Back in the early 2000s, I was working as a consultant to a large tech company. Wifi was just getting fun and Apple had recently released their Airport wifi routers. The small Windows network was being run on BackOffice and the Macs…well, it was all hands-on, all the time. We were just starting to work with Remote Desktop but, really, nothing was being managed except the Unix environment (which was really just a glorified thin network anyhow).
And, while we noped out of wifi in the office, what we discovered was that there were pockets of Apple-loving users throughout the company who were stashing Airports in their desk drawers so they could have wifi <for whatever reason>.
They were Shadow IT before Shadow IT was Shadow IT.
We have all encountered those folks – the rulebreakers, the rebels, the ones who “know” more about security than the IT Admins. What happens when they start making life difficult for the MSP or the IT Administrator? How do we stop them from installing their own apps or circumventing your network controls? How do we keep our data and networks secure without being jerks? And where do we draw the line between being diligent, and being a cruel dictator?
The Dangers of Shadow IT
While they risk their own personal data, shadow operators put the business at risk. They cost the company money, they interfere with security efforts, they cause increased network traffic, they increase the workload of the IT Administrators, and they risk corporate data.
I’m reminded of an ex-client (you’ll hear why) who lost an employee. But before that employee left, he dumped all the important information into his personal Dropbox account and then, of course, deleted the Dropbox account from the company computer. As many times as I would try to shore them up with a Box account, where they could have more granular control and reporting, the client didn’t want restrictions on their employees… they would “never” hire someone untrustworthy (you heard the eyeroll there, right?). I’m not one to argue with a client, but neither am I going to leave myself open to accusations of negligence when the problem is Shadow IT.
Shadow IT is problematic. But as IT Admins, we often let it slide because we don’t see it as really harmful (we should, though). As an MSP, it could cause us to suffer real losses. Your job, though, as an IT professional, is to make sure your gold is in Fort Knox, and everyone understands why.
Protect the Network and Data
Your network and data (including your cloud resources and servers) are the gold for your company. You have to protect those - even if it makes users unhappy. So regularly scan for rogue equipment and weird network behavior. Keep a perfect inventory of network hardware and software. Create lists of permitted applications and use your policies to contain behavior. Don’t let users be admins. Keep your user and device lists clean and your company secure by offboarding immediately and completely.
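The three checks above (rogue equipment against the inventory, users who are local admins when they shouldn't be, and accounts that survived offboarding) are easy to script once you have exports to compare. The following is an added example, not code from the original post: it reconciles a constructed DHCP lease export against a hand-maintained inventory, then checks a local-admin group and an account list the same way. The file formats, device names and MAC addresses are all made up for the example; in practice you would feed it whatever your DHCP server, directory and endpoint-management tool export.

```python
"""Reconcile observed devices and accounts against what IT has approved.

Added example (hypothetical data and formats, not the post's own code).
Assumed inputs:
  - a DHCP lease export with one "ip,mac,hostname" record per line
  - an inventory mapping MAC address -> asset name
  - the members of the local Administrators group, and the approved admins
  - currently enabled accounts, and the current staff roster
"""
import re
from typing import Dict, List, Set

# --- constructed sample data ------------------------------------------------
INVENTORY: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "laptop-finance-01",
    "aa:bb:cc:00:00:02": "laptop-sales-03",
    "aa:bb:cc:00:00:03": "printer-2f",      # inventoried but not on the network today
}

DHCP_LEASES = """
# ip,mac,hostname  (constructed export; MAC formatting is deliberately mixed)
10.0.1.10,AA-BB-CC-00-00-01,laptop-finance-01
10.0.1.11,aa:bb:cc:00:00:02,laptop-sales-03
10.0.1.40,de:ad:be:ef:00:01,airport-desk-drawer
10.0.1.41,DEAD.BEEF.0002,android-xyz
"""

LOCAL_ADMINS: Set[str] = {"Administrator", "itadmin", "jsmith"}
APPROVED_ADMINS: Set[str] = {"administrator", "itadmin"}

ENABLED_ACCOUNTS: Set[str] = {"jsmith", "mjones", "itadmin"}
CURRENT_STAFF: Set[str] = {"mjones", "itadmin"}


# --- helpers -----------------------------------------------------------------
def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, AA:BB:..., or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff.

    Different tools export MACs differently, so comparing raw strings
    silently misses devices; normalizing first avoids that.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Parse the constructed 'ip,mac,hostname' export, skipping blanks and comments."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, hostname = (field.strip() for field in line.split(",", 2))
        leases.append({"ip": ip, "mac": normalize_mac(mac), "hostname": hostname})
    return leases


# --- the three checks --------------------------------------------------------
def find_rogue_devices(leases: List[Dict[str, str]], inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """Devices holding a lease whose MAC is not in the inventory."""
    known = {normalize_mac(m) for m in inventory}
    return [lease for lease in leases if lease["mac"] not in known]


def find_unexpected_admins(members: Set[str], approved: Set[str]) -> Set[str]:
    """Local admin group members who are not on the approved list (case-insensitive)."""
    approved_lower = {name.lower() for name in approved}
    return {name for name in members if name.lower() not in approved_lower}


def find_stale_accounts(enabled: Set[str], staff: Set[str]) -> Set[str]:
    """Enabled accounts with no matching current employee: offboarding that was not completed."""
    return {acct for acct in enabled if acct.lower() not in {s.lower() for s in staff}}


if __name__ == "__main__":
    for dev in find_rogue_devices(parse_leases(DHCP_LEASES), INVENTORY):
        print(f"ROGUE DEVICE  {dev['ip']:<12} {dev['mac']}  {dev['hostname']}")
    for name in sorted(find_unexpected_admins(LOCAL_ADMINS, APPROVED_ADMINS)):
        print(f"UNAPPROVED ADMIN  {name}")
    for acct in sorted(find_stale_accounts(ENABLED_ACCOUNTS, CURRENT_STAFF)):
        print(f"STALE ACCOUNT  {acct}")
```

Run on a schedule, this turns "regularly scan" into a report you can act on: two leases in the sample belong to nothing in the inventory (one of them the drawer Airport from the story), one user is a local admin without approval, and one account outlived its owner's employment. The inventory only helps if it is kept current, which is why the device that is inventoried but absent is not treated as a finding here.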
Communication
Your IT policies should be available to all employees at all times. If you change an expectation, you need to send a notification to your coworkers. To be successful in protecting the technology, you have to communicate with and enlist the cooperation of your colleagues. This is a team effort. Everyone should understand what is expected of them and what they can expect from you and your IT team.
And, while we would much rather use agreement and handshakes and cooperation than punitive measures, your People Department should be sure that employees have signed the company’s AUP (Acceptable Use Policy) before being given their equipment.
Make Shadow IT Unnecessary
Although policies (both technical and contractual) are essential to combat it, the best way to avoid Shadow IT offenders is to make the “need” for them obsolete.
Are you doing enough? Are you taking care of your treasure trove of data? Are you securing the borders? Are you making sure you communicate all security expectations with the whole company? Are you using the tools in your toolkit to maintain a secure and frictionless computing environment? If the answer to all of these questions isn’t “yes”, you’re not doing enough.
Are you doing too much? Maybe you’re being overly controlling with your policies and profiles. Commit to loosening up a bit – maybe don’t control things that significantly reduce productivity. Do you really need to control the desktop wallpaper? Do you absolutely need to have a locked-down dock/taskbar? Think about the reasons behind your system management decisions. If it’s all about control, maybe that policy is doing more harm to the work environment than good. You want to make compliance easy for your users so they can focus on their job, not on the technology.
When you strike the right balance you become a partner to their success at work instead of the one wielding the big stick.
You can prevent Shadow IT but you have to be vigilant. And you have to be vigilant without making users feel like they need to sneak around in the shadows.
How are you discovering Shadow IT and what are you doing to prevent or mitigate it?