Lurking Deep Within The Shadows
The coronavirus has changed how businesses operate. Moving forward, it appears many organizations will continue to allow their employees to work remotely. IT leaders have accelerated digital transformation initiatives to support this shift. As more employees are brought into the light of IT-controlled systems for remote working, an imposing shadow beneath hides the growth of uncontrolled applications, specifically end user computing.
We’ve read about it every day: another company expressing the desire to make working from home the new norm. How companies truly implement this long term is open to debate, but it’s likely that a larger percentage of employees will continue to work from home in a post-pandemic world.
The results of a recent study by Jonathan Dingel and Brent Neiman, professors at the University of Chicago’s Booth School of Business, imply that 37% of US jobs could potentially be done at home. This number nearly matches survey results published months earlier, which showed 34.1% of US employees working from home. Dingel goes on to say that “This has taken maybe five or ten years of change and crunched it down into just a couple of short months.”
Before the pandemic, digital transformation was already a hot topic for many CIOs and their IT departments. The dual impact of the virus and the resulting shift to working remotely has further pushed the proverbial gas pedal. Gartner projects that global IT spending will decline 8% in 2020 compared to the prior year. However, Gartner also predicts that cloud services will grow as much as 19% because of remote working. “In 2020, some longer-term cloud-based transformational projects may be put on hiatus, but the overall cloud spending levels Gartner was projecting for 2023 and 2024 will now be showing up as early as 2022,” says Gartner executive John-David Lovelock.
Looming Darker Than Ever
IT leaders are likely focusing their digital transformation initiatives on making this new reality work: finding the right technology to replace in-person communications, enabling business operations to continue as uninterrupted as possible, and putting additional information security measures in place. While these are extremely relevant and pressing, IT leaders should also survey the organizational landscape for lurking shadow application deployments by underserved departments. In a recent survey of IT security professionals, nearly half of the respondents were concerned about remote workers using shadow applications.
What is shadow IT? Shadow IT refers to IT applications created, deployed, or used outside of a company’s central IT framework (i.e., without approval and with little to no controls). These applications manifest themselves in many ways, from Excel spreadsheets used for financial reporting to personal cloud storage accounts like Dropbox or Google Drive used to store sensitive information.
Going by this definition, shadow IT has existed ever since enterprising employees first tried to solve business needs with applications outside of IT’s control. Initially released in 1987, Microsoft Excel has stood the test of time to become perhaps the oldest, yet still relevant, shadow application. Although Excel is itself a managed application, it is often used to create additional applications (also known as end user computing or EUC applications) that are used for and within highly critical company processes.
The risk of shadow IT within an organization lies in the lack of visibility, security, and controls around these applications. They endanger business continuity and reporting accuracy, and can expose your organization to regulatory noncompliance. Some scenarios that have wide-reaching reputational and financial impacts include:
- Highly confidential PII sent to unsecured mailboxes
- Other sensitive data stored on a free cloud storage account
- Improper logic in investment spreadsheets leading to major losses
Regulators and audit teams are becoming increasingly aware of these applications and are demanding their identification and control.
Shadow IT & End User Computing (EUC)
As mentioned briefly above, EUC applications or systems let non-coders produce working applications. EUCs can essentially be thought of as a subset of shadow IT. Given their deployment throughout the business, spreadsheet-based applications are particularly challenging to identify and control through manual processes.
“Shadow EUCs” present very high risks, as they are entirely unregulated and often feed highly critical processes. This risk is only increasing as a growing pain of the rapid digital transformation undertaken to support employees working from home.
Not All Doom & Gloom
Merely looking at the risks, however, doesn’t tell the whole story. Shadow IT, or “business technology” as some would like to more positively call it, isn’t always negative and can be a powerful driver for change within an organization, empowering users to create their own business solutions quickly, efficiently, and on the surface, at a minimal cost.
To continue our earlier example, Excel can be used to create a customer-facing application that depicts dynamic views into different investment scenarios. An application like this can help customers easily view, comprehend, and determine their preferred course of action. Large enterprise systems can rarely, if ever, match the flexibility and real-time nature of this application.
At this stage we face a predicament. The same shadow IT applications that introduce new, unknown, and unmitigated risk to a company can also create flexible and adaptive solutions to critical business needs. The balance between these two scenarios lies in the ability of enterprises to gain visibility into these applications and implement governance frameworks around them.
While many solutions exist in the marketplace for discovering shadow apps, there are fewer when it comes to user-generated EUCs such as Excel spreadsheets, Access databases, R scripts, Python scripts, etc. One of the initial steps in tackling shadow IT is surveying the organization and using a tool to scan and discover any shadow apps. For EUCs, this approach is only skin deep and requires more planning.