
How to investigate, identify and eradicate shadow IT


Shadow IT is an ever-growing trend and one that can have a very real impact on a company's data and reputation, departmental spend and efficiency, and even its position as an IT leader.

Employees increasingly want access to 'any service, from any device, at any time and from any location'. This typically results in staff procuring their own ungoverned and unauthorised IT services, including storage solutions that let them upload sensitive company documents in order to work from home or share files with colleagues and clients.

A lack of complete governance over company data is a risk that can result in security problems, data loss, compliance breaches, accounting and tax complications, support problems or infringements of privacy rights.

It can also mean unpredictable costs, over-spending and even duplicate spending. Multiple studies have shown that as much as a third of all IT spending takes place outside the IT department (TechRepublic, Network World & Enterprise CIO Forum).

Although the impact that consumerisation of IT can have in the corporate context cannot be completely stopped, it can be managed and controlled. These are some top tips on how to get ahead of the very real headache that is shadow IT:

1.    Where to start – admit that you have a problem

You should have data points that demonstrate you have a problem and what factors are contributing to it. You should have some business intelligence around why you have a shadow IT problem and its potential scope and scale – this will all help in solving the problem. The first thing to understand is the drivers for your current situation, whether it is cost or lack of controls leading to too much user-level flexibility.

2.    Investigate the situation

Commission a full audit to understand where your risks are and where costs are being incurred. Without knowing the full picture, you cannot start identifying the problems and their solutions. So once you believe that shadow IT exists within the organisation, the first step is to understand its nature and scale. This will enable you to focus your efforts in the most efficient manner to regain control. Typically, the business intelligence is already available to you, be that in the form of expense claims made by staff for cloud services paid by credit card, purchase orders raised through the procurement system to IT service providers, or requests to support new software or devices that were not raised by the IT department. To find other sources, think about what form the shadow IT might be taking, and ask your employees to help identify any additional IT systems they are using, such as Amazon, Dropbox, RightScale or SFDC (if it is not the corporate CRM system).
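As an added illustration of the audit step above (example code, not from the article or from ControlCircle), the script below scans constructed expense-claim and purchase-order rows for the cloud vendors the article names and aggregates spend, distinct users and data sources per department and service. The vendor patterns, CSV columns and sample rows are all assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of the finance data the article says is usually already
# on hand: credit-card expense claims and purchase orders, one row per line.
SAMPLE_RECORDS = """source,department,claimant,vendor,description,amount
expense,Marketing,a.smith,Dropbox,"Dropbox Pro monthly",9.99
expense,Sales,j.doe,SFDC,"Salesforce seats x3",225.00
purchase_order,Engineering,r.lee,Amazon Web Services,"AWS usage - March",1432.10
expense,Engineering,m.chan,RightScale,"RightScale cloud mgmt",199.00
expense,Finance,k.patel,Stationery Co,"Printer paper",42.50
expense,Marketing,b.jones,Dropbox,"Dropbox team plan",15.00
"""

# Vendors the article names as typical shadow IT, plus common aliases.
# Assumed list; extend it with whatever your own audit turns up.
SHADOW_IT_PATTERNS = {
    "Amazon": re.compile(r"\b(amazon|aws)\b", re.I),
    "Dropbox": re.compile(r"\bdropbox\b", re.I),
    "RightScale": re.compile(r"\brightscale\b", re.I),
    "SFDC": re.compile(r"\b(sfdc|salesforce)\b", re.I),
}

def classify(record):
    """Return the shadow IT service a record matches, or None if it matches nothing."""
    text = f"{record['vendor']} {record['description']}"
    for name, pattern in SHADOW_IT_PATTERNS.items():
        if pattern.search(text):
            return name
    return None

def audit(csv_text):
    """Aggregate spend, distinct users and data sources per (department, service)."""
    findings = defaultdict(lambda: {"spend": 0.0, "users": set(), "sources": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        service = classify(row)
        if service is None:
            continue  # ordinary spend, not a cloud service we track
        entry = findings[(row["department"], service)]
        entry["spend"] += float(row["amount"])
        entry["users"].add(row["claimant"])
        entry["sources"].add(row["source"])
    return findings

if __name__ == "__main__":
    for (dept, service), f in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{dept:12} {service:10} {f['spend']:9.2f} {len(f['users'])} user(s) via {', '.join(sorted(f['sources']))}")
```

Pointing the same matcher at support-desk tickets (the third source the article mentions) only needs a different set of column names.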

3.    Identify the reasons behind the problems

Understand the nature of the shadow and why it is present. Harvesting this information gives you insight into the financial scale, nature and source of the problem. From this foundation, you can then set about understanding the business drivers for your current situation - why there are particular shadow IT needs and what the alternative solutions are - provided that the existing corporate solution does not support the need. Once you have established this, you can decide which solutions will resolve the problems and what you are going to offer as an alternative to support the business drivers and user requirements. Most importantly in this stage, accept that requirements exist that corporate IT is not addressing effectively. This perspective will help you to understand the business rationale for going outside of the corporate IT governance model and the delivery gaps within the corporate IT function.

4.    Eradicate the shadow – which route to take?

Once you know the causes of the problems, you can start to resolve them. You also need to decide on the best way to tackle the problems - there are several routes you can take:

·       Ban it - however, this can be unrealistic and cause a drop in motivation and efficiency levels

·       Provide a 'corporate' alternative - provide a storage platform that's secure, compliant and private

·       Accept it - but build a corporate procurement relationship and rules for usage.

5.    Implementing the changes

Now that you know how you are going to solve the problem, you need to deliver the solution. One of the big questions should be, 'who is going to deliver the changes?' As communication was probably key to the problems in the first place, teamwork is certainly going to be vital in overcoming them. A governance structure should be established, involving representatives from the compliance, finance and IT departments. It might also be an advantage to have a stakeholder from each of the other divisions – this should guarantee that employees continue to collaborate with the IT department and fully understand the necessity of the changes.

6.    Moving forward – communicate and educate

Depending on your approach to the problems, different levels of communication and training for your employees will be required. The new approaches and procedures will need to be communicated – including the advantages and disadvantages and the long term consequences. All users will not only need to be informed of the changes, but re-educated and trained in how to adopt them into their everyday working life.

7.    Long term success – manage and evaluate

Your action plan may have solved the problem in the short term, but it is important to make sure that the compliance practices continue and that the company's efforts to effect change were not in vain. It isn't always easy for people to change the way they work, and they may now have to wait longer for IT support. However, there are ways to monitor this - use the team that delivered the solutions as your central hub of control, combined with continuous evaluation and broader engagement with the business and management through user groups and satisfaction surveys. It is also essential to look out for any new problems that may emerge - only then can you hope to keep shadow IT at bay.

Tim Cox is CTO at ControlCircle
