The first step in solving a problem that you have is admitting that you have it to begin with. To be able to do that, you have to be looking at the landscape in which the problem resides with eyes that want to see it and know where to look.
In the case of “Shadow IT,” many companies don’t even know it exists or understand what it is. Because of that, they may not be aware that they have a problem until data goes missing or gets corrupted. By then, of course, it’s too late to do much more than damage control.
What Is a Shadow App?
A Shadow App is any app that the people in your company use to do the business of the company that has not been formally tested, approved, and signed off on by the IT department. Sometimes, the IT department itself uses Shadow Apps without ever bothering to formally approve them. This is especially true of handy, open-source software, but it can be almost anything.
If your employees are using Dropbox to move files off the company server so they can access their work-related data on the go, they’re using a shadow app. If they’re using Skype for inter- or intra-office communications, and the IT department hasn’t signed off on the program as an accepted means of communication, they’re using a shadow app. The term doesn’t mean that nobody knows about it. In fact, it’s usually the opposite case. Everyone knows about it, and they know that it’s not official company policy, but it gets the job done. It gets results. That’s why it’s being used.
Typically, the IT department’s response to the phenomenon has been to follow the employees, retroactively evaluate the software, and make it a part of official company guidelines, with rules about how and when it can be used, what sorts of data may be moved across it, and so forth.
The problem, though, is that once employee usage conventions have been established, these after-the-fact policies are very hard to enforce. Besides that, barring catastrophic data loss, how would you even know, or check to see, if your employees were complying with the new policies? If they aren’t, then what have you gained by spending time doing the evaluation and creating the policy?
This defines the ongoing struggle that IT departments nationwide have with such software. Everyone knows it’s being used. Everyone acknowledges that there’s at least some, and potentially significant, risk to company data because of it, and no one seems to be able to get a handle on it.
Some would say that’s because the genie has been let out of the proverbial bottle, and there’s no putting it back in. Others have committed themselves to trying gamely, if nothing else. Even in the best cases, results have been mixed, lending credence to the idea that maybe there truly is nothing that can be done.
As a business owner, do you know all the apps your employees are using to move and manipulate company data? Of those, do you know how many have been officially sanctioned by your IT department? Of the ones that aren’t, do you understand the risks that those apps and their use pose to your company’s data and its future? These are important, significant questions.