Shine a light on the rogue IT that hides in the company shadows

Dark moments

In an ideal world you would completely eradicate shadow IT. Dealing with the issues of departments trying to exchange documents in a variety of different formats can be a support headache.

From a governance perspective you will experience a living nightmare when one of the big software vendors arrives and asks you to show what software licences you are using and which ones you have paid for.

That doesn't mean you need to stamp out the products that have snuck in, though: there is every chance that some of them are actually quite good. Presumably the departments that have started to use them have done so because they provide some kind of functionality that your corporate systems don't.

And if your shadow users have found a cool new product and are having to use hacky methods to exploit them (such as a tablet-based app that they can't connect to the corporate network as they are outside the firewall) why not consider doing something official in the mobile device management (MDM) space to enable users to work more efficiently while still preserving security and licence control?

You may actually want to adopt some of the packages that have crept in the back door.

Follow the rules

There are five core considerations you need to take into account to address shadow IT.

1. Sort out your IT department's GUI

One of my managers once suggested putting the equivalent of an account manager into the IT department. That individual would go around the business talking to the key stakeholders (the department heads and some of the more vocal but less senior individuals) to keep abreast of what they were thinking, the new stuff they were looking to make, sell or do, and so on.

They would also spread the word about the IT department's plans, what upgrades were in the pipeline, what was on the roadmap for the next 18-24 months, and so on.

“What a load of utter bollocks,” I thought at the time. But you know what, I have come round to the idea now because I have seen it done and it works. Amazingly well.

And of course when you see it in action you realise that all you are really doing is communicating – asking what people want, which makes them feel that you care, and telling them what you are doing, which makes them feel informed.

When all is said and done, people generally prefer you to do things rather than having to find the time and money to do it themselves. But they have to believe you can and will do so.

2. Have an IT department that works

If you want to persuade people not to head towards shadow IT, and to let you take over (or replace) the items they have already started to use, you need them to be comfortable that you will do a decent job.

After all, one of the reasons they adopted these unofficial solutions may well be that what the IT department is providing them with is shoddy, old or unsupported, or a combination of the three.

I have even seen departments go to the lengths of taking on their own technical staff – or, more commonly, pay third parties to do IT work for them; it is easier to hide a purchase order for some consultancy than to persuade the HR department to let you take on an IT guy without snitching to the IT department.

So just as you ensure that the IT department is flying the flag and keeping its internal customers informed, you similarly need to ensure that it delivers on whatever is promised.

3. Put in policies and regulation

Some shadow IT implementations are attractive and worthy of adoption as corporate standards. Many are, however, big scary monsters that must be slain without delay because they can damage the business.

I am firmly of the belief, for instance, that any user installing an unofficial wireless access point on the company LAN should be publicly flogged.

Similarly I have come across a numpty “IT-savvy” user who decided to buy a load of cheap Ethernet hubs from the IT store down the road and string them around the office because he couldn't figure out the (admittedly arcane) patch panel; not only did he break the network by introducing loops but he managed to make his installation a trip hazard into the bargain.

Another classic is departments that run up a server with a new product as a “pilot” (in these days of AWS, Google Cloud and Azure it is way too easy) and before you know it they are relying on it for their day-to-day business.

And of course when their single-point-of-failure server goes tits-up, it's the IT department that gets the panic phone call.

You need to regulate your setup, then. But you can do this in a couple of ways that are not heavy-handed.

First, as you control your core LAN switches, disable the ports that are not in use and apply MAC address limiting on the ones that are. If someone connects a new wireless AP they will either (a) not get a link light; (b) be barred from the port as it is detected as a new IP address; or (c) find it doesn't work because your core switch doesn't like seeing more than one MAC address on the port.

Nobody can complain if you do this: you are simply protecting the security and integrity of the network.

Second, ensure that you have policies that cover the governance aspects of your business – PCI DSS compliance, for example, plus banning password sharing, enforcing directory service membership and antivirus protection, and so on.

Make it mandatory for all software licences to be registered centrally, and forbid unauthorised staff members from signing licences or contracts.

Most of this can be justified as being essential to ensure the company continues to trade legally, and it is not unfair because the IT department is equally bound by such regulations.

4. Corral the mobile apps

Implement a MDM package for at least your company owned devices and tie them down tightly. Users should be forced to have complex unlock passwords and be able only to install applications that are permitted by the MDM control centre.

It is perfectly reasonable to dictate what people may and may not install on company owned devices because you have to manage them and fix user problems at the end of the day.

And because your users who don't qualify for company phones will still want to get their email and contacts on their own devices, ensure that your MDM solution allows you to implement a secure sandbox on non-company phones so that your data can be erased from the MDM console if the device is lost or the user leaves the company.

Even better, if you can provide a company-supported bijou app store from which users can pull other formally supported apps into the sandbox, you get that much more control.

And be particularly diligent in finding out what people do on their handsets when you are not looking: mobile computing is a huge growth area and if you take your eye off the ball and don't control it, users will run away without you.

5. Work within the company's goals

Sometimes the reason the IT department has not implemented a solution, hence causing a shadow version to spring up, is because it is on the roadmap but has a lower priority than some other services.

This suggests that to implement it would need a tangible amount of effort (if it was trivial IT would just do it), which means that a certain amount of effort is also required by whoever is doing the shadow alternative.

How, then, do these users find the time to do this? Are they not doing their day jobs?

Sometimes people simply have to be told: “Stop doing that, it is less important than X”.

Key steps

• Make it easy and efficient to use the official system. If users can do their jobs more easily with the systems you provide than to grow their own, they will do so.
• Do everything within a proper governance framework by which everyone – even the IT department – is bound. If you don't, you risk legal issues – primarily from financial and licence audits.
• Be open to the shadow products you find. If some of them are good, consider embracing them as corporate standards and see if you can find ways of making them usable and secure.
• Get control over every mobile device that might need to connect to the company network and pull it into a controlled application set. Have full control over company devices and make sure that any corporate data on users' own devices can be removed remotely on demand. The more you can offer securely to users, even on their own devices, the more they will use your supported stuff rather than their own random apps.
• Make the IT department work properly with its users: IT is a service industry but IT departments can be surprisingly aloof, forgetting that they need to understand changing requirements and warn users of upgrades and changes.
• But don't let it become a free-for-all; if you adopt everything you see as a supported product you will need a bigger IT department than you can afford. Set the boundaries and remind departments from time to time that they have a day job to do between all that fun IT stuff they are hiding in the shadows. ®