Shadow IT Solutions
There are more risks with Shadow IT than people realize. Beneath the surface lie “Shadow EUCs”: end user computing applications that often go unnoticed and uncontrolled. Not all shadow IT solutions are able to identify shadow EUCs.
What is Shadow IT?
Shadow IT refers to IT applications created, deployed, or used outside of a company’s central IT framework (i.e., without approval and with little to no controls). These applications manifest themselves in many ways, from Excel spreadsheets used for financial reporting to personal cloud storage accounts like Dropbox or Google Drive used for storing sensitive information.
Going by this definition, shadow IT has existed ever since enterprising employees first tried to solve business needs with applications outside of IT’s control.
Initially released in 1987, Microsoft Excel has stood the test of time to become perhaps the oldest, yet still relevant, shadow application. Although Excel is itself a managed application, it is often used to create additional applications (also known as end user computing or EUC applications) that are used for and within highly critical company processes.
Shadow IT Risk
The risk of shadow IT within an organization lies in the lack of visibility, security, and controls around these applications. They endanger business continuity and reporting accuracy, and can expose your organization to regulatory noncompliance. Some scenarios that have wide-reaching reputational and financial impacts include:
Highly confidential PII sent to unsecured mailboxes
Sensitive data stored on a free cloud storage account
Errors in investment spreadsheets leading to major losses
Shadow IT & End User Computing
EUC applications or systems facilitate the production of working applications by non-coders. EUCs can essentially be thought of as a subset of shadow IT. Given their deployment throughout the business, spreadsheet-based applications are particularly challenging to identify and control through manual processes.
The known IT universe is comprised of enterprise and business unit-specific applications that have been pre-approved for use across the organization. These applications have existing controls and follow established development rules to manage ongoing updates and deployments.
Meanwhile, the shadow IT universe is comprised of unknown spreadsheets and databases that are created and manually maintained by users. These are operated outside company policy without controls or oversight from IT or Risk teams.
“Shadow EUCs” present very high risks, as they are entirely unmanaged and often feed highly critical processes. This risk is only increasing, a growing pain of the rapid digital transformation undertaken to support employees working from home.
Merely looking at the risks, however, doesn’t tell the whole story. Shadow IT isn’t always negative and can be a powerful driver for change within an organization, empowering users to create their own business solutions quickly, efficiently, and, on the surface, at a minimal cost.
For example, Excel can be used to create a customer-facing application that depicts dynamic views into different investment scenarios. An application like this can help customers easily view, comprehend, and determine their preferred course of action.
Large enterprise systems can rarely, if ever, match the flexibility and real-time nature of this application. Instead of locking down and inhibiting users, such applications empower them (within reason and under a dedicated controls framework) to drive change that helps businesses continue to grow and adapt to changing needs.
At its worst, shadow IT brings risk and the fear of the unknown to organizations. At its best, shadow IT drives critical business outcomes with unparalleled agility and ease. The key for a company is to understand how to balance both by controlling the former and enabling the latter.
While many solutions exist in the marketplace for discovering shadow apps, there are fewer when it comes to user-generated EUCs such as Excel spreadsheets, Access databases, R scripts, Python scripts, etc. One of the initial steps in tackling shadow IT is surveying the organization and using a tool to scan and discover any shadow apps. For EUCs, this approach is only skin deep and requires more planning.