Understanding the Rise of Shadow IT

Find better ways to meet the needs being expressed, says Kurmi CTO

Understanding the Rise of Shadow IT

During the turbulent events of recent months, ensuring business continuity without increasing risk has been the big challenge for CISOs and IT managers. Many organisations were faced with an acid-test of their cloud readiness and general operational resilience, and some had to make major changes to established business practices overnight.

Unsurprisingly mistakes were made in some cases, and often with the best of intentions. Individual managers and knowledge workers did their best to remain productive and effective in their roles under dramatically altered circumstances, and while many attempts were noble in effort, inevitably some temporary solutions were far from ideal, and so may even have undermined organisational intent — involving as they did, the use of ‘shadow IT’: individually sourced and implemented applications and programmes, running outside the official business environment, and never intended for enterprise use.

Shadow solutions to the rescue?

As Sébastien Valentini, Chief Technical Officer at Kurmi, explained, “people did not use shadow IT for pleasure or to annoy

Sebastien Valentini

Sébastien Valentini

IT/security teams. They did it because they had to, to answer the company or customers’ requests to provide service continuity during the lockdown. The context may have accelerated these risks because while it increased the need for collaborative or communication tools, it broke down certain barriers between private and professional life. Some official tools of the company may not been available remotely or it may have been more difficult to use due to VPN access over personal Wi-Fi / internet connections. By comparison, tools designed for personal used, generally cloud-based, are immediately available, accessible at any time, from anywhere.”

The intervention of unapproved apps and tools running within the business can easily break carefully-planned security protocols and systems, in application stacks chosen to satisfy requirements in secure and compliant environments.

Outside the secure and managed environment

Sébastien Le Lourec

Sébastien Le Lourec

Sébastien Le Lourec, IT Security Manager at Kurmi Software, explained, “Shadow IT is generally a threat from an CISO or IT manager perspective. It is put in place outwith the scope of IT teams so the general procedures in place to ensure availability monitoring, backups, access controls are not in place.  IT and security teams try to bring consistency, homogeneity and integration at the company level. Individual initiative to put in place unofficial solutions go against these efforts”.

To counter the risks which arise from shadow IT, it’s important that organisations educate their teams about the dangers it creates and the damage that unauthorised applications can do, while maintaining a commitment to provide best in breed tools to their users, for UC and beyond.

“We must remember that IT and security teams are at the service of the business, not the other way around. The use of shadow IT is an expression of need”

So, if mistakes were made — perhaps even overlooked — during the crisis of lockdown, now is the time to review the lessons learned in a constructive way, and decide which solutions to take forward into the ‘new normality’.

Kurmi’s software simplifies and automates the deployment of UC solutions such as Cisco Microsoft and Avaya, and these can be intuitively managed by local administrators in response to shifting requirements. Because these comprehensive applications also integrate with many other tools, there will surely be an appropriate and secure way to bring in all the desired functionality to the corporate provision, in a consistent, compliant, and homogeneous way – and therefore no need for anyone to start experimenting with risky fringe solutions.

“IT teams must seize the opportunity to resume the dialogue with the business and, to bring clear answers to these needs while bringing their ability to provide sufficient confidentiality, integrity and availability levels for the company,” Le Lourec concluded.


Join over 30,000 Weekly News Subscribers