When employees use unauthorized applications to get work done, it’s commonly known as “shadow IT.”

Shadow IT is becoming an increasingly pressing issue as the cloud has provided easy access to SaaS tools, many of which are offered as freemium models. IT departments aren’t just finding small pockets of users; they are now finding entire departments or business units leveraging unauthorized applications (a 2017 Gartner report estimates 20 to 50% of organization spending on applications is unknown by IT departments).

Shadow IT invades an organization for multiple reasons. Users may simply be more familiar with another application, or, often, authorized tools aren't providing functionality they need.

These users are just trying to get their jobs done. But while there isn’t malicious intent, shadow IT can have severe consequences for organizations. Since these tools are unauthorized, the data within them is neither secured by IT nor managed according to the industry regulations the organization must follow, meaning data leaks and exposure of sensitive information are just a matter of time.

Organizations have tools and methods at their disposal to help reduce and eliminate shadow IT. However, there is also a way to put an end to shadow IT that respects people's needs for functionality and access to information.

Below we'll explore seven best practices to stop shadow IT in its tracks.

1. Assume you have a Shadow IT issue. Now find out how extensive it is

An easy first step that will not create alarm in your organization is to begin monitoring your network and email traffic for domains of known collaboration platforms. An organization using Office 365 for instance may search for Dropbox, Slack, Box, and other common storage and collaboration tools to find what people may be using.

If it becomes obvious that specific groups of people are using such tools, you may want to start communicating with them to understand why. They may be unaware the tool is unauthorized or they may have business needs authorized tools aren't meeting.
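
One way to run the domain search described in this step, as an added example that is not part of the original article: it matches proxy log hosts against a watchlist and reports which departments have several users on the same tool. The log columns, user names, and watchlist entries are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumed watchlist built from the tools named above; extend it for your environment.
WATCHLIST = {"dropbox.com": "Dropbox", "slack.com": "Slack", "box.com": "Box"}

# Constructed sample proxy log (assumed columns: time,user,department,host,bytes_out).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z,akim,Marketing,www.dropbox.com,48213
2024-03-04T09:13:44Z,bross,Marketing,api.dropbox.com,1200
2024-03-04T09:20:10Z,akim,Marketing,www.dropbox.com,500
2024-03-04T10:02:31Z,cdiaz,Finance,app.box.com,9000
2024-03-04T10:05:02Z,dlee,Finance,mail.inbox.com,300
2024-03-04T11:40:19Z,efox,Engineering,Files.Slack.com,700
2024-03-04T11:41:55Z,gito,Engineering,dropbox.com.example.net,100
2024-03-04T11:45:03Z,hnguyen,Engineering,slack.com,50
"""


def match_tool(host):
    """Return the tool name when host is a watched domain or one of its subdomains."""
    host = host.strip().lower().rstrip(".")
    for domain, tool in WATCHLIST.items():
        # Label-boundary match: "inbox.com" must not count as "box.com".
        if host == domain or host.endswith("." + domain):
            return tool
    return None


def summarize(log_text):
    """Map (department, tool) -> (distinct users, total bytes sent)."""
    users, sent = defaultdict(set), defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _, user, dept, host, bytes_out = row
        tool = match_tool(host)
        if tool:
            users[(dept, tool)].add(user)
            sent[(dept, tool)] += int(bytes_out)
    return {key: (len(users[key]), sent[key]) for key in users}


def groups_to_contact(summary, min_users=2):
    """Department/tool pairs used by several people, i.e. teams worth talking to."""
    return sorted(key for key, (count, _) in summary.items() if count >= min_users)


if __name__ == "__main__":
    for key, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(key, stats)
```

Matching on whole domain labels rather than substrings keeps unrelated hosts such as mail.inbox.com out of the results, so the list you take to a team reflects real usage.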

2. Communicate with organizational leadership to:

a. Inform them which teams are using shadow IT

This should be done in a positive format: you are not tattle-telling, you are doing your job and informing the business of a risk to be mitigated. When communicating with leadership, it’s best to have a few helpful solutions in mind so you’re not just coming to them with problems. However, if any regulations or sensitive information are involved, immediate action may be necessary.

b. Determine where the information currently in unauthorized tools should live within your platform

You will need to come up with a plan to determine where the information shadow IT users have been storing and sharing externally should live within your authorized applications.

In rare cases where the functionality is needed but no currently authorized tools offer equal capabilities, you may decide or be forced to go back to the organization to have additional technology reviewed for authorized use.

This should be avoided if possible as it will add cost and burden to IT’s application management.

c. Begin planning productivity solutions for end users

You will also need to replace the functionality of the unauthorized applications and provide people with as many viable, approved alternatives as possible.

In some cases, people may simply have to go without. However, know that putting in even a little effort to make their lives easier, as well as helping them understand the organizational risk posed by Shadow IT, can make things go much more smoothly.

3. Help people overcome challenges with the current platform through training

If possible, before immediately cutting off access to any shadow IT platforms, help your users by solving as many business use cases as possible through context-based training. Have a plan for rolling out training, and clearly communicate any cutoff dates that will be part of the transition.

4. Offer a feedback channel. Request content be moved into the desired platform

Provide an easy communication path for people to participate and provide feedback. Let them know they can move their compliant/in-policy information into your authorized platforms and that the organization is working to help them try and meet their needs with existing technology.

5. Begin working with people to transition their content

It will be important to run some data discovery process to understand how much data and what kind of information people have been working with in unauthorized platforms that will need to move into your authorized platforms.

Additional tools to scan the content in question may be necessary, but it depends on the kind of work people were doing. After a short analysis you may be able to simply migrate the information into your authorized platform. You'll also want to plan on potentially moving groups of people in phases, and work with stakeholders on how and when this will happen.

6. Move applicable content into appropriate and secure collaboration workspaces

Once you've done some discovery and worked out a transition path with stakeholders, you can then begin the actual migration phase of the project. Using a tool specifically built for cloud migration can make this a simple and rapid process.

7. Set an end date and end network access to shadow IT platforms

Once your data has been moved, to prevent further access to unauthorized tools, you should begin restricting those URLs. If possible, you may want to do this in a phased approach, and ensure your communication channel remains open.

Even with lots of training and restricted URLs, you may find people will still push the boundaries to do what they need.

It can be frustrating, but remember this is typically happening because people don't feel like they're getting what they need from the organization to begin with. Training them how to do what they need to do with existing tools and advocating on their behalf to the organization will show them you're on their side.

Helping them be as productive as possible will make you the IT hero who can save the day from shadow IT!