What is Shadow IT?
Smartpedia: Shadow IT refers to the use of technologies and software applications by employees without the approval of corporate IT.
Shadow IT – the unauthorised use or development of technologies in companies
The term shadow IT was coined in 2009 by the market research company Gartner, Inc. It describes a situation in which employees use unauthorised technologies at the workplace or programme them themselves in order to optimise their work processes.
Although the employees’ intentions are positive, the unauthorised use of mobile devices, third-party tools, self-programmed applications, messaging services or cloud services can pose security risks. In addition, the support of the products used, which are operated outside the company’s IT infrastructure and policies, is not guaranteed. Users must therefore make a trade-off between the benefits of innovative solutions and the deployment risk of unauthorised use of technologies.
Shadow IT examples
There is a whole range of shadow IT examples. Below you will find a selection:
- Using private email accounts for work-related communication without authorisation.
- Using cloud storage services to share company files without the knowledge of the IT department.
- Accessing work-related apps or emails via private smartphones or tablets.
- Using private computers or laptops to perform work tasks.
- Using messaging apps to discuss work tasks.
- Use of unapproved software tools for data analysis.
- Use of unapproved software apps for video conferencing.
- Accessing company information over public Wi-Fi networks.
- Using unapproved browser extensions or plug-ins to increase work productivity.
This list could easily be extended.
Reasons for shadow IT
There are several reasons why employees turn to solutions even though they are not whitelisted or officially approved by central IT:
- Employees use tools because they consider them to be more flexible, feature-rich or perform better than the solutions provided or approved by their company.
- Employees may lack knowledge that the tools they are using are unauthorised or pose a security risk.
- Employees use new technologies to improve their workflows without waiting for IT approval or evaluation. They deliberately present the organisation with a fait accompli or try to get it to integrate the tools into the IT infrastructure.
- Departments or teams may have their own budget for technology, separate from the IT department. This can lead to the introduction of technologies without explicit approval from the IT department.
- Employees may refuse to use new IT tools or procedures imposed by the IT department. Instead, they prefer to use alternative solutions.
In addition, in many organisations it can be seen that staff are programming their own solutions rather than waiting for adequate provision or procurement from the IT department.
- IT departments may have a backlog of requests and may not be able to deliver new tools or updates as quickly as employees need them. Employees therefore develop their own solutions to meet their immediate needs.
- Staff are sometimes not aware of the IT department’s plans for new tools or are not informed when new tools will be available. This lack of communication can lead to staff taking action and sourcing or developing solutions on their own.
- Employees have special needs or preferences that are not taken into account by the IT department. By developing their own solutions, employees have more control over the tools they use and can adapt them to their specific needs.
And last but not least, there are employees who find the IT department’s guidelines too restrictive and therefore take action on their own.
Problems and possible negative effects of shadow IT
There is a whole range of problems that can arise from the unauthorised use of technology by employees in organisations:
- Data security, data integrity and data protection are not guaranteed. The damage caused, for example, by a loss of data or uncontrolled access to internal company systems and/or data by third parties cannot be estimated, but it could possibly jeopardise the continued existence of the entire company.
- Processes may be established that contradict existing compliance rules.
- Both first and second level support are lacking, as there are neither internal company contacts for the technologies used, nor have corresponding agreements been made with suppliers or providers.
- The effort needed to further develop self-developed applications is underestimated. Development ends at the latest when no capacity is available for it in the company’s daily routine, or when the programmers of the in-house development leave the company and take the corresponding knowledge with them. In addition, documentation is almost always missing for many in-house developments.
- With release changes, it is not unusual for interfaces to change as well. Keeping the in-house developed programmes functioning in the IT infrastructure can then require manual data migrations or interface adjustments. This endangers the overall performance of the company, as employees are kept from their original tasks.
In addition, shadow IT often results in isolated solutions that impair efficient interaction with other areas.
Advantages of shadow IT
However, shadow IT does not only have disadvantages or provoke risks. There are also some positive aspects that can come with the use of unauthorised technologies:
- New technologies often offer potential that companies may never have dreamed of before. When employees use tools without authorisation, they force their organisations to look at the benefits and potential more quickly than they might otherwise have done.
- Shadow IT solutions are often used because they offer immediate benefits to users and meet concrete needs. So, when in doubt, it pays to address the concrete needs of employees, as well as to incorporate new solutions or replace existing technologies.
- The procurement or use of shadow IT solutions often takes place without elaborate approval processes. It is thus also a signal to the organisation that employees are hoping for faster processes and, if necessary, a greater voice within the company.
- The freedom of employees to choose products or services themselves increases identification with the chosen solutions. This is also an indicator that employees should be actively involved in the “official” selection of suitable tools.
A process for identifying shadow IT
It is advisable to use a defined process to identify and manage shadow IT solutions:
- Organisations should first conduct an inventory of IT systems and applications and identify any systems or applications that may have been implemented without the knowledge or approval of the IT department.
- Appropriately identified IT systems and applications need to be assessed for potential risks. This should include aspects such as data security, compliance with rules and regulations and the impact on business operations.
- The next step is to assess the business need for each shadow IT solution: How important is the solution to business operations and what benefits does it offer compared to existing IT systems and applications?
- Ideally, the whole process should be done in cooperation with the stakeholders. It is explicitly about understanding users’ needs and concerns. At the same time, risks and benefits should also be discussed openly.
- Based on the findings, the risk assessment and the consideration of the benefits, a plan for dealing with the shadow IT solution should be developed. This may include integrating the solution into the company’s IT infrastructure, replacing it with a company-approved solution or discontinuing its use altogether.
- Once a plan has been implemented, the use of the shadow IT solution must be monitored and administered. If necessary, it makes sense to conduct appropriate audits on the use of new solutions.
Overall, identifying and managing shadow IT solutions requires a careful balance between promoting innovation and agility in IT operations while ensuring the security and compliance of corporate data and operations.
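The inventory and first assessment steps of this process can be started from data many organisations already collect. The following Python script is an added example, not part of the original article: it compares a constructed web-proxy log against a hypothetical list of approved domains and ranks the unapproved services by upload volume and number of users. The log format, the domain names and the 10 MB upload threshold are assumptions.

```python
from collections import defaultdict

# Assumption: services approved by central IT (hypothetical domains).
APPROVED = {"corp.example", "approved-storage.example"}

# Constructed sample proxy log: timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice files.approved-storage.example 52000
2024-03-04T09:15:40Z alice share.unknown-cloud.example 48000000
2024-03-04T09:20:13Z bob share.unknown-cloud.example 1200000
2024-03-04T10:02:55Z carol chat.side-messenger.example 3500
2024-03-04T10:05:10Z bob intranet.corp.example 900
2024-03-04T11:30:00Z carol share.unknown-cloud.example 700000
malformed line without enough fields
"""

def is_approved(host, approved=APPROVED):
    """True if host equals an approved domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # The leading dot prevents look-alikes such as evilcorp.example from matching.
    return any(host == d or host.endswith("." + d) for d in approved)

def inventory(log_text, approved=APPROVED):
    """Inventory step: collect destinations that are not on the approved list."""
    found = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of failing the run
        _, user, host, sent = parts
        if not is_approved(host, approved):
            found[host.lower()]["users"].add(user)
            found[host.lower()]["bytes_out"] += int(sent)
    return found

def triage(found, upload_limit=10_000_000):
    """Assessment steps: upload volume as a risk signal, user count as a need signal."""
    rows = []
    for host, info in found.items():
        risk = "high" if info["bytes_out"] >= upload_limit else "low"
        rows.append((host, len(info["users"]), info["bytes_out"], risk))
    # Highest upload volume first, so those services are discussed first.
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, users, sent, risk in triage(inventory(SAMPLE_LOG)):
        print(f"{host:32} users={users} bytes_out={sent} risk={risk}")
```

The ranking is input for the discussion with stakeholders and for the plan; it does not decide whether a service is integrated, replaced or discontinued.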
Other approaches to integrating shadow IT into the IT infrastructure
In addition to the process of identifying shadow IT solutions and developing a plan to deal with them, there are other options to reap any benefits while facilitating integration into the enterprise-wide IT infrastructure:
- Bring Your Own Device (BYOD),
- low-code development and
- no-code development.
BYOD allows employees to use their own devices such as smartphones, laptops and tablets for work-related tasks. This can increase productivity, job satisfaction and flexibility as employees can work from anywhere, at any time. However, it can also pose security risks if the devices are not properly secured and managed. Therefore, it is important that strict policies and guidelines are in place to ensure the security and confidentiality of company data.
Low-code development promotes the creation of an application with almost no programming by simply clicking together pre-built software modules. The application is created by employees of a specialist department who develop software although they are not software developers; in this context, the term Citizen Developer has become established. The use of low-code can increase efficiency and accelerate the development process, as employees can quickly create applications and adapt them to their needs. In addition, IT departments are relieved so that they can concentrate on more complex projects.
In addition to low-code development, there is also so-called no-code development, also known as click development or point-and-click development. It refers to the creation of applications without any programming by simply clicking together prefabricated software components. The idea of no-code is in the name: “no code” is needed when creating an application. The code is already in the components, which can be selected and clicked together as in a construction kit.
Overall, BYOD, low-code and no-code developments can be beneficial for companies, as long as they can be integrated into the IT infrastructure. However, it is important to carefully evaluate and implement such approaches and solutions to ensure that they meet the needs of the business and relevant regulations and guidelines. In addition, low-code and no-code solutions are not suitable for all use cases and may not provide the same level of customisation and functionality as traditional programming.
Discussion prompt:
What measures can companies take to effectively manage and monitor the use of shadow IT solutions by employees while promoting innovation and agility in IT operations?