If you had to make a list of all the different factors that keep IT professionals awake at night, the concept of shadow IT would undoubtedly be right at the top.
It is a term that sounds ominous… and in a way, it is. Here, you are talking about information technology applications and infrastructure elements that are being both managed and utilized WITHOUT the knowledge of the enterprise’s IT department.
Even as recently a decade ago, this was not the problem that it is today. It was easy to tell which devices were connected to your business network or what your employees were up to because they only had access to those resources while they were in the office.
Then came the era of BYOD or “bring your own device” environments, where people started using their personal smartphones, tablets, and laptop computers in the office. Sure, you can be positive that the desktop computer issued to an employee is locked down and safeguarded… but can the same be said of that iPhone sitting right next to it that you’ve never actually held or inspected? Are staffers using their personal devices to share sensitive information?
Never forget that every device connected to your business’ network is just a potential vulnerability just waiting to be exploited by someone who knows what they are doing. Once you also come to terms with the fact that shadow IT by its very nature means that you have no idea exactly what is connected to your network, you begin to get an idea of why this topic is so important.
What Are The Risks Of Shadow It?
But shadow IT is not a problem because it’s a “minor inconvenience,” or because it makes your network infrastructure “slightly more difficult to manage.” If left unchecked, it could open your business up to the type of devastating cyber-attack that it might not ever recover from.
Ultimately, shadow IT risk can be boiled down to one factor: Loss of control over enterprise data and information. According to experts, the top four security-related risks of shadow IT include:
An increased risk of data loss. Whenever an application can run outside of the control of your IT team, it does not receive the same attention when it comes to things like backup and disaster recovery. This means that you are not backing up what you are not aware exists in the first place, thus increasing the risk of permanent data loss if an unfortunate disaster does occur.
The increased risk of a data breach. IT professionals also have absolutely no control over who is accessing these applications and other resources, too. This means that shadow IT could be giving third party individuals access to data that they should not be able to see. It could also mean that your business is exposed to security vulnerabilities that your team members have no idea exist — thus increasing the likelihood of a full-scale data breach at the worst possible moment.
Inefficiencies galore. Whenever a hardware device or software asset is implemented OUTSIDE the boundaries of your normal business processes, it doesn’t go through efficiency checks to make sure that everything is in proper working order, that any integrations and connections to other systems are forged. At the absolute best, this could cause the types of bottlenecks that slow down productivity, communication, and collaboration. At worst, it could create a new (and unfortunate) single point of failure that could bring an end to some critical business element.
General cybersecurity risks. If you are not actually sure that something is on your network, you do not have the ability to update it in the way that it needs to be. Updates are about more than just bringing new features to a piece of software; they are also responsible for patching security vulnerabilities and holes that hackers are waiting to exploit. Every day that those security vulnerabilities remain unchecked is a day that your entire business is exposed to unnecessary risk.
Again, these are just a few of the major security-related risks associated with shadow IT. Rest assured that there are many, many more. But at this point, one must ask the question: why does shadow IT begin to rear its ugly head in the first place? Usually, this comes down to a few common reasons — all of which are sadly avoidable with the right oversight.
Most of the time, people embrace shadow IT to circumvent bottlenecks that exist or to avoid processes that slow them down. It is borne out of a need in that they either:
Do not feel like you have given them the tools they need to effectively do their jobs
Or those tools do not work in the way they want them to, so they have decided to start using their own without your knowledge
Other times it is simply because people prefer to rely on the software that they are most familiar with. If you provide them a tool they’ve never seen before that does essentially the same thing as something they’re already using, the chances are high that they’ll eventually get frustrated and turn to what they’d rather be dealing with.
Finally, sometimes people prefer to work with something that is compatible with their mobile devices (and what you have given them is not). Or they need to continue to work with legacy applications that are no longer supported (because the alternative you have provided them is inadequate in their eyes).
Regardless of the reason, all of this combines to form a perfect storm in the worst possible way for IT departments everywhere. Employees think that they are getting their work done and making their lives easier at the same time, so they really don’t see any harm in it. But as the security risks alone go a long way towards proving, this is one situation companies will want to avoid at all costs.
Why Is Microsoft Teams A Shadow It Risk If You’re Not Careful?
All of this is to say that while shadow IT is always a big concern in any enterprise… 2020 has caused things to get exponentially more difficult thanks to the Coronavirus pandemic.
