HIT Think

How healthcare IT executives can better control ‘shadow IT’

Register now

Think Shadow IT isn't a big deal? Consider the following.

According to data from Microsoft, more than 80 percent of employees admit to using unapproved SaaS apps for corporate purposes.

Research from Cisco suggests that 15 to 25 times the number of known cloud services are purchased by employees without IT involvement.

These are just two examples of the quiet, but pervasive, existence of shadow IT in enterprises today. Although the name “shadow IT” sounds like something that might appear in an espionage novel, it is very real and very alarming, as we discovered in gathering material in researching a white paper for ISACA, entitled Shadow IT Primer.

The research included interviewing business and technology professionals whose responsibilities include IT operations, audit and security, and who deal with shadow IT on a regular basis. Their insights and real-world examples provide a perspective that is not reflected in other articles on the topic.

Shadow IT can be defined as applications and services that are used within an enterprise without having been reviewed, tested, approved, implemented or secured by the enterprise’s IT or information security function. Or, as one of the professionals interviewed put it: If an IT executive wants to know what specific and timely functionality employees need but which an organization is not currently providing, take a look at the shadow IT that staff are using on their own.

Employees are at the heart of shadow IT; they’re not trying to be sneaky, and they’re well-meaning, innovative employees. They want to do a good job but are hindered by a lack (or lack of awareness) of the tools they need. They are drawn to shadow IT’s usefulness, which they can generally acquire and start using in minutes by skipping the IT department’s vetting process.

This seems fairly innocuous, so why do organizations care about shadow IT? Because those applications can enable significant data breaches, which may result in substantial financial loss. In addition to the obvious security risk, the threats associated with shadow IT include regulatory noncompliance, inadequate or unenforced policies, and reputational damage.

Many organizations have found that a range of approaches to address the risk is more effective than a single solution. A few of the controls used by the professionals contacted to research ISACA‘s publication include:

  • Enacting a shadow IT policy that outlines expected behaviors.
  • Transitioning the IT department from detection and punishment to acceptance and protection.
  • Using IT budgeting and procurement controls to shut down unapproved purchases.
  • Restricting users’ ability to freely install applications.
  • Educating users about the potential risk of shadow IT and the existence of an approval process.

In ISACA’s white paper, these controls, and others, are fleshed out with implementation criteria and assessment methods.

Control does not necessarily equate to elimination of risk. In fact, many organizations are taking an “embrace” rather than “eliminate” approach to shadow IT. Of course, sometimes it is necessary to pull the plug—no matter how beneficial an application may appear, if it shows potential to harm an organization, it must be shut down immediately. The risk is too great to do otherwise.

But, even in an “eliminate” situation, there is room to “embrace” as well. A progressive approach entails realizing that, although a particular application needs to be dismantled, there is benefit in considering the problem the application is attempting to solve and empowering the IT function to find or build a safe and secure replacement—right away.

It is reasonable to assume that every organization has shadow IT, given the ease and relative affordability of acquiring it, coupled with staff’s desire to fill needs or leverage opportunities with minimal delay. Savvy organizations recognize this and mine the potential benefits, while managing the associated risk.

(This post originally appeared on the ISACA blog, which can be viewed here)

For reprint and licensing requests for this article, click here.