Dollars in the Dark: Solving for Shadow IT
Companies are spending a significant amount on shadow IT services and solutions they can’t see. As noted by Information Week, this so-called “shadow IT” accounts for 30-40 percent of IT costs for large organizations, and a recent study found that 77 percent of staff use third-party applications without the approval of IT departments.
The result? Organizations are spending dollars in the dark as users look to avoid IT scrutiny and leverage the apps they want. How do companies manage the costs and consequences of technology in the shadows?
Sight Unseen: Shadow IT Basics
What is shadow IT? According to Gartner, “Shadow IT refers to IT devices, software, and services outside the ownership or control of IT organizations.”
Put simply, it’s the difference between applications and services approved by your IT teams and the everyday storage and workflow apps used by employees to get their jobs done. Shadow IT can take many forms, from new video editing tools to open-source applications and free software demos.
While unsanctioned use of IT services has always been a problem for technology pros, the scope of shadow IT has grown in tandem with the use of cloud-based corporate services. It makes sense: As employees find themselves empowered by mobile and IoT devices in their personal lives, they expect the same level of usability and functionality across corporate tech solutions.
But understandable security concerns from IT pros often frustrate user desires, in turn driving a kind of cloak-and-dagger culture: Users stop asking permission and instead ask forgiveness when infosec teams discover they’ve downloaded open-source cloud storage applications, productivity solutions or collaboration tools.
For C-suite executives, shadow IT creates a blind spot: While productivity may rise over the short term as staff use the apps they prefer without oversight, spending goes similarly unchecked. Even more concerning? Unexpected security breaches that stem from unapproved apps accessing corporate data or using network services without IT oversight. Best case? IT experts catch these problems early and must spend time remediating the impact. Worst case? Compromised systems, stolen data or long-term network damage.
Where’s the Risk?
Visibility is key to effective IT security — as noted by Dark Reading, 87 percent of IT professionals say limited visibility can compromise security efforts.
Shadow IT naturally removes visibility. While IT teams can track down unsanctioned app use across corporate networks, this often takes time and effort they can’t spare, leading to a catch-22: Not searching for unsanctioned apps puts enterprises at risk, but diverting resources from other IT efforts to find these users and applications presents the same problem.
In practice, shadow risks can take multiple forms including:
• Data Breaches — If unsanctioned apps contain undiscovered flaws, they could be exploited by attackers to compromise networks without warning.
• Reduced Network Performance — Applications running without IT approval aren’t assigned network resources. The result? Performance problems when bandwidth usage doesn’t match expectations.
• Compliance Concerns — As noted by GCN, more than 90 percent of organizations have undetected IoT devices and networks that are separate from their main infrastructure stack. The problem? Compliance expectations still apply — even if companies are in the dark — leading to potential compliance failures, sanctions or fines.
What Does it Cost?
Along with security risks, shadow IT also comes with substantial cost consequences. The irony? In many cases, app and service restrictions are put in place to limit potential overspend — but when allowed to operate in the dark, shadow services can quickly burn through IT budgets.
Specific costs include:
• Duty Duplication — When staff all use their favorite document sharing or collaboration utility, organizations lack centralized data about what tasks have been completed and which are still on the docket. The result? Duplicated work and wage costs that would be better spent elsewhere.
• Limited Efficacy — If IT and staff don’t communicate about apps and services, production invariably suffers when users encounter technical issues. Since they can’t ask for help because their preferred option is flying under the radar, problems are either fixed with slipshod, self-service solutions, or apps are abandoned in favor of new software options, leaving behind unfinished work.
• Spend at Scale — Many popular productivity tools are now available as SaaS solutions that sell user “seats” at scale to organizations. When business units buy their own versions of software without consulting IT, the result is unnecessary overspend on small-group seating; large-scale investments typically scale up to meet corporate demands.
• Long-Term Utility — How long will apps last? IT professionals are often in touch with technology trends — such as the move to remote work applications, two-factor authentication, and on-demand connectivity — allowing them to select products that offer the best long-term value. Circumventing this process comes with a price as services are phased out by newer offerings.
• Audit Issues — When shadow IT outstrips corporate awareness, audit costs can quickly pile up. These may come from vendors concerned that staff are using licenses without permission or may be driven by regulatory bodies evaluating compliance with legislation such as HIPAA or GDPR. Here, hidden services could cost millions in fines or reputational damage.
How can Companies Light Up IT?
While it’s tempting to think of shadow IT as an invariably negative consequence of the expanding technology market, there’s an inherently positive aspect: Staff curiosity about new apps and services means they have a vested interest in being part of corporate IT decision-making.
How can C-suites light up historically dark shadow deployments? Start by changing the conversation. The “traditional” method of IT ticketing and response — of having users wait on IT for days or weeks — is no longer viable. Now, companies must cultivate conversations with staff: What applications do they like? Which are frustrating? What features do they wish were included? And most importantly: What apps are they using now? By separating curiosity from consequence, users are more likely to tell the truth, in turn empowering IT to find secure options that meet employee needs.
Also critical? Fully managed monitoring and reporting. To ensure changes are both cost-effective and help evolve business outcomes, organizations need security information and event management (SIEM) tools that unify real-time network and end-user analytics to deliver improved visibility and help track the positive impact of shadow IT strategies.
ArmorPoint’s full stack detection and response combines cutting-edge data collection with in-depth managed security expertise to help your IT teams discover — and diminish — the dollars you’re spending in the dark.
Ready to shine a light on shadow IT? It’s time to Armor Up.
About ArmorPoint
ArmorPoint is a security information and event management solution that provides a cost-effective and reliable way to continually protect your business from emerging threats. Through its customizable service pricing model, ArmorPoint’s cost-effective packages and dynamic levels of expert management support the security strategies of all companies, regardless of available budget, talent, or time. And since ArmorPoint offers 24/7 security support with a team of dedicated specialists, they can provide you with the manpower you need to expertly manage all of your cybersecurity initiatives. See how ArmorPoint can make a difference in your security posture with a risk-free 30-day free trial.