Use of “shadow IT” – applications, tools, or services that haven’t been approved or secured by an organization’s IT team – has become increasingly common across organizations. But rather than banning the practice, enterprises should find a balance between regulating it and allowing it, an ISACA primer released this week said.
Rounding up figures from various published reports, ISACA, a professional association focused on IT governance issues, found widespread use of shadow IT, with some reports putting it as high as 80 percent of organizations.
But the widespread use of shadow IT – which at times can pose a security risk – mostly stems from good intentions rather than malicious intent, as employees tend to use unapproved technology to accelerate enterprise activities rather than wait through drawn-out vetting processes run by company IT teams, ISACA said.
“[Shadow IT’s] use is often initiated by employees who see a need or an opportunity that is not currently addressed by the existing enterprise systems and who seek to contribute value to the enterprise by filling the need or capitalizing on the opportunity,” ISACA said. “Therefore, taking a stern stance against shadow IT can limit enterprise-innovation potential.”
Use of shadow IT has its dangers, including data loss, exposure of valuable or sensitive information, loss of brand credibility, and unnecessary management costs. While acknowledging those risks, ISACA said that finding ways of controlling and assessing shadow IT is better than banning it, given the positive intentions employees have in adopting it.
Having tools and procedures in place to discover the use of shadow IT is key, ISACA said. Manual methods, such as having IT professionals or internal auditors question employees in order to identify and review shadow IT use, are effective. Also useful are automated tools such as cloud access security brokers (CASBs), which sit as intermediaries between cloud service providers – where many shadow IT applications originate – and customers to ensure secure and compliant use of cloud apps and services.
ISACA also suggested that organizations implement shadow IT policies rather than leaving no guardrails in place. It also favors IT budget controls to curb unnecessary spending on duplicative or stand-alone shadow IT, and IT consolidation to enable – but regulate – shadow IT use.
Creating controls and proactive procedures around user activity involving shadow IT would also be effective, ISACA said. For instance, enterprises could adopt policies that restrict users’ ability to freely install applications. They could also monitor user activity, establish controls that restrict the transfer of documents and data containing sensitive personal or enterprise information, and educate users to raise awareness of threats and risks.
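To make the discovery and monitoring steps above concrete, here is an added example that is not part of the ISACA primer or of this article. It performs the kind of pass a CASB or an internal auditor would automate: it reads web-proxy log lines, skips hosts on IT's sanctioned-app inventory, and for every remaining known SaaS host it counts distinct users and upload volume. The log format, the sanctioned-app inventory, the SaaS catalog and the domain names are all constructed for the example.

```python
"""Discover unsanctioned SaaS use from web-proxy logs (constructed example)."""
import re

# Constructed: applications IT has approved, keyed by the hosts they use.
SANCTIONED_APPS = {
    "mail.example-corp.com": "Corporate mail",
    "drive.approved-cloud.example": "Approved file storage",
}

# Constructed: SaaS hosts a CASB-style catalog would recognise, with a category.
SAAS_CATALOG = {
    "freeshare.example": "file sharing",
    "quicknotes.example": "note taking",
    "chatnow.example": "messaging",
}

# HTTP methods that carry data out of the enterprise.
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed log format: "<timestamp> <user> <method> <host> <bytes>".
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)

# Constructed sample: one sanctioned app, two unsanctioned SaaS hosts, one bad line.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice GET drive.approved-cloud.example 20480
2024-05-01T09:02:11Z bob POST freeshare.example 5242880
2024-05-01T09:05:42Z alice PUT freeshare.example 10485760
2024-05-01T09:07:03Z carol GET quicknotes.example 1024
2024-05-01T09:09:55Z bob GET mail.example-corp.com 4096
2024-05-01T09:12:30Z dave POST freeshare.example 2097152
malformed line that should be skipped
"""


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not fit the format."""
    m = LOG_PATTERN.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "user": m["user"],
        "method": m["method"],
        "host": m["host"].lower(),
        "bytes": int(m["bytes"]),
    }


def discover_shadow_it(log_text, sanctioned=SANCTIONED_APPS, catalog=SAAS_CATALOG):
    """Return per-host findings for SaaS hosts that are not on the sanctioned list."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] in sanctioned:
            continue  # unparsable, or an app IT already approved
        if rec["host"] not in catalog:
            continue  # not a host the SaaS catalog recognises
        f = findings.setdefault(
            rec["host"],
            {"category": catalog[rec["host"]], "users": set(), "requests": 0, "upload_bytes": 0},
        )
        f["users"].add(rec["user"])
        f["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            f["upload_bytes"] += rec["bytes"]
    return findings


def rank_findings(findings, upload_threshold=1_000_000):
    """Order findings by breadth of adoption, then by data leaving the enterprise.

    Many distinct users suggests an unmet need worth assessing rather than
    simply blocking; heavy uploads raise the review priority because of the
    data-exposure risk.
    """
    rows = []
    for host, f in findings.items():
        rows.append({
            "host": host,
            "category": f["category"],
            "user_count": len(f["users"]),
            "requests": f["requests"],
            "upload_bytes": f["upload_bytes"],
            "review_priority": "high" if f["upload_bytes"] >= upload_threshold else "normal",
        })
    rows.sort(key=lambda r: (-r["user_count"], -r["upload_bytes"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in rank_findings(discover_shadow_it(SAMPLE_LOG)):
        print(f"{row['host']:<22} {row['category']:<13} users={row['user_count']} "
              f"uploads={row['upload_bytes']}B priority={row['review_priority']}")
```

In practice the log text would come from a proxy, DNS or CASB export rather than an inline string, and the sanctioned list from the asset inventory. Ranking by distinct users rather than by raw request count keeps the output aligned with the primer's balance: a host three people upload to is both a data-exposure finding and a signal that the approved tooling may be missing something.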
“To be successful in managing shadow IT, enterprises must find a balance,” ISACA said. “It is important to protect the enterprise by removing any technologies that threaten harm. At the same time, enterprises should explore new technologies, determine whether they fill a legitimate need with minimal risk and, if so, embrace their benefits.”