
Ten tips to expose and expunge shadow IT at your company

Bringing shadow IT projects into the sunlight requires change management and getting employees to embrace IT-sanctioned technologies.

If you're concerned about the security of your corporate content, it's time to take charge of shadow IT. To take control, though, you need to know more about how content is seeping in and out of the four walls of your company. If it's being emailed and viewed on mobile devices or saved to personal PCs, it's going to take some technology and some change management to enforce greater content security measures.

Ask your senior IT people whether they're aware of every information technology your organization uses. Chances are, they're not.

Oh, they'd like to be, and it's not that long ago that they probably believed they were. But today, most seem to know that there's a lot of stuff operating in the shadows that they don't know about -- for which, at some point, they'll likely be held responsible.

We see this commonly among our clients because an employee somewhere signed up for a cloud content service (e.g., Box, Dropbox, Office 365, etc.), never imagining that it would cause compliance, governance or technical problems down the road.

The question is, what can you do about it? You can't turn off what you don't know exists, so here is a list of 10 tips to get you started in expunging rogue content-sharing technologies.

Find 'em

The obvious starting point is to find as many of the rogue solutions as you can. There are many ways to get this done, including simply showing up in each department and asking to see what employees are using. But there are a few behind-the-scenes approaches that can illuminate the dark spots more quickly and, perhaps, more completely.

  1. Monitor your server connections to see which applications are making calls to your information. Most will be known quantities, especially if they're coming from inside your firewall. But there will certainly be others that strike you as more unusual -- especially connections that come from outside.
  2. Monitor logins (attempted and successful) as well, and match them against your user directory. Not only are you looking for obvious mismatches, but you also want to examine accesses from unknown or unusual locations -- these could be legitimate users dialing in from a mobile phone or home office, but they could also be potentially suspect sources connecting via a shadow IT technology.
  3. Monitor help desk requests to learn whether anyone is asking questions about unsanctioned applications or connections (i.e., to a cloud service). Inquiries related to usability (e.g., "How do I … ?") are worthy of examination because they are common among those with little experience with a solution, and there would be plenty of those associated with a non-mainstream system.
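
Tip 2 worked through as an added example (not part of the original article): a Python script that matches attempted and successful logins against the user directory and flags sources outside the networks you consider usual. The log format, account names, addresses and network ranges are constructed assumptions; adapt the parser to your own log source.

```python
import ipaddress
from collections import Counter

# Constructed inputs: directory accounts, networks treated as "usual", sample events.
DIRECTORY = {"asmith", "bjones", "cwu"}
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
SAMPLE_LOG = """\
2015-06-01T08:02:11Z login result=success user=asmith src=10.1.4.22 app=fileserver
2015-06-01T08:05:40Z login result=failure user=bjones src=203.0.113.9 app=fileserver
2015-06-01T08:05:52Z login result=success user=bjones src=203.0.113.9 app=fileserver
2015-06-01T09:14:03Z login result=success user=sync-svc src=198.51.100.7 app=contentapi
2015-06-01T09:15:03Z login result=success user=sync-svc src=198.51.100.7 app=contentapi
2015-06-01T10:30:00Z login result=success user=cwu src=192.0.2.15 app=contentapi
malformed line without fields
"""

def parse_line(line):
    """Return a dict of key=value fields, or None if the line is not a login event."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "login":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not {"result", "user", "src"} <= fields.keys():
        return None
    fields["time"] = parts[0]
    return fields

def is_known_source(src):
    """True if src parses as an IP address inside one of the usual networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETS)

def review_logins(log_text, directory=DIRECTORY):
    """Count (user, src, reason) findings over attempted and successful logins."""
    findings = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # skip lines that are not well-formed login events
        if event["user"] not in directory:
            findings[(event["user"], event["src"], "not-in-directory")] += 1
        if not is_known_source(event["src"]):
            findings[(event["user"], event["src"], "unusual-source")] += 1
    return findings

if __name__ == "__main__":
    for (user, src, reason), count in sorted(review_logins(SAMPLE_LOG).items()):
        print(f"{reason:17} user={user:9} src={src:14} events={count}")
```

A directory account seen from an unusual source may simply be someone working from home, while an account that is not in the directory at all is the stronger lead for an unsanctioned integration; review the two kinds of finding separately.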

Fix 'em

Now that you know what you're up against, the next step is to bring your rascally systems and users into the fold -- or get rid of them altogether. Whichever approach you take, you can't simply let the situation stand, because of the compliance, discovery and other risks associated with such quasi-controlled information stores. Most successes here are rooted in our old axiom, "It's psychology, not technology." Chances are the shadow technology was originally set up because of feelings related to authority or control, and the exertion (properly or otherwise) thereof.

  1. Grant an amnesty. As much as you want to regulate your technology sprawl, you can't afford to lose the hearts and minds of the people using and benefitting from their rogue solutions. So, focus on forgiveness rather than punishment to encourage employees to fess up to shadow IT and get with the program.
  2. Help the transition. Empower an employee in each affected area to help make the transition back to "sanctioned" territory. You can't do all the work yourself, and inviting the managers and users involved to participate in the process helps reinforce the notion that you're doing this for them and not to them.
  3. Offer help. Don't interpret the previous point to mean, "Here, do this and that and the other thing." Work with the application owners to get the system in question to interoperate with or migrate to your sanctioned solutions by reconciling the data, managing the permissions, etc.


Forestall 'em

The last ingredient in the recipe is to minimize the chances that future systems sprout in the shadows. It's not realistic to prevent rogue IT altogether, but you can encourage both the following of the rules and the shrinking of the shadows.

  1. Take a customer service approach to technology management. As is the case in so many areas, communication is key, so expectations can be properly set and follow-through made tangible. Responsiveness and transparency are paramount -- even if the news you have to communicate is not the best.
  2. Think in business terms, not technology features. The folks in your organization's lines of business are much more likely to engage with you if the conversations you have are held in their terms. Otherwise, they can be left feeling either ignored or condescended to and thereby more likely to want to do their own thing rather than deal with it.
  3. Emphasize ease of use. Emphasize the ease of use of the solutions you want people to use -- and if they're not easy to use, make them so. There's no doubt that the less painful a sanctioned technology is to use, the less people will want to end-run it. And if nothing else, it will benefit the people who are playing by the rules, and that's a good thing, too.
  4. Let people know about the capabilities you've already built. In one recent case, we helped a client discover part of their problem was that one department didn't know the records group had a scanning capability and was eager for others to use it. The result was a readily avoidable overreliance on paper to move many processes along, and a budding desire of the department in question to seek its own solution.

Finally …

At the end of the day, exposing and expunging shadow IT begins and ends with tightening the relationship between technology and business, which often are disconnected enough to cause them to spin in separate, if overlapping, orbits.

I can almost guarantee your organization has technologies you don't know about, and I know that the only way to come to grips with them is to ask the question posed at the top of this piece. So, get out there and ask, and let us know what you find out.


This was last published in June 2015


Has your company taken steps to address shadow IT? Why or why not?

We have taken steps to address shadow IT. One of the primary reasons was to help ensure the security of our data, which I think is a major reason many organizations take steps. Another reason was to curb costs of employees using company funds to pay for shadow IT solutions. We had noticed that different groups across the organization were each paying separately for the same solution, not realizing that other groups were doing the same thing. By identifying those instances, then consolidating into a single, organization-wide solution, we were able to cut costs and still offer a solution for the employees.

Yep, those would be the Top Two reasons! Interesting that you mention security first, for I have noticed that these sorts of initiatives aren't as purely cost-driven as they were just a short time ago.

Thanks for weighing in!

The emergence of shadow IT is often a symptom of a larger problem within an organization, which is often an inability for someone to do their job with the tools made available to them. One of the approaches I’ve seen that works well is to work with the users of shadow IT to see what needs are not being met. If there is a solution available that they are unaware of, then work with them as the article suggests to transition to the offered solution. If the organization does not offer a solution, then work with the users to either legitimize the shadow IT solution, say move from personal DropBox accounts to DropBox for Business, or find another solution that the organization can provide.

In the past couple of years my organization has taken steps to crack down on access to cloud storage like DropBox or Google Drive. They have also stopped the practice of remoting into a company computer from a home computer while working from home. That was one of those cases that caused a lot of difficulties for people trying to get work done, due to performance issues trying to work over a VPN. No solution was offered, it was just a mandate that we had to absorb. It would have been nice (and more professional) to offer help with the transition, like the author suggests.
