The Pros and Cons of Shadow IT

In my last blog, I discussed Shadow IT and why it exists. But the question I’m posing today is whether Shadow IT is a good thing or bad thing. Back in 2016, Gartner predicted that by 2020 one third of successful attacks experienced by enterprises will be on their Shadow IT resources. Now in May 2019 and less than a year away from 2020, let’s take a look at the pros and cons of Shadow IT. 

The Benefits of Shadow IT 

‘Benefits’ is probably the wrong term to use when describing Shadow IT, as the upsides are few and far between. Immediacy is the major advantage – Shadow IT doesn’t make staff wait, it doesn’t restrict them or make them jump through hoops. Staff can simply get on with their current activity, rapidly and unhindered. This immediacy is like a drug addiction, it gives a rush of faux productivity, that masks the medium/long term impact. Content becomes siloed, knowledge not shared, processes not followed, and content not effectively managed or retained.  

The other perceived benefit is flexibility. Shadow IT offers the allure of being able to achieve more than can be undertaken with corporate software. This is of course a misconception, or at least should be, your IT team should be able to offer software that is versatile, rich, but yet still governed and corporately controlled. 

The Cons of Shadow IT 

While most are conscious of the need to keep information protected, security is rarely planned and sufficiently configured within Shadow IT systems. Often the information stored within Shadow IT isn’t secured at all, being easily accessed by anyone outside of the organisation.  Even when protections are in place, Shadow IT often allows corporate content to be shared with people outside of the organisation, potentially leading to embarrassing, or even damaging, information breaches. 

Rarely are controls in place across Shadow IT systems to change permissions as the user changes their role; leave the organisation or change departments and the chances are you will still have access to all of Shadow IT content from your previous role. 

If an organisation doesn’t know where its content is, how can it comply with regulatory legislation? Any organisation that allows a culture of Shadow IT cannot possibly know what information they have, where it is stored and who has access to it. How could a Subject Access Request possibly be fulfilled? With serious fines in place for compliance breaches, failing to clamp down on Shadow IT will likely prove very costly. 

The next issue presented by Shadow IT is that is erodes corporate knowledge sharing. With multiple systems and limited consistency, each member of staff is only seeing parts of the information picture. If your information is scattered across multiple disconnected applications, how can a member of staff effectively find the information they are looking for. While it’s not immediately apparent, Shadow IT effectively obscures significant portions of an organisation’s information, leading to hidden information silos, inconsistency, and duplication of effort.  

Essentially, the effects of Shadow IT can be critical for businesses. There’s always a risk of information getting into the wrong hands or being shared publicly. As an example, the new policies around GDPR made businesses change their ways last year in the way in which personal information was stored. What if personal information was accessed and leaked and policies were breached? 

Downloading software and resources without going through a formal process can also result in malware, security threats, viruses and potential attacks. 

The Conclusion 

All in all, there is no ‘real’ advantage in allowing Shadow IT to flourish – we’d recommend all organsiations taking steps to identify and limit it’s spread. 

Download our “6 Ways to Overcome Shadow IT” guide to find out how you can reduce the risk of security breaches.