
Rethinking Security in the Age of Shadow IT


As more and more business divisions pursue technology solutions independently of the IT department, ‘Shadow IT’ – the use of IT systems and solutions inside an organization without the explicit approval of the IT department – seems to have become the norm. Shadow IT now poses a bigger threat to CIOs and CISOs than it did in the past, especially at a time when stringent data regulations are on the anvil. In this context, it is worth understanding how the discourse around shadow IT is changing, and how CIOs can take a realistic approach to dealing with this complicated issue.

Shadow IT Peeps Through

Recent studies bring the current challenges of Shadow IT into the spotlight. A new survey by Dimensional Research argues that IT’s involvement in these strategic initiatives is beneficial. In reality, however, 50% of CIOs believe IT budgets are insufficient to deliver solutions at scale and report difficulties in achieving stakeholder agreement on important business initiatives. Conversely, 68% of business respondents do not see any challenges with the level of funding. Unfortunately, the rise of shadow IT is often a result of the perception that the IT department is slow, overly restrictive, or unresponsive.

This impasse is clearly reflected in the shared belief that a huge pipeline of unmet requests for IT solutions exists, requiring many months or even years to complete. Not surprisingly, the projects that business leaders undertake in the realm of “shadow IT”, without official IT support or even knowledge, have greatly increased over the last five years.

The problem will continue to escalate, with Gartner estimating that 40-50% of cloud and enterprise application consumption is already happening through uncontrolled and unaccounted-for sources, as businesses can no longer rely on slow procurement processes from central IT. By 2020, one-third of all cybersecurity attacks experienced by enterprises will come from their shadow IT resources. To further illustrate the potential cost, another survey, by EMC, has estimated that data loss and downtime cost organizations around $1.7 trillion a year.

Casting a Security Shadow

Shadow IT infrastructure can be created, and added to, by any number of individuals and groups within an organization, on all types of devices from laptops to mobile phones. It is often done with good intentions, in an effort to improve processes or efficiency, or simply for the sake of convenience. Even so, it poses a serious threat to data security.

In most cases companies are unaware of its use and hence do not know whether their data comes from secured sources or not. Shadow IT can also expose the organization to serious security risks through data leaks and, subsequently, to potential compliance violations, for which the CIO is ultimately held accountable. As Naveen Gulati, CIO at Girnar Soft, noted, “There are inherent dangers in not involving the IT department in the purchasing decisions. The problem arises when line-of-business managers do not involve the IT department in their tech decisions at all. In turn, the biggest mistake non-IT departments often end up making is around integration and security.”

Also, not all cloud apps are built and maintained with the same level of security, and poorly secured cloud infrastructures are highly susceptible to attacks. Services that have weak security mechanisms, or that are hosted on vulnerable systems, are susceptible to data breaches. If a company uses such services to store sensitive information such as customers’ personal and financial data, data breaches are inevitable.

The Gartner research also showed that misuse or mismanagement by employees often contributes to these risks. Inadvertent deletion of data, loss of login credentials, and zombie accounts set up by former team members can all heighten the danger of data exposure and lead to unnecessary spending.

Moreover, recent data regulation regimes have posed new challenges for organizations. With the EU’s General Data Protection Regulation (GDPR) having come into force last year, and more legislation on the horizon, uncontrolled shadow IT poses an even greater risk.

Sharing confidential information with a third party, where the company has no consent to process that information, is a clear violation of the GDPR’s rules. Therefore, companies must now, more than ever, deal seriously with shadow IT or risk being financially penalized under the new regulation, which may end up impeding the organization’s long-term digital transformation projects.

Turning the Focus on Shadow IT

Despite the many challenges of Shadow IT, experts believe it has now reached a critical mass. Hence, the best and only way to confront shadow IT is to deal with it.

Clear communication between business and IT is often highlighted by analysts as imperative for successfully launching innovative technology solutions and user experiences. The Dimension Data study noted that shadow IT can bring value only if there is constant communication between business and IT.

Promoting standardization is often seen as a vital step in taking control of your IT. Standardized solutions adopted across the company often solve the problem of shadow IT.

“To ensure synergy across tools and systems, companies must have clearly defined IT security policies that need constant reviewing and monitoring by the IT department,” Rajiv Gupta, Chief Technologist at Air One Aviation, said.

“With most GDPR fines expected to come as a result of poor data protection and breaches of confidentiality, business managers should also be provided with training and education to understand data privacy and its implications for their organization,” he said.

Experts believe that shadow IT is no longer simply a security risk for the IT department, but also one that can bring severe financial repercussions to your business. To tackle this issue, the CIO must collaborate with others in the C-suite (including the HR manager) to implement workplace guidelines that focus on the important threats, while educating employees about their responsibilities in the long term.
