What is Shadow IT?
Shadow IT is a catch-all term for any technology used within a corporate environment that sits outside the purview of the company’s “official” information technology department: tools, services, and devices adopted without IT’s approval or, often, its knowledge.
What are the Risks of Shadow IT?
Shadow IT may be quick, easy, and convenient for individual employees or teams trying to solve a problem. However, unapproved technology has some legitimate downsides.
First, shadow IT represents a major security risk. Unauthorized applications or devices can introduce malware and give an attacker an initial foothold, placing the business at serious risk. Unauthorized access to data can disrupt the company’s IT operations or compromise its products.
Shadow IT can run counter to compliance and regulations. Whether it’s GDPR, HIPAA, PCI, or some other relevant standard, non-compliant applications could result in major fines or lost customers. Moreover, they can lead to lapses in security or data integrity. Even their mere presence could lead to a company or product losing a critical certification.
Cloud-based applications also represent a significant shadow IT risk. If employees begin storing business-related information on these services or connect them to other systems via an API, the business no longer has sole control of its data. Without a clear understanding of each cloud provider’s own security defenses, protocols, backup and data recovery capabilities, and access controls, a seemingly harmless SaaS tool could expose the entire business to a security breach or compliance breakdown.
What are Some Examples of Shadow IT?
Many products and applications now commonplace within a corporate setting got their start as shadow IT. For example, when pagers and then mobile phones came on the scene, they were often not part of a company’s official IT offering.
This became more of an acute issue when mobile phones evolved into smartphones capable of running applications. Employees began independently connecting them to corporate services, such as Exchange for email and calendaring.
Other applications that frequently got their start as shadow IT include cloud file storage and file sharing solutions, such as Dropbox and Box, and messaging and communication apps including Slack and Skype. Plenty of product development organizations also began using collaboration tools such as Trello and Asana on the sly. Some organizations even consider Adobe Photoshop shadow IT.
SaaS applications fall under the category of shadow IT. Yet employees assume these applications remain “safe.” Granting broad OAuth permissions to such an application creates real risk: the consent gives the app its own token-based access to mail, files, or directory data that outlives the employee’s login session and is not subject to the interactive MFA prompt, so a compromised or malicious app can read that data for as long as the grant stands.
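The API connections and OAuth grants mentioned above are where shadow SaaS usually leaves a footprint an IT or security team can actually inspect. The script below is an added example, not code from the original article: it triages a list of OAuth consent grants and flags apps holding over-broad scopes, with unverified publishers and user-level (non-admin) consent raising the score. The grant records are constructed sample data; the record fields and the `BROAD_MARKERS` heuristic are assumptions, not any identity provider’s schema or policy. The scope names used in the sample (`Mail.Read`, `Files.ReadWrite.All`, `offline_access`, `User.Read`) follow Microsoft Graph’s published permission names, but the apps and users are invented.

```python
"""Triage OAuth consent grants and flag over-broad third-party app access.

Added example (not from the original article). Grant records are constructed
sample data; field names and the scoring heuristic are assumptions.
"""
from dataclasses import dataclass

# Substrings that mark a scope as "broad": tenant-wide (.All) or write access
# to mail/files/calendar, directory access, or offline_access (the app holds a
# refresh token and keeps working after the user's session ends).
# ASSUMPTION: this list is a starting heuristic, not a vendor-defined set.
BROAD_MARKERS = (".All", "ReadWrite", "Directory.", "offline_access",
                 "full_access_as_user")

# Scopes that amount to sign-in only and never count as broad.
BENIGN_SCOPES = {"openid", "profile", "email", "User.Read"}


@dataclass
class Grant:
    app: str                  # display name of the third-party app
    publisher_verified: bool  # did the IdP verify the app publisher?
    consent_type: str         # "user" (self-service) or "admin" (reviewed)
    principal: str            # who consented
    scopes: list[str]         # delegated scopes granted


def is_broad(scope: str) -> bool:
    """True when a scope grants standing access beyond basic sign-in."""
    return scope not in BENIGN_SCOPES and any(m in scope for m in BROAD_MARKERS)


def risk_score(g: Grant) -> int:
    """Additive score: 2 per broad scope; +3 if the publisher is unverified;
    +1 if consent was user-level (nobody in IT reviewed it). Benign-only
    grants score 0 regardless of publisher or consent type."""
    score = sum(2 for s in g.scopes if is_broad(s))
    if score and not g.publisher_verified:
        score += 3
    if score and g.consent_type == "user":
        score += 1
    return score


def triage(grants: list[Grant], threshold: int = 4) -> list[dict]:
    """Return grants at or above the threshold, highest risk first."""
    findings = []
    for g in grants:
        s = risk_score(g)
        if s >= threshold:
            findings.append({
                "app": g.app,
                "principal": g.principal,
                "score": s,
                "broad_scopes": [x for x in g.scopes if is_broad(x)],
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample export; none of these apps or users are real.
SAMPLE_GRANTS = [
    Grant("Roadmap Helper", False, "user", "alice@example.com",
          ["openid", "profile", "Files.ReadWrite.All", "Mail.Read",
           "offline_access"]),
    Grant("Calendar Sync", True, "admin", "tenant-admin",
          ["openid", "Calendars.ReadWrite", "offline_access"]),
    Grant("Login-only Widget", True, "user", "bob@example.com",
          ["openid", "profile", "email", "User.Read"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f"{f['score']:>2}  {f['app']:<18} {f['principal']:<20} "
              f"{f['broad_scopes']}")
```

Running it on the sample data surfaces “Roadmap Helper” first (two broad scopes, unverified publisher, self-service consent) and “Calendar Sync” second, while the sign-in-only widget is ignored. In practice the records would come from the identity provider’s consent-grant export, and the markers list would be tuned to the scopes the organization actually considers sensitive.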
Hardware also falls under the shadow IT umbrella. Employees using personal devices including laptops and smartphones as well as storage options such as external hard drives and USB flash drives are often doing so without the approval or awareness of corporate IT.
How Does Shadow IT Apply to Your Job?
As an employee, you should always adhere to your employer’s IT policies and avoid “going rogue” whenever there’s a new tool, app, or device you’d like to use within the corporate environment, be it on their network or their devices. It may feel like unnecessary caution, but countless breaches have occurred when employees take a “shortcut” and use shadow IT solutions, even when it’s a purpose-built, cloud-based roadmapping tool.
For individual contributors and team leaders desiring the ability to be nimble and use the latest technology and applications to do their jobs and deliver great products, it makes sense to proactively work with the corporate IT department.
Encourage flexible policies that let new tools be added to the approved set with minimal steps to get a green light. IT can save product teams time and keep them out of shadow IT by streamlining the approval process.
What Does Shadow IT Mean for Your Products?
Your customers’ IT departments need to trust your product, or they will label it shadow IT. That means your users may be putting themselves and their companies at risk by using it in a corporate environment without the appropriate permissions.
Obtaining each IT department’s blessing is ultimately up to the customer, but product teams can take a few steps to streamline this process and allay common concerns from wary IT project managers.
Ensure your product meets all applicable regulatory and compliance requirements:
This isn’t the most exciting use of development resources, but it’s often table stakes to get clearance by IT departments, particularly if there is any personally identifiable information (PII) used in the app or the client works with any healthcare, financial, or government data. Take the extra steps to get certified when applicable.
Ensure your product and its entire supporting infrastructure undergo regular security scans and are updated and patched promptly:
No product wants to be the root cause of any breach, so make sure your house is in order and these steps are part of the regular routine. Any security incident that gets traced back to your product can kill momentum and ruin reputations. Cybersecurity should figure prominently in your product roadmap.
Don’t capture/retain any data your product doesn’t need:
The more information an app collects, the more risk it takes on. Minimize what’s collected to what actually impacts the customer experience. Then take extra care it never falls into the wrong hands or gets exposed.
Create customer-facing documentation that answers key questions for IT departments:
The more proactive you can be, the less time you’ll spend completing their security questionnaires. Plus it might accelerate revenue if the client’s IT department finds your product and organization easy to work with.
Encourage potential customers to play by the rules:
Include IT approval as part of the customer journey and/or onboarding process to prevent any last-minute gotchas or your customer ending up in their IT department’s doghouse. The smoother things go with User No. 1 the better chance you’ll have of an expanded deployment and increased adoption.