The Trial of Shadow IT

A necessity to get the job done or an unacceptable IT security threat? You decide.

Technology on trial

Shadow IT is the practice of using technology within a business without the knowledge or approval of the IT function. This includes anything from a single employee using a low cost app, to an entire department like Project Management adopting a cloud software application to support its Line of Business (LoB).

For some, this is an acceptable practice and a necessity to achieve the business objectives at hand. For others, it is wholly unacceptable and poses a serious threat to the organisation.

To help firms and organisations better understand the issues and take control, in this guide we explore the issues and examine the evidence by putting Shadow IT on trial.

Background to the case

Shadow IT has been with us for a long time. However, the nature of it has changed as computer-based technology has become more ‘consumerised’. Previously, it was a practice restricted to more technically minded workers.

Today’s computer technologies have never been easier to use, and the need for technical knowledge and aptitude has been pushed aside somewhat. Now, even those who have only basic computer literacy are able to practise Shadow IT.

The conditions for the widespread growth of Shadow IT can be put down to a number of factors:

  • The speed at which new technologies come to market means business IT is often behind the curve and unable to keep in step with the latest advances
  • The trend for Bring Your Own Device (BYOD) has empowered employees to make their own choices about the mobile hardware and software they use for business purposes
  • The cloud, to which many, many apps connect, has created an easy route for employees and entire departments to bypass internal IT policies, resources and safeguards
  • Employees are under pressure to hit deadlines, achieve targets and deliver results to support the business objectives of the company

The case for the prosecution

For the IT function, the real problem with Shadow IT is that it puts business data into the cloud in an uncontrolled manner, without IT's knowledge.

Some examples of Shadow IT that are frequently encountered include:

  • USB flash drives or other portable data storage devices
  • MSN Messenger or similar online messaging software
  • Gmail or other online e-mail services
  • Google Docs and Microsoft OneDrive or other online document sharing
  • Skype or other online VoIP software
  • User-developed automation such as Access databases, Excel spreadsheets and macros

Data held in the cloud by these services is not governed by company policies. Essentially, data is ‘out there somewhere’ and the organisation does not know who has access to it, or the sovereignty attached to the data centres where it is stored.

It is not just the IT department that has a problem with Shadow IT; the entire organisation may be compromised. Commercially sensitive IP, which may represent unique and significant competitive advantage, could be misused. Personally Identifiable Information (PII) could be used for identity theft, hacking and fraud.

For regulated businesses this is very likely to constitute a compliance failure. Examples of regulatory codes that Shadow IT is likely to breach include:

  • FCA (Financial Conduct Authority Code of Conduct)
  • GAAP (Generally Accepted Accounting Principles)
  • ITIL (Information Technology Infrastructure Library)
  • PCI DSS (Payment Card Industry Data Security Standard)

The case for the defence

The reason Shadow IT is so popular amongst non-IT workers is that it is an enabler of productivity. It is widely used to fill in for perceived gaps in the technology tools centrally managed and deployed by the business for performing specific tasks and collaboration.

In a jobs market which is characterised by insecurity and with high competition for well paid jobs, anything that helps workers acquire a performance edge is an attractive proposition.

Employees are under pressure to hit deadlines, achieve targets and deliver results that support the case for their continuing employment. The desire to be seen to be a good performer who helps the business achieve its objectives is strong.

In such circumstances, many find it difficult to resist the lure of Shadow IT, even though they suspect or know that it is in contravention of company policy. Consequently, many seek out alternative software and devices that help them perform or improve productivity.

To practitioners of Shadow IT, it seems harmless. The response of the IT team is viewed as something of an over-reaction, because it threatens IT jobs and equates to a major assault on the ‘empire building’ mindset of IT departments that exists in many businesses.

Historically, the relationship between IT and the wider organisation has been characterised as an ‘us and them’ situation. The negative response by the technology function to discovering the use of Shadow IT is often interpreted as an extension of this.


Summing up

In summing up the case for the prosecution, Shadow IT is something of a villain. It is a highly questionable practice which leads to business data leaking into the cloud in an uncontrolled way, creating unacceptable risks for firms.

Summing up the case for the defence, Shadow IT has a heroic value in helping individuals and departments to be more productive and efficient, likely helping the business to better performance.

The verdict

The jury goes out but not for long…

In a straight weighing of the potential threat against the benefit of Shadow IT, it seems clear that uncontrolled data leakage poses a serious risk with unknowable consequences.

Any net gain in performance resulting from Shadow IT is likely to be short-lived and limited in scope to the individuals or department in question. It is unlikely to be of mid- to long-term strategic value because it cannot be translated to the rest of the business.

Once data is misused, there is a good chance that any benefit will be wiped out by the impact and ensuing fallout. For all organisations, steps should be taken to identify and shut down uncontrolled data leaks. In regulated firms, for which uncontrolled data leakage constitutes a compliance failure, measures should be taken to ensure the organisation is in control.


If you are affected by the issues of Shadow IT, talk to HTL Support

HTL provides a range of services to support the use of technology in today’s businesses. Whether it is infrastructure and user support, internet connectivity or voice communications, we provide a high degree of personalised service. We are very proud to be able to say that we offer impartial advice because we are independent of suppliers, vendors and manufacturers. Ultimately this enables clients to obtain more value from business technology.

If you are affected by any of the issues raised by The Trial of Shadow IT, HTL Support services include cloud solutions which enable the problem to be tackled. For many businesses, the benefits of our solutions extend far beyond preventing the uncontrolled leakage of business data into the cloud.


About HTL Support

HTL Support was initially founded in 2009 by Managing Director Justin Dean, to provide specialist IT support and IT consultancy services to financial services sector clients. Since its launch, HTL has rapidly evolved to offer a full range of cutting-edge, integrated and flexible products and services to a worldwide client base across all industries. Our experience and professionalism have been endorsed both by our clients and by many of the world's leading hardware and software manufacturers.

All companies need to know that their IT support provider is not going to let them down when it comes to important projects. We will always find the right solution and are equally happy either functioning as project managers for your internal IT department or providing an experienced team to work under your own IT Director or project leader.

