We received a call from a client last week. Apparently, one of their employees had been sending emails to customers — several hundred at a time — using Outlook mail merge, a feature that allows a user to automate the sending of personalized emails to a list of recipients.
The feature works just fine, but it’s not intended to be used at that level of volume by an individual email account. Microsoft detected the excessive activity and shut the user down.
Interestingly, the employee was unaware their company has an active MailChimp account, a third-party service whose purpose is to do exactly what they had been doing with Outlook.
What Is “Shadow IT”?
We encounter this kind of thing regularly. A company enters a relationship with a vendor or approves a particular tool for internal use. But, for various reasons, an employee goes around what has been officially approved and attempts to solve the problem or manage the process in a different way.
This so-called Shadow IT manifests in any number of ways, including the use of free cloud services to store sensitive data, the use of personal cell phones to conduct company business, and payment for duplicative vendor services.
As to why it happens, sometimes employees prefer a service or technology that’s different from what the company has approved. Other times, as in the example above, the employee is simply unaware a better solution exists as part of an established vendor relationship.
Whatever the reason, Shadow IT is potentially quite harmful:
- Security Risks. Unapproved apps or devices may not have the same security protections as company-approved tools. This can make sensitive company (and customer) data vulnerable to hackers, malware, or leaks.
- Data Loss. If important files are stored on personal devices or unauthorized cloud services, the company may lose access to them if an employee leaves or a device is lost. Without proper backups, critical information could be permanently deleted.
- Compliance Violations. Many industries (e.g., health care, financial) have strict rules regarding how data is stored and protected. Unapproved technology can lead to fines, legal difficulties, or reputational damage.
- IT Support Challenges. The IT department (or outside firms like SMR) can’t prevent or fix problems with tools they don’t know about or control.
- Productivity Loss. A lack of uniformity across tools leads to scattered, non-standardized information. That makes collaboration harder and can lead to errors and confusion.
- Unnecessary Cost. If different parts of the company are utilizing duplicative services, the company may be paying more than necessary for a given functionality.
How to Prevent Shadow IT
Those are the problems with Shadow IT. Here are some recommendations for reducing its occurrence…
#1. Conduct Periodic Audits
The first step in reducing Shadow IT is to uncover where and when it’s happening. Fortunately, a great deal of detection can be done using IT tools you probably already have in place for other functions.
These include things like:
- Network Traffic Monitoring and Firewalls. Tracking internet activity to see which cloud services, apps, or web sites are being visited.
- SaaS Security Posture Management. Tools that detect cloud-based applications, enforce security policies, and block risky services.
- Endpoint Detection Software. Software installed on company devices that tracks which applications are being used.
These tools and others like them can alert your IT department to unauthorized activity.
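One way to run the network-traffic check described above, as an added example that is not part of the original article: a short Python script that reads a proxy log and reports services that duplicate an approved tool. The log format, the `.example` domains, the user names, and the two lookup tables are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: sanctioned services per business function (MailChimp is from the article).
APPROVED = {"email_marketing": {"mailchimp.com"}, "file_storage": {"corpdrive.example"}}

# Assumption: hand-maintained catalogue mapping SaaS domains to the function they serve.
CATALOGUE = {
    "mailchimp.com": "email_marketing",
    "bulkmailer.example": "email_marketing",
    "corpdrive.example": "file_storage",
    "freefiles.example": "file_storage",
}

# Constructed sample proxy log, one request per line: timestamp user host bytes_uploaded
SAMPLE_LOG = """\
2025-03-03T09:14:02Z jsmith app.bulkmailer.example 18230
2025-03-03T09:14:40Z jsmith app.bulkmailer.example 20411
2025-03-03T09:20:11Z adoe us1.admin.mailchimp.com 9120
2025-03-03T10:02:57Z bchan upload.freefiles.example 48211934
2025-03-03T10:05:00Z bchan intranet.corp.example 512
malformed line
"""

def classify(host):
    """Return (catalogue_domain, function) for a host, or None if it is not catalogued."""
    host = host.lower().rstrip(".")
    for domain, function in CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return domain, function
    return None

def audit(log_text):
    """Summarise requests to catalogued but unapproved services per (user, domain)."""
    totals = defaultdict(lambda: [0, 0])  # (user, domain) -> [requests, bytes uploaded]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not match the expected format
        _, user, host, sent = parts
        hit = classify(host)
        if hit is None or hit[0] in APPROVED.get(hit[1], ()):
            continue  # uncatalogued host or sanctioned service
        totals[(user, hit[0])][0] += 1
        totals[(user, hit[0])][1] += int(sent)
    return [{"user": u, "domain": d, "function": CATALOGUE[d], "requests": n,
             "bytes_uploaded": b, "use_instead": sorted(APPROVED.get(CATALOGUE[d], ()))}
            for (u, d), (n, b) in sorted(totals.items())]

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Each finding names the approved service for the same function, so the follow-up can point the employee to the tool the company already pays for.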
And, since much of Shadow IT occurs as a result of employee unawareness, not intentional wrongdoing, periodically surveying employees to ask which tools, apps, and web sites they are using can uncover much of what is going on.
#2. Share Information Broadly
Employees may be unaware of the security risks and other negative aspects of Shadow IT. They may even think they are saving the company money by relying on free services for certain functions. Periodic training sessions — and vigorous enforcement of company policy — can ensure everyone knows the importance of using only company-approved tools.
Further, employees should be kept informed regarding which tools and vendors are available to use. That can both reduce the likelihood of overlapping vendor accounts and help employees become familiar with tools and functionality they may not have realized even existed.
#3. Provide High-Quality Tools
Employees may turn to Shadow IT because the officially sanctioned tools are too slow, too cumbersome, or too ineffective. By offering valuable, easy-to-use tools and providing training on their use, you remove much of the incentive for employee workarounds.
Shadow IT Takes a Toll
The use of unauthorized tools and vendors can lead to significant, even existential, problems for a company. It’s potentially serious and needs to be managed.
But even absent some type of visible, catastrophic incident, Shadow IT can result in the ongoing “leakage” of productivity, profitability, and effectiveness over a period of months or years.
Take steps now to reduce its occurrence inside your business.