According to one recent study, roughly 66% of all employees based in the United States were working remotely at least some of the time as of April 2020. To break that down into a bit more detail, about 44% of all workers were working from home five or more days per week — up from just 17% prior to the start of the COVID-19 pandemic.
There are two key things you need to understand about that, the first being that remote work is not going away anytime soon. Employees are starting to realize that they like remote work — particularly those who had never had the opportunity before. Likewise, even after COVID-19 sputters out, businesses are going to start to wonder if they actually NEED to bring everyone into the office every day, or if they can save more money on overhead than ever by allowing as many people to telecommute as possible.
The second is that shadow IT does not just exist in a remote work world — its reach is far greater than you may realize. Think about all the personal devices that are connected to an employee’s home internet gateway. Smartphones. Tablets. Computers. Game consoles. Smart devices. Now, remember that this employee is using their personal internet connection to dial directly into your private network. Therefore, every single one of those vulnerabilities is now your problem whether you like it or not. Once you multiply the average number of devices a person owns by the total number of employees you have working remotely, you begin to get a better understanding of just how deep this rabbit hole goes.
At the same time, Microsoft Teams has positively exploded in popularity in 2020 — to the point where their number of daily active users in Q2 is 70% higher than it was at the start of 2020. While it’s absolutely true that Microsoft Teams can deliver the benefit of communication and collaboration in this type of environment, it also brings with it its fair share of challenges regarding where information is stored and who can access it.
Without a managed implementation and subsequent monitoring, for example, your company might start to experience content sprawl because of a multiplication of teams, channels, and integrated apps with no clear organization. This will quickly become an issue that strikes to the very core of your information governance framework.
In a lot of ways, it is a double-edged sword. IT departments are always tasked with maintaining a system-neutral information governance protocol (including all rules and procedures) that allows the business to remain agile but also gives users as much freedom as possible.
But when information governance efforts are too restrictive, employees always find a way around them — which is where shadow IT becomes an issue. Before you know it, employees start to use those rogue applications and workarounds without the IT department knowing about it and that, of course, puts the company itself at risk.
The reverse is also true — if you give those users too much freedom, they still start to use rogue applications because there are essentially no consequences and the business ends up paying the price as a result.
But at the same time, it must be noted that Microsoft Teams itself is not inherently the problem. It is only when the implementation and deployment can remain unchecked that governance procedures within those Teams environments start to become a problem.
Come To A Better Understanding Of The Actual Problem
By far, the most important step you can take in terms of crushing shadow IT with your Microsoft Teams implementation involves coming to a deeper understanding of the real problem you’re facing.
You need to ask yourself if your Teams deployment is aligned with security and governance protocols. Where are users storing information that they drop into Teams chats and groups? Does this create duplication and version problems? Do they have the tools they need to manage information effectively and securely?
Answering these questions, at a bare minimum, will provide you with a rock-solid foundation of actionable information from which to work from. You will get a better understanding of the disconnect that is happening and, at that point, you’ll be in a much better position to stop it in its tracks.
Engage With Your Workforce
Another critical step towards your goal of crushing shadow IT in your Microsoft Teams implementation involves engaging with your users whenever possible. Never forget that while shadow IT can certainly feel malicious if you are an IT professional, this is rarely ever the case. People just feel like they have identified a more effective way to do their jobs than the one you have provided them — which is ultimately a good thing, from a certain perspective.
Therefore, you need to come right out and have a conversation about what tools they are using, what they are trying to accomplish, and, most critically, why they think this is all so effective in the first place. In a lot of ways, this step goes together with getting a deeper understanding as outlined above.
Avoid Those Bottlenecks
Another one of the major reasons why shadow IT exists at all has to do with bottlenecks that users are trying to avoid. In a lot of cases, people are under the impression that the IT department just is not delivering solutions as fast as it needs to. They put in a request to IT for something and they end up waiting and waiting for an answer.
This is especially true with a solution like Microsoft Teams, which can be endlessly customized to meet your needs in a variety of ways. But if you are not working fast enough, a bottleneck appears — and people start looking for alternatives to keep up with what they are trying to do.
Therefore, the simple fact that you are going to the trouble of avoiding these bottlenecks is often enough to get the job done.
You could engage with people in a one-on-one capacity, or you could send out a survey to everyone at the same time. Regardless, the result is clear — you will know WHY people are making the decisions that they are, which is certainly enough to fuel every decision YOU make from that point on.
