What is Shadow IT?

When you first hear the term Shadow IT, it might sound vaguely ominous or even downright dangerous. And it can be. In simple terms, Shadow IT describes when an employee—or even an entire department within an organization—circumvents the IT team’s best practices and safety protocols to implement a change such as adding a device, software, or new accounts to their network.

It happens every day in networked organizations. Shadow IT is usually introduced by a well-meaning individual just trying to do their job. They decide that going through the official IT channels will slow things down, so they plug in an external device from home or download a free software program.

They might not realize it, but the consequences can be far-reaching, and sometimes even catastrophic for an organization. Enetics Networks receives most of its referrals from companies that had their operations compromised due to Shadow IT.

Why do Shadow IT networks exist?

There is often tension between the needs of individual employees or departments and the needs of the IT team. While employees look for ways to maintain or optimize their productivity, the IT team protects the network and ensures the organization continues to operate smoothly.

One of the most common reasons employees go rogue and set up their own IT solutions is that they think the IT department will take too long. According to a report by HP Wolf Security, nearly half (48 percent) of office workers surveyed said that they felt security measures were a waste of time. This mindset is a particular challenge with our future workforce; among office workers ages 18-24, that figure rose to 64 percent.

What’s the problem with Shadow IT?

For all industries, but especially those that are highly regulated, data security is a constant concern. When employees introduce new elements into the cybersecurity network that the IT team isn’t aware of, it can put the entire network at risk.

Remote access software is a good example of a Shadow IT vulnerability. It’s used routinely by employees who work offsite, but if the software and permissions aren’t maintained and monitored regularly, they might become conduits to a network breach. One of the most famous of this is the hack of a Florida city’s water treatment plant in February 2021. The attacker appeared to have used remote access software TeamViewer, which an employee had on their computer. Once inside the system, the attacker dramatically increased the levels of sodium hydroxide, also known as lye, set to be released into the city’s water supply. Luckily the attack was detected and reversed before that happened, but the incident offers a terrifying cautionary tale.

How can organizations minimize Shadow IT blind spots?

When businesses grow rapidly, employees often turn to the most expedient solution without checking with the IT team. For small and medium-sized organizations, this tends to be a common issue.

One thing you can do to ensure your employees are not compromising your cybersecurity—besides impressing on them the importance of following IT best practices—is to make that the IT team highly visible in your organization and responsive to requests. If your company outsources its IT functions, encourage employees to contact your IT consultants with any questions or concerns about new devices or software they’d like to use, or if the current network setup isn’t meeting their needs. This way, employees are less likely to become frustrated and try to solve problems on their own.

Regular employee surveys can provide insights into how well your current networking systems are functioning. If there is a high level of frustration in a particular area, it may require troubleshooting to find a more streamlined solution.

Here are some questions you might want to ask:

• Has there been a time when our security systems have posed a barrier to doing your job?
• How easy is it to collaborate with your colleagues on shared deliverables?
• Are the current project management tools meeting your needs?

And finally, while it may be an unpopular stance, here at Enetics Networks, we tend to discourage  our clients from having “bring your own devices” policies. We manage the software licenses for nearly all of our clients, and own and operate the network infrastructure and systems they use. This ensures that everything is up to date, and we can utilize Microsoft’s operating system approval mechanisms to prevent the addition of unauthorized devices and programs. Although not a fail-safe approach, it does reduce a common vulnerability many organizations unwittingly face.

Scott Ecker is the founder and owner of Enetics Networks, a leading IT consulting firm that provides secure, best-in-class, enterprise-level network solutions to businesses of all sizes.