Threat from the shadows: In everyday digital business, companies depend on a whole range of different tools and technologies. To prevent data and security problems, IT departments keep official lists of the software used, keep it up to date and develop it further.
In the shadows, however, there are often countless other programs that employees use carelessly and without the knowledge of the IT department, though mostly without malicious intent. What is this shadow IT, what problems does it cause, and how must companies counteract it?
- Shadow IT exists as a parallel world alongside the officially managed applications and can nevertheless acquire the same importance. However, the many small tools, open source products or interfaces to official applications in this shadow world are not documented and are not covered by monitoring either.
- Unofficial software leads to security vulnerabilities, for example when undocumented interfaces allow unauthorized access to sensitive data. The Log4j problem also clearly shows that companies cannot trust outside applications. Loss of control and unwanted legacy code quickly occur here: IT departments must avoid both at all costs.
- Reasons. Complicated processes and budgets that are too tight encourage the emergence of shadow IT. Budding distrust between the specialist department and IT can quickly lead to employees relying on their own applications.
- Countermeasures. IT departments can prevent employees from installing new software by configuring appropriate default settings. However, systems and projects must also be checked for existing shadow IT. The first step is to take stock, because legacy code and unofficially deployed applications are more prevalent than many IT departments care to admit. The corporate structure must also be questioned. Shadow IT can be prevented with the right processes, such as a company suggestion system for new solutions. When it comes to unofficial tools, companies should do some self-reflection: Why was the software chosen? Is the feature missing from the official list? Why wasn't it included?
“It is quite legitimate for employees to decide for themselves what they need to work,” explains Nadine Riederer, CEO at Avision. “However, correct communication with the relevant authorities is crucial. In this way, it can be clarified whether the purchase of a tool generally makes sense for the company and whether it should be included in the official list. Talking to IT can prevent a lot of work and shadow IT.”