Connecting Shadow IT, Security and Innovation

eWEEK DATA POINTS: While shadow IT isn’t a new phenomenon, it has definitely grown more complex and more difficult to manage since the pandemic forced organizations to quickly adopt new work-from-home policies.


Shadow IT continues to spread like a virus in organizations across the globe, and COVID-19 has only made it more challenging to track and eradicate. 

Shadow IT, sometimes known as stealth IT, refers to systems and devices deployed by employees without the approval or knowledge of the IT department. While shadow IT isn’t a new phenomenon, it has definitely grown more complex and more difficult to manage since the pandemic forced organizations to quickly adopt new work-from-home policies. The fluctuating work environment has exacerbated the shadow IT problem, because many employees are using personal apps and devices to get work done faster and more efficiently than they can with company-provided IT tools. 

While companies still face a variety of security challenges, Shadow IT is still very much a threat to data privacy and security, and without strict policies in place, it can go unchecked. In fact, the McAfee Labs Threats Report: November 2020, found that over the course of the second quarter of 2020, McAfee’s global network of more than 1 billion sensors observed a 605% increase in COVID-19-related attacks, compared to Q1. As corporate IT teams contend with a growing threat landscape, making sure employees are following company security policies–which is especially important in highly regulated industries such as finance, health care and life sciences–is critical for ensuring a holistic approach to data security.

In this eWEEK Data Points article, Stéphane Donzé, CEO of AODocs, presents the case for managing Shadow IT in a manner that does not create additional security risks or overwhelm IT staff, while simultaneously embracing newer cloud-based applications to drive innovation.

Data Point No. 1: Avoid ‘internal workarounds’ by adopting applications people are familiar with and like. 

It should raise red flags when employees start using their personal devices and favorite apps during the workday. However, with so many companies still employing a WFH policy, the effort to constantly monitor app usage via employee monitoring systems can be intrusive and can backfire. These workarounds also present a great opportunity for organizations to capitalize on this trend to innovate. 

Companies that embrace modern cloud-native tools that many employees are already familiar with, such as Slack and G Suite, can complement internal IT to empower employees with the team collaboration tools they know and love to use. Rather than trying to shut down these “rogue” apps and devices, executives and IT decision-makers may want to consider embracing the value that cloud-based collaboration tools can bring to the workplace. The key is to establish security policies and robust controls that will protect sensitive content and meet data privacy regulations and compliance mandates while empowering workers with superior capabilities and services.

Data Point No. 2: Leverage the innovation of consumer products.  

Many of the cloud applications and tools we currently use for work got their start in the consumer market. Consider the likes of Gmail, Google Maps, smartphones and even file-sharing systems like Dropbox, which are now ubiquitous and invaluable in both our personal lives and in the office. Enterprise software tools are no match for consumer tech from both an innovation and ease of use standpoint, and because of this, Google Drive and similar tools provide a much better user experience and performance than legacy enterprise systems and applications. 

When teams are able to use these more agile, cloud-native applications to manage their documents, meetings and communications more efficiently, they’re able to spend more time working on tasks of higher strategic importance. In addition, enabling smooth and seamless collaboration has proven to be a positive catalyst for change–it’s just a matter of monitoring and controlling these applications.

Data Point No. 3: Update security policies that address Shadow IT and WFH.

Companies must stay on top of the increased threat landscape by updating security policies to address what will be our new normal for some time to come. Until now, IT and executive leadership teams have mainly focused on external threats, however, unsuspecting employees are growing hacker targets. Conducting regular company-wide training initiatives should include best practices on using unauthorized devices and applications, avoiding suspicious links and email phishing, and protocols for reporting security threats. Ironically, some apps used by employees that would fall into the category of Shadow IT are quite secure (but many are not). 

Large public cloud providers, such as Google and Amazon, employ dedicated vulnerability management, malware prevention and monitoring teams to ensure they can provide as highly secure platform businesses. Google also utilizes multiple antivirus engines in Gmail and Drive as well as on their servers and workstations to help identify malware that may have been missed by other antivirus programs. If the applications employees introduce are already secured in the cloud, IT departments can spend more time on patching and maintaining software/systems and ensuring remote teams get the help desk support they need to remain productive.

Data Point No. 4: Adopt a “data first” culture by enabling the free flow of content between employees. 

Once IT teams are able to manage the growing Shadow IT threat, organizations are better positioned to focus on a “data-first” company culture. Secure, cloud-based collaboration is revolutionizing digital workspaces and completely changing how employees collaborate on content internally as well as outside of the organization. Gone are the days of managing multiple versions of files for tracking and reconciling input from multiple content contributors. The new digital workplace enables workers to enforce security and control when collaborating on documents, regardless of who the contributors are. This new data first culture will result in better version control, security and ability to meet compliance mandates because only one copy of each document exists, resulting in far fewer data silos, which are the nexus of information chaos.  

If you have a suggestion for an eWEEK Data Points article, email [email protected].