Shadow IT – the unauthorized acquisition and use of hardware and software – has long been a thorn in the side of IT professionals and, according to research can account for 30-50% of spending in a large enterprise. Growing cloud adoption and the explosion in hybrid working practices are further exacerbating the issue. IT teams already fielding numerous technology requests, are now faced with growing cybersecurity threats, rising costs and reduced tech availability, and many are struggling to respond.
The average IT project backlog is 3-12 months according to Economic Intelligence Unit, and users, it seems, are unwilling to wait for tech. 55% of respondents said business units already do more than IT to procure or develop new applications. In 2022 a hybrid workplace trends report found that 32% were using unapproved collaboration tools.
IT teams must become more agile to reduce the backlog, and more responsive to business needs. They also need to remove the risks posed by shadow IT in the estate today. There is a way, however, to turn those risks into opportunities.
End user education
Start with educating users on the risks of not going through the proper channels to acquire technology, including:
- Security risks: If IT doesn’t know what is being used, it can’t be secured. Data, including end user data, could be exposed. Cybercriminals are creatively finding ways to exploit unprotected devices and software. Shadow IT increases the attack surface, and any data breach can result in a large fine. A report found 54% of companies considered themselves significantly more at risk of a data breach following the explosion in Shadow IT due to COVID.
- Governance risks: The company could be in breach of regulations by not handling data in the correct way, or by underestimating product licenses. You could also lose data altogether if an employee using an unauthorized application or device leaves the company.
Education is just one step. You should also identify any unauthorized hardware and software installed or being accessed by users.
Identifying shadow IT
- Discovery: Leverage endpoint discovery tools to identify unauthorized software installed on devices, and your SaaS management, cloud access discovery broker (CASB) data or other cloud discovery tools to identify what’s being accessed in the cloud. Run network scans to identify unsanctioned hardware connecting (or attempting to connect) to the network
Note: These searches are unlikely to find everything, and network scans can only identify devices accessing the network when the scan is performed.
- Pull in data from other tools to understand information such as who is using a particular application and compare to policy data that provides information about authorized users.
- Survey end users, asking them to confirm or add details about the hardware and software they rely on for business purposes.
- Identify anything not sanctioned by IT from that list, decide what you will support going forward, and take steps to protect those assets.
Turn risk into opportunities!
With this data in hand, you can now use it to reduce risks and potentially reuse technology to meet needs in other areas of the business:
- Right-size software licensing: Are there any opportunities to cut costs using group licenses? Or do you need to purchase more to ensure you aren’t risking fines? Your inventory can inform decision-making here.
- Identify assets to support going forward: Clearly anything you decide to support will need to be properly secured within the IT estate. But are there opportunities to rationalize apps and meet the needs of the business with less cost? Compare new application features and survey teams to identify their needs. By working with them you can define what you support going forward.
- Reuse tech to meet other business units’ needs: By identifying the value of new applications, you can assess them against the needs of other business teams and roll them out to others, both to enhance the user experience and to limit the spread of shadow IT further. Similarly, if there are any unused devices out there (given the exercise to equip employees in 2020, you may have a surplus of machines that either weren’t distributed, were returned when users came back to the office, or are still in the possession of users that have since returned full time to the office), and you are planning an OS update, you may be able to recoup/upgrade it to Windows 11 before redistributing.
Communicate decisions to teams:
- If any users are working on unregistered devices, work with them to either register their device within your BYOD policy or assess their needs for a company device.
- Explain the need for application rationalization and educate teams on the apps you’ll support going forward and how they will meet their needs.
Manual processes create challenges
If addressing shadow IT issues manually, the time and effort it will take will likely increase your project backlog. This is because of the number of disparate tools you use to access data from and the time it takes to aggregate and normalize that data manually. Add time spent pouring over that data, line by line, to identify unsanctioned hardware and software and more time required to survey end users to gain their input, and you’ll fall further behind in meeting the needs of the business. If IT project backlogs get longer, shadow IT will continue to flourish.
Leverage automation to tackle Shadow IT and turn risk into opportunities
For IT to align itself with business needs and reduce project backlog, teams must gain new agility. This can be achieved leveraging a digital platform conductor (DPC), a tool highlighted in four Gartner hype cycles.
A DPC connects to your disparate IT management tools, including endpoint management and SaaS discovery tools, and automates data aggregation and analysis. It then uses that data to trigger automated workflows.. Using a DPC you can gain real agility to tackle Shadow IT and:
- More easily identify unsanctioned hardware and software using a holistic asset inventory updated in real time.
- Augment data provided by discovery tools with other IT estate data. For example, see which users are accessing unsanctioned hardware and software so you can work with them to align with their needs and make decisions on the assets you support going forward.
- Automate end user communications, including education programs and surveys leveraging customizable templates.
- Automate the rollout of security patches, streamline application aggregation, and the process of registering devices to secure hardware and software.
By leveraging a DPC to tackle shadow IT you will not only reduce the cost and risks that shadow IT creates, but you can also refocus your team on other tasks. Use a DPC to cut project backlog, enhance user productivity and the user experience by also becoming more agile in the delivery of new technology.
Book a demo to understand how ReadyWorks, a DPC, can streamline your response to shadow IT and help you turn risks into opportunities.