In every company there is someone who "knows about computers", or is seen that way by colleagues. When a problem arises and reporting it to external IT means a cost or a wait, that person simply fixes it. It sounds innocent. In practice it is a serious problem, and one we meet in company after company.
What is shadow IT
Shadow IT refers to all tools, systems, and IT solutions used in the company without the knowledge and control of the IT department. The name is not accidental - it is the infrastructure that exists "in the shadows," outside of the official environment.
It could be an employee who installed their own software on a work computer because the company solution seemed too slow. It could be a team that started using a personal Dropbox to exchange project files because it was more convenient. It could be someone sending work email from a personal account because it was the path of least resistance: the messages go out, so what's the problem? Or it could be the person who simply "takes care of IT" in the company - solves colleagues' problems, sets up new devices, assigns permissions - because that is how things turned out and everyone is happy with it.
Each of these scenarios has one thing in common: the company loses control over what happens to its data and infrastructure.
Where shadow IT comes from
Shadow IT rarely arises from ill will. It is most often a response to real needs that official IT does not satisfy for some reason.
When IT support is billed hourly, every request has a price. Employees start filtering their problems: the "unimportant" ones they solve themselves or hand to a colleague who seems to know their way around. Over time that colleague becomes the company's informal IT technician.
A similar effect occurs when official tools are cumbersome, processes are too slow, or when IT is not available when employees need it. People look for shortcuts - and usually find them.
Why this is a problem
Informal IT solutions can operate effectively for months or even years. This makes the problem hard to notice - and thus more dangerous.
1. No control over data. If employees keep company files on private drives, sync documents through personal cloud accounts or send data over unapproved messengers, the company does not know where its data is. It cannot protect that data, cannot recover it after a failure, and cannot demonstrate that it was secure during an audit or after an incident.
2. Security gaps. Software installed without IT's knowledge is not monitored and is not updated under the patch-management procedures everything else follows, so it can carry known vulnerabilities. One unpatched flaw in an unofficial tool can become the entry point to the whole company network.
3. Dependence on a person, not a process. When the informal "company IT guy" leaves, they leave behind an environment nobody else understands. No documentation, no procedures, no knowledge handover.
4. Regulatory compliance. Companies that process personal data are obliged to know where that data is and how it is protected. Shadow IT lets part of that data slip out of this control, which can mean a GDPR (RODO) breach and serious legal consequences.
5. Work that is never verified. The employee who "handles IT" acts in good faith, but without review, without knowledge of security standards and without awareness of the consequences. A wrong network configuration, badly set permissions, a misconfigured account: these are not risks that build up over time, they exist from the moment the change is made. Professional IT support rests on proven procedures and knowledge that even the best intentions and a fair amount of technical aptitude cannot replace.
How to detect shadow IT in your company
Shadow IT is by definition invisible, but it leaves traces.
Several signals are worth watching for: employees using personal accounts for business purposes; tools and applications running in the company that nobody officially introduced; one person who "knows everything" about a given system and is the only one able to operate it; and project data ending up in different places depending on who happens to be working on the project.
An audit can help identify these situations. It is one of the first steps we take when onboarding a new client.
Ongoing monitoring of the environment then keeps the phenomenon from quietly re-emerging.
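One concrete trace the audit can look for is outbound traffic to consumer cloud storage, webmail and messengers that IT never sanctioned. The script below is an added example, not code from the article or from Helpwise: it reads constructed web-proxy log lines, classifies each destination against a hypothetical allowlist of approved tools and a small catalogue of known personal services, and totals the bytes each user pushed out per category. The log format, host lists, user names and sizes are all assumptions for the example.

```python
# Added example (not part of the original article or of Helpwise's tooling):
# scan web-proxy log lines for uploads to consumer cloud storage, webmail and
# messengers the company has not sanctioned, and total the bytes per user.
import re
from collections import defaultdict

# Assumption: the tools IT has officially rolled out. Traffic under these
# domains is legitimate even if a similar service appears in the catalogue.
SANCTIONED_HOSTS = {
    "sharepoint.com",
    "onedrive.com",
    "outlook.office.com",
}

# Assumption: a small catalogue of consumer services whose use for company
# files is the classic shadow-IT trace. Extend it with whatever your proxy sees.
SHADOW_CATALOGUE = {
    "dropbox.com": "personal cloud storage",
    "dropboxusercontent.com": "personal cloud storage",
    "drive.google.com": "personal cloud storage",
    "wetransfer.com": "ad-hoc file transfer",
    "mail.google.com": "personal webmail",
    "gmail.com": "personal webmail",
    "web.whatsapp.com": "unapproved messenger",
}

# Constructed log format: "<iso-timestamp> <user> <destination-host> <bytes-out>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<bytes_out>\d+)$")


def domain_suffixes(host):
    """Yield 'files.dropbox.com', 'dropbox.com', 'com' so a catalogue entry
    for the registrable domain matches every subdomain under it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(host):
    """Return the shadow-IT category for a host, or None if it is sanctioned
    or simply unknown. Sanctioned wins over the catalogue on purpose."""
    suffixes = list(domain_suffixes(host))
    if any(s in SANCTIONED_HOSTS for s in suffixes):
        return None
    for s in suffixes:
        if s in SHADOW_CATALOGUE:
            return SHADOW_CATALOGUE[s]
    return None


def analyse(log_lines):
    """Return ({user: {category: bytes_out}}, malformed_line_count).

    Malformed lines are counted and skipped rather than aborting the run;
    real proxy logs always contain a few.
    """
    totals = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            skipped += 1
            continue
        category = classify(m["host"])
        if category is None:
            continue
        totals[m["user"]][category] += int(m["bytes_out"])
    return {u: dict(c) for u, c in totals.items()}, skipped


def flag(totals, upload_threshold=1_000_000):
    """Return (user, category, bytes) for every total at or above the
    threshold, largest first. The threshold separates a one-off personal
    login from someone routinely pushing company documents out."""
    hits = [
        (user, category, nbytes)
        for user, cats in totals.items()
        for category, nbytes in cats.items()
        if nbytes >= upload_threshold
    ]
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed sample log; names, hosts and sizes are invented for the example.
SAMPLE_LOG = """
2024-03-04T09:12:01Z j.kowalski files.dropbox.com 48210000
2024-03-04T09:14:33Z j.kowalski contoso.sharepoint.com 120000
2024-03-04T10:02:17Z a.nowak mail.google.com 15000
2024-03-04T10:05:40Z a.nowak mail.google.com 3200000
2024-03-04T11:20:09Z m.wisniewska wetransfer.com 910000000
2024-03-04T11:21:00Z m.wisniewska outlook.office.com 40000
this line is garbage left over from a log rotation
2024-03-04T12:00:00Z p.zielinski web.whatsapp.com 5000
""".strip().splitlines()

if __name__ == "__main__":
    totals, skipped = analyse(SAMPLE_LOG)
    for user, category, nbytes in flag(totals):
        print(f"{user:15} {category:25} {nbytes / 1e6:10.1f} MB out")
    print(f"{skipped} malformed line(s) skipped")
```

The output is a short list of people and services, not a block rule: the point of the audit is to go and ask why the WeTransfer upload happened and fix the tool or the process behind it, which is exactly the approach the next section argues for.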
How to prevent shadow IT
Simply prohibiting the use of unofficial tools rarely works. Employees bypass restrictions if the official solutions do not meet their needs.
A more effective approach is to understand why shadow IT arises in the first place and to eliminate the causes. If employees use personal Dropbox because the company file storage system is inconvenient - the problem lies with the tool, not the employees. If someone configures equipment themselves because reporting to IT takes too long - the problem lies with the availability of support.
The fundamental requirement is easy, constant and quick access to IT support - support that can be approached with anything, from a serious outage to a minor irregularity that "might resolve itself". Why reporting every issue to IT, even the smallest, matters is explained in the article Why Your IT Should Know Everything.
Employees should know whom to approach for every problem and be assured that they will be assisted without unnecessary complications. Only then does shadow IT lose its rationale.
What it looks like in Helpwise
When we take on a new company, one of the first steps is an assessment of the environment, including identifying tools and solutions that run outside the official infrastructure. Not to hold anyone accountable, but to know what we are actually dealing with.
We also strive to create an environment where shadow IT has no reason to arise: support is available, processes run smoothly, and employees know that every request - even minor - is welcome. Responsible IT wants to know everything. It is the only way to maintain real control over the company's security.

