shadow IT), another approach is increasingly being taken by CIOs. To remedy Shadow IT, they’re choosing to adopt a collaborative platform that allows them to centralize, modernize and secure exchanges. A broad functional spectrum, natively integrated, which meets the essential business needs and thus avoids the employee needs for additional tools.
Also read: Seven Unbeatable Arguments to Convince Your General Management to Deploy an Enterprise Social Network
Are you seeking to drastically reduce the risk of Shadow IT practices in your company? The Talkspirit team is at your disposal to show you solutions and advise and support you in your project. Contact us or schedule a demo (free consultation, without obligation).
Authors: Benoît Renoul, Hugo Bessaguet
[Based on analysis of third-party studies, this article and its related infographics illustrate the causes and challenges of Shadow IT for French SMEs & middle-market companies, putting them into perspective with the aim of raising awareness among IT managers.]