What is Shadow IT?


17.02.2021 – Dr. Eckhard Herdt

For many employees in companies, access to hardware, software or special web services through official channels is often not fast enough, so they turn to tools that are quickly available. The problem with these quickly available tools is that in many cases they have not yet gone through all the necessary IT security steps or are not supported at all by the company’s central IT department.

If this hardware or software is used anyway, it is called Shadow IT. Appollo Systems has taken a closer look at shadow IT in this article and explains it.

Shadow IT – what is that?

The term Shadow IT refers to systems, processes and organizational units in specialist departments that are not part of the company’s official IT and are usually used without the knowledge of the IT department. This is also the origin of the name Shadow IT.

At the same time, with the trend toward the consumerization of IT and the cloud, the meaning of shadow IT has expanded to include personal technology as well as niche technology, where certain needs in departments are met by external service providers.

What are the risks with Shadow IT?

Shadow IT is always a security risk if the unsupported hardware and software deviate from the security guidelines of the official IT infrastructure. Furthermore, there is always the risk that unapproved systems cause conflicts in existing networks. Another problem lies in complying with regulations. As a result, corporate data can quickly get into circulation.

Shadow IT is a sensitive topic. While some shy away from taking the step to approve Shadow IT for fear of hindering the flow of information within organizations, others say that in today’s environment, adopting Shadow IT is inevitable. A good way to deal with Shadow IT is to implement policies that create control and ensure careful use.

The most frequently used Shadow IT in the area of hardware includes the smartphone, USB devices and tablets.

Why do employees use Shadow IT?

Often the reason for shadow IT is the desire for greater efficiency. An RSA study from 2012 found that around 35% of employees feel that the company’s security policies inhibit their work and that they therefore have to find other ways of working by means of shadow IT.

An example: An employee has found a better application than the one officially allowed. Because he can do his work better with it, he shares it with his co-workers in the department and the number of users grows. In this way, Shadow IT has spread more and more rapidly over the years. Of course, this also has to do with the fact that applications like Slack and Dropbox are finding their way onto employees’ personal devices, as they can now be installed in just a few clicks. When these end devices are integrated into the company’s networks, this is referred to as “Bring Your Own Device (BYOD)”.

What are the challenges of Shadow IT?

IT departments cannot ensure security when Shadow IT is used because they are usually unaware of its presence. Gartner predicts that by 2020, one-third of successful attacks on companies will result from the use of shadow IT. Nevertheless, one thing is clear: Shadow IT will not disappear overnight. Therefore, the better way for organizations to minimize the risk is to implement training and take measures to monitor and manage Shadow IT.

In general, it can be said that shadow IT is not dangerous in itself, but data leaks and security gaps can quickly become a risk factor, and this does not only apply to internal company structures. According to the same RSA study, around 63% of employees send work documents to their personal email to work from home. This allows data to enter networks without the IT department being able to monitor the flow of information. Ultimately, the cost factor must always be considered with dual solutions.

What are the advantages of Shadow IT?

However, Shadow IT does not only have disadvantages. There are also some advantages to be mentioned. In most cases, Shadow IT can lead to quick solutions and significantly increase productivity in just a few minutes. In addition, acceptance increases when employees can choose their own applications.

A distinction should therefore be made between good and bad Shadow IT. A compromise that works well is when the IT department simply has to control the data and user authorizations for the applications. Since employees search for applications themselves, the IT department has more time to take care of its core tasks.

Shadow IT and Low-Code-Tools

Today, Shadow IT is far more common than management thinks it is. Cisco Systems estimates that there are around 15 to 22 times more cloud applications in circulation than are approved by the IT department. Shadow IT usually solves problems in the short term, but usually fails to become established in the long term.

At the same time, low-code tools are becoming increasingly popular. They promise that even non-programmers can develop applications without knowledge of a programming language and thus create business applications on their own. This is a good way to create approved IT and relieve the IT department. But what if developers don’t trust the low-code tools enough and think they can do it better? This causes frustration in the departments and the move to shadow IT is close at hand.

This can certainly become a balancing act, because low-code is an efficient solution for limiting shadow IT. How can this be accomplished?

  1. Gain the trust of the developers

It is important that everyone is on board. It is therefore essential to gain the trust of developers. This works by showing respect for their work and integrating low-code platforms with open API access that are also suitable for advanced developers and that ensure seamless integration into the existing system infrastructure.

  2. Define permissions

Software managers must maintain control to avoid shadow IT. Authorizations should therefore be assigned in a very fine-grained way in access management policies. Many companies tend to go to one of two extremes here. Either they only authorize IT users for changes or they use IT as the highest instance of approval.

  3. Promote collaboration and knowledge sharing

When companies use low-code tools, it is often because they are looking for fast and adaptable solutions. However, this often already fails when different teams in the company come together. Here, it is important to promote collaboration by means of a collaborative platform for developers, users and stakeholders. In this way, users can directly develop working prototypes, which can then be further optimized in collaboration with IT.

  4. Document and reuse

It is important that all departments document their processes and disclose the software they use. Everything that is not documented is unmanageable software. Only with documentation can reusability be ensured and handling be trained. By means of graphical models, such as BPMN, DMN or CMMN, the process and the functionality of the application can be understood on a suitable low-code platform, even without external documentation.

  5. Implement low-code culture

Companies should practice low-code. The more teams are able to master low-code and the more they are encouraged, the less Shadow IT becomes a problem.

Conclusion: Pushing Transformation with Low-Code and without Shadow IT?

The ever faster changes on the markets and the current situation around COVID-19 force companies to react flexibly to developments. Digitalization and the associated digital transformation are inevitable. However, there is a lack of developers who can create new applications for it. Instead of putting quick problem solving in the hands of employees with Shadow IT, awareness around low-code should be raised. Sure, it’s still important to invest in broad-based cloud technologies as well, but manual processes in particular can often be digitized much faster with low-code. Appollo helps you to find practical and direct solutions, completely without Shadow IT. Feel free to contact us!

© 2023 Appollo Systems GmbH