Companies and governments continue to bemoan Shadow IT. Many respond by criticizing employees and implementing additional controls. Unfortunately, most fail to recognize and address the root causes.

Shadow IT commonly appears in three forms: personal devices used for business, cloud-based applications, and cloud computing services.

Few employees begin the day with the intention of violating corporate policy. However, in today’s competitive job market, annual performance reviews focus on accomplishments. As long as employers provide substandard tools, many employees will resort to Shadow IT.

PCs have a three year lifespan. In days gone by, corporations acknowledged this fact and planned IT refresh cycles accordingly. Even Revenue Canada recognizes this; the Capital Cost Allowance rate for computers is 55 per cent per year. Taking into account the 50 per cent rule for the first year, a $1000 notebook has a book value of $147 after three years. In an effort to reduce capital costs, some corporations have pushed to a five year refresh cycle, or even worse, replacing equipment only after it completely fails. As a result, many employees spend forty or more hours a week using sluggish, outdated equipment worth less than a tank of gas.

To make matters worse, some organizations still deploy a standard disk image for all employees. This outdated concept requires that the image accommodate the lowest common denominator. With five-year-old PCs still in use, brand new PCs are deployed with outdated operating systems and applications. As a result, even employees provided with brand new hardware experience poor performance.

The reality many enterprises face today is that employees have far better computers and applications at home than they are provided with at work. They are also accustomed to low cost, efficient, cloud-based applications from Dropbox, Google, Microsoft, and many others. Some employees experience frustration and resentment as they are forced to work longer and take work home because they are provided with substandard tools. A growing number of employees simply opt out and bring their own laptop to work, regardless of whether their employer has a BYOD program or not.

The other main factor driving Shadow IT is the inability of corporate IT groups to keep up with demand for servers and other IT infrastructure. In the past, a new server required the purchase of hardware, racking, operating system installation, and connection to the network. The process often took weeks or longer to complete. Despite the movement to cloud computing, eliminating the need to procure new hardware for each server, provisioning still takes too long.

Large organizations silo their IT departments. It is common for a single provisioning request to require action by server, networking, and firewall groups. Service requests pass from person to person for accounting, IP address allocation, DNS configuration, Active Directory account creation, VM provisioning, licence allocation, OS installation, application installation, backup configuration, and firewall changes. A process that requires an hour or two of work takes days or weeks to accomplish. In the meantime, project managers and their teams wait. Reductions in IT personnel result in an increased backlog and longer waits, yet managers are under increased pressure to deliver on time and on budget.

In sharp contrast, Amazon Web Services enables provisioning of networks and servers in minutes. All it takes is a credit card. In less time than it takes to create a service request in most organizations, an employee can log in and launch an instance complete with an operating system. Licences are included where required, and more complicated requirements such Microsoft SQL databases can be instantiated as a managed service. Provisioning additional resources, including disk space, is equally simple.

From a security perspective, Shadow IT increases some risks. Developers may not be familiar with best networking and firewall practices in the cloud. Data on personal PCs and other devices may not be protected to the same standards.

The traditional stance taken by employers is that employees have an obligation to comply with corporate policy. By failing to do so, employees place themselves at risk of sanctions that may include termination of employment. However, complying with policies that adversely impact productivity may place employees at even greater risk. Employees who fail to deliver receive poor performance reviews, are frequently targeted during downsizing, and are routinely terminated.

Organizations should be concerned about Shadow IT not only because of the risk it creates, but because it is usually a symptom of a much larger problem.

Have a security question you’d like answered in a future column? Email eric.jacksch@iticonline.ca