Gain A Better Understanding Of Where Your Critical Information Currently Exists Information
04Even going beyond the ever-important issue of security, one of the major issues that often come along with shadow IT takes the form of information sprawl. That is to say, your critical business data is spread out among so many different repositories that it can be endlessly difficult just to figure out where everything is so you can put it to good use. Therefore, you need to come up with some type of plan to determine WHERE the information your shadow IT users have been creating is stored. Of course, they should live within your authorized applications but is that happening? Sometimes, simply going through this process will allow you to realize that there isn’t an authorized tool that does what your users need it to do. It is unfortunate, but it is also an incredible opportunity just waiting to be taken advantage of and now you are finally able to do so. Remember that winning organizations always find ways to manage and track
Gain A Better Understanding Of Where Your Critical Information Currently Exists
information. This is true regardless of which tools you are using, like Microsoft Teams and Outlook. This is also true regardless of where that information is saved, like in SharePoint, Salesforce, or even on your network folders.
Note that this step is not going to come right out and stop your shadow IT issues in their tracks. But it is a critical step on a much larger and more important journey that is about to unfold.
How An Information Management Solution Like M-files Can Mitigate Shadow It Risk
One of the best ways to crush shadow IT in your Microsoft Teams implementation involves making sure that you always have the right information management solution by your side. M-Files is built in a way that allows it to be fully customized to operate with you AND your people in mind.
Even when users bring their own devices, for example, information access and management can be governed at the centralized level within the information management platform. In other words, you can set permissions on files, directories, or even certain types of files based on who someone is, what job they are filling, and other factors. At that point, you can limit access to a document to only those people who expressly need it to do their jobs — absolutely no exceptions.
Likewise, the right information management platform like M-Files can be used to avoid situations where users implement the file storage tools, THEY like by establishing a direct connection to all content repositories. M-Files does not require a massive migration, either. It connects to existing systems to present data based on what it is, and not where it is stored.
One of your employees may decide that no matter what, they are going to be using Dropbox for cloud storage, for example. Another decides they would prefer to use Google Drive and yet another decides to use Box. This immediately creates two types of sprawl — content sprawl and SaaS (software-as-a-service) sprawl. Both of which are absolutely despised by IT departments.
This can be a huge challenge for organizations across all industries as employees start to leverage modern apps to “get the job done” faster. In one widely reported example, clinicians have found using WhatsApp to speed up patient care. In another survey, 95% of all enterprises say that they have found employees were actively seeking ways to bypass corporate security protocols to use non-approved web services and apps. Naturally, these are two things that you are absolutely going to want to avoid — particularly in an era where most of your people are working from home indefinitely.
This kind of behaviour is leading some CIOs to tackle the problems of shadow IT — governance, compliance, and security risks — and many of them are turning to enterprise content management systems like M-Files to meet these needs.
Microsoft Teams can present document access risks if users are not careful. With regards to something as important as access control, for example, the right information management platform like M-Files does far more than just allow you to set permissions. You can leverage dynamic organizational permissions, which allow you to easily change someone’s permission to view or edit a document based on the role they play within your company using metadata. This is far faster and more efficient than updating all permissions on a document-by-document basis.
Likewise, you can use permissions-based content and context — which lets you set unique permissions for entire types of documents and data objects in addition to individual items. Note that this is even true for different versions of the SAME documents or objects.
You can also assign roles that give different permission levels to different users. If someone is promoted to a manager or supervisor position, their permissions can automatically change — all without you having to really go in and do anything by hand.
Speaking of metadata, it is equally important to note that this is crucial for the concepts of discovery and identification. This is another area where an information management platform helps crush shadow IT in your Microsoft Teams implementation. M-Files can be used to create metadata that will give insight into all aspects of a document like the title, certain keywords that may be present in the text, or even the name of the author — regardless of where that data is stored.
In the end, understand that shadow IT is a pressing issue under normal circumstances — and it becomes an especially difficult hurdle to tackle thanks to the challenge that coronavirus represents with everyone working from home.
But that is okay — because if the first step to recovery is admitting that you have a problem, the second step is undoubtedly putting a plan in place to do something about it. By understanding the scope of the issue, by engaging with your users, and especially by implementing an information management platform like M-Files to layer over your Teams instance and fill in the gaps that may be inherent in Microsoft Teams, you’re going above and beyond in terms of squashing shadow IT once and for all.
At that point, you and your people can enjoy all the benefits that modern technology has to offer with as few of the potential downsides as possible.
For more information on how we can help your organisation please email: peter@documentmanagementsoftware.com.au or visit www.documentmanagementsoftware.com.au