The Growing Risks of Shadow IT within Organizations

In an organization “there are typically 5-10 times more cloud services being used than are known by IT,” according to Cisco Services senior director Robert Dimicco. These cloud services are brought into organizations without the IT department’s knowledge or approval.

But this tends not to be an act of intentional disobedience or rebellion. Staff bring in cloud services that help them and their teams solve problems, unaware that these applications could cause security risks.

These applications that exist within an organization and aren’t known by IT staff are known as “Shadow IT”, and they are an increasing cause for concern.

In a recent blog post, Dimicco drew upon his experience meeting with Cisco clients to identify some major risks related to Shadow IT.

To begin with, data security requires strong processes and controls that enable IT to track how information is being shared in the cloud. That is even harder when IT doesn’t know which applications have access to data, which makes keeping information safe more difficult.

A breach in which company information is stolen, or sensitive information is accidentally shared with people who shouldn’t have access, can ruin a brand’s competitive advantage, seriously hurt its reputation, and perhaps even put customers in danger.

Additionally, regulations in industries such as healthcare, finance and the public sector around data controls, retention, and privacy can be hard to enforce without understanding how individuals and applications interact with data. Again, not even knowing which services have access to data leaves IT unable to implement data control policies that keep data safe and compliant with regulations.

Another risk is that certain services that comprise Shadow IT could vanish by going out of business, being purchased, or undergoing a fundamental change to their service. Smart IT providers know to choose services that are likely to be around for the foreseeable future, or to have contingency plans in case one service falls through. If a service suddenly stops, the company risks losing not only data, but also the functionality provided by these Shadow IT services.

Finally, there are financial risks – or more accurately, inefficiencies – given the amount of money staff could be spending on Shadow IT. For instance, Dimicco said he knew of one company that spent nearly a million dollars annually on Shadow IT. By buying services on an individual basis, companies are wasting money by purchasing duplicate cloud services, and losing out on being able to negotiate bulk contracts.

This all shapes up to make Shadow IT seem like a major hurdle for organizations. Even ones that are not implementing cloud computing are increasingly being forced to deal with many of the security implications because of their staff’s use of cloud services.

Implementing strict policies around what applications employees can use is one method of dealing with Shadow IT, but this authoritarian approach doesn’t sit well with many employees who are simply trying to be productive. Part of the solution should be to provide staff with the cloud services they need, but from approved vendors with the necessary controls.

Consultancy services such as Cisco’s Data Center Assessment for Cloud Consumption can help identify Shadow IT and areas where cloud services can be implemented securely and cost-effectively.

There are also software solutions from providers such as Skyhigh, FireLayers, and SkyFence that provide network security visibility needed to identify Shadow IT applications and set an appropriate course of action.
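The kind of visibility those tools provide can be approximated from logs an organization already keeps. Below is an added example, not code from the article or from any of the vendors named, that scans constructed web-proxy log lines against a hypothetical approved-vendor list, reports hosts that are not approved (with the users and upload volume involved), and flags categories where more than one unapproved service is in use, which is the duplicate spend described above. All hostnames, the approved list, and the log format are assumptions.

```python
"""Spot unsanctioned cloud services in web-proxy logs (added example, constructed data)."""
from collections import defaultdict
from urllib.parse import urlparse
# Hypothetical approved-vendor list: hostname -> service category.
APPROVED = {"files.approved-storage.example": "file-sharing"}
# Hypothetical catalogue of recognised but unapproved services, by category.
KNOWN_UNSANCTIONED = {
    "share.otherdrive.example": "file-sharing",
    "drop.quickbox.example": "file-sharing",
    "notes.pastecloud.example": "collaboration",
}
# Constructed proxy log: timestamp, user, URL, HTTP status, bytes sent.
SAMPLE_LOG = """\
2024-01-08T09:02:11Z alice https://files.approved-storage.example/upload 200 52133
2024-01-08T09:05:40Z bob https://share.otherdrive.example/api/put 200 1048576
2024-01-08T09:06:02Z carol https://drop.quickbox.example/u 200 734003
2024-01-08T09:07:19Z bob https://share.otherdrive.example/api/put 200 2097152
2024-01-08T10:11:45Z dave https://unknown-saas.example/sync 200 10240
"""

def parse_line(line):
    """Split one log line into its fields; the destination host is what we key on."""
    ts, user, url, status, size = line.split()
    return {"ts": ts, "user": user, "host": urlparse(url).hostname, "bytes": int(size)}

def find_shadow_it(log_text):
    """Return (stats for each non-approved host, categories served by >1 unapproved host)."""
    stats = defaultdict(lambda: {"users": set(), "bytes": 0, "category": "unknown"})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["host"] in APPROVED:        # sanctioned traffic is not Shadow IT
            continue
        entry = stats[rec["host"]]
        entry["users"].add(rec["user"])    # who to talk to about an approved alternative
        entry["bytes"] += rec["bytes"]     # upload volume hints at data leaving the org
        entry["category"] = KNOWN_UNSANCTIONED.get(rec["host"], "unknown")
    # Two or more unapproved services in one category is the duplicate spend described above.
    by_cat = defaultdict(set)
    for host, e in stats.items():
        if e["category"] != "unknown":
            by_cat[e["category"]].add(host)
    duplicates = {c: sorted(h) for c, h in by_cat.items() if len(h) > 1}
    return dict(stats), duplicates

if __name__ == "__main__":
    stats, dups = find_shadow_it(SAMPLE_LOG)
    for host, e in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{host:28} {e['category']:13} users={len(e['users'])} bytes={e['bytes']}")
    for cat, hosts in dups.items():
        print(f"duplicate {cat} services: {', '.join(hosts)}")
```

Hosts reported as "unknown" are the ones worth checking first, since they are not even in the catalogue of recognised services.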

Shadow IT seems almost inevitable in most organizations as it becomes increasingly easy to deploy applications, and staff continue to want to do more. As IT service providers, it’s important to realize that these applications have the power to cause organizations harm.

Users often only resort to Shadow IT because they aren’t given the right approved tools, so it’s important for IT departments to work to help provide these solutions – often as Software-as-a-Service applications – so that staff don’t have to resort to other, potentially dangerous services.