
Bring Your Nonprofit's Rogue IT Out of the Shadows. Here's How.

Are your staff and volunteers going their own way with technology? You may be dealing with shadow IT. Here's what you need to know.

Do you know all the tools, apps, and services that your staff and volunteers are using? If your team is using tools that are not controlled or authorized by your organization, then you may be dealing with shadow IT.

Shadow IT is a general term to describe technology that employees and volunteers use that hasn't been vetted, sanctioned, or approved by your organization. It may be a project management app that your marketing team is using because they don't like the org-wide solution. It could be a design app that your graphic design team is paying for out of their own pockets without you knowing. Or it could be the personal email account being used for organization business, to send files or board communications.

It sits in the shadows, as it were, and it can leave you open to all sorts of risks that can impact your operations.

The Risks of Shadow IT

Security

Unsanctioned technology may not conform to your organization's IT security policies. For instance, if your organization requires multi-factor authentication or manages user accounts via single sign-on, an unsanctioned app may fall outside those requirements.

Another common example is that the unauthorized tool or service is not configured appropriately for role-based access. If users are granted excess privilege, for example, they might have access to the billing management of the application, or to data that is not appropriate for their role.

If a staff member leaves, their user accounts for shadow IT tools may remain active because your IT staff doesn't know about it. This can leave your data more vulnerable: An old account could eventually get hacked without your knowledge.
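Once staff have disclosed the tools they use (the first step described later in this post), IT can turn the three risks above into a repeatable check: accounts held by people no longer on the staff roster, accounts with owner/admin/billing roles, accounts without multi-factor authentication, and personal addresses used for organization business. The script below is an added example written for this post, not TechSoup's own tooling; the tool names, e-mail addresses, the `example.org` domain and the role names are all constructed, and it assumes the disclosure exercise produced a simple per-tool list of accounts plus an HR-supplied list of current staff addresses.

```python
"""Reconcile disclosed shadow-IT accounts against the active staff roster.

Added example, not from the original post. Assumes each unsanctioned tool's
user list has been collected during the disclosure exercise and that HR can
supply current staff e-mail addresses. All data here is constructed.
"""
from dataclasses import dataclass

# Domains the organization owns; anything else is a personal account.
ORG_DOMAINS = {"example.org"}  # constructed

# Roles that control the tool itself (billing, user management); these
# deserve review even when the account holder is still employed.
PRIVILEGED_ROLES = {"owner", "admin", "billing"}


@dataclass
class ToolAccount:
    tool: str
    email: str
    role: str
    mfa_enabled: bool


@dataclass
class Finding:
    tool: str
    email: str
    issue: str


def audit_shadow_tools(accounts, active_staff):
    """Return one Finding per problem found in the disclosed account list."""
    staff = {e.lower() for e in active_staff}
    findings = []
    for acct in accounts:
        email = acct.email.lower()
        domain = email.rsplit("@", 1)[-1]
        if domain not in ORG_DOMAINS:
            # Personal mailbox used for org business; IT cannot disable it.
            findings.append(Finding(acct.tool, acct.email,
                                    "personal account used for org business"))
        elif email not in staff:
            # Holder has left but the account is still active in the tool.
            findings.append(Finding(acct.tool, acct.email,
                                    "orphaned: holder not on active staff roster"))
        if acct.role.lower() in PRIVILEGED_ROLES:
            findings.append(Finding(acct.tool, acct.email,
                                    f"privileged role '{acct.role}' needs justification"))
        if not acct.mfa_enabled:
            findings.append(Finding(acct.tool, acct.email,
                                    "MFA not enabled (outside org policy)"))
    return findings


def summarize(findings):
    """Count findings per tool so IT knows which tools to review first."""
    counts = {}
    for f in findings:
        counts[f.tool] = counts.get(f.tool, 0) + 1
    return counts


# Constructed sample data: three current staff, one departed (dave).
ACTIVE_STAFF = ["alice@example.org", "bob@example.org", "carol@example.org"]
SAMPLE_ACCOUNTS = [
    ToolAccount("DesignApp", "alice@example.org", "owner", True),
    ToolAccount("DesignApp", "dave@example.org", "member", False),
    ToolAccount("TaskBoard", "bob@example.org", "admin", True),
    ToolAccount("TaskBoard", "carol@example.org", "member", True),
    ToolAccount("TaskBoard", "carol@personal-mail.example", "member", False),
]

if __name__ == "__main__":
    results = audit_shadow_tools(SAMPLE_ACCOUNTS, ACTIVE_STAFF)
    for f in results:
        print(f"{f.tool:10} {f.email:30} {f.issue}")
    print("per-tool totals:", summarize(results))
```

Running the sample flags the departed user's still-active DesignApp account, the two privileged accounts, the personal mailbox in TaskBoard, and both accounts without MFA; the unremarkable staff account produces nothing. Pointing the same function at real exports (most SaaS tools let an admin download their member list) gives IT a prioritized list for the review step described at the end of the post.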

Finally, if you have to conform to certain data security regulations like HIPAA, shadow IT may impact your ability to comply with those regulations.

Data Governance

When your data lives in unapproved systems, it becomes that much more difficult to assert your data ownership and retention policies. You don't know what data is being stored or where it lives — or who has access to it. You don't know whether your employees are retaining the data that they're expected to, or if they're retaining data that they shouldn't.

In addition, since user accounts aren't centrally managed, it leaves the door open to data theft: Imagine an unhappy employee who retains access to data in shadow IT solutions after they leave. It's ripe for all sorts of potential abuse.

Finances

In some cases, your staff may be paying for tools and services that you aren't aware of, and those tools may end up integral to your organization's workflow. But if you aren't aware of them, you have no idea how much those solutions cost, and you can't factor them into your budget.

Business Continuity

This is a big one. First off, with shadow IT, your business processes may not be properly documented, so as staff turnover occurs, you'll lose a significant amount of institutional knowledge. And if the staff members who were managing the shadow IT systems leave, who's going to pick up for them? Will others be able to access the data? If the person paying for it stops paying, what then?

An organization built on undocumented processes and unsanctioned tools is a house of cards, and it's only a matter of time before it collapses. Your mission-critical work deserves better.

How to Prevent Shadow IT

If you manage IT for your organization, there are a few things you can do to prevent shadow IT systems from taking root.

To start, make sure you have a clear, enforceable IT acceptable use policy. Set clear boundaries for what is and isn't an appropriate use of organization-owned equipment, systems, and data. And make it clear what the repercussions are if your staff or volunteers violate it. This isn't about control; it's about making sure your data is protected and operational processes are clear in case of business continuity interruptions.

You may also find it helpful to provide your staff with a listing of all approved apps, tools, solutions, and services. That way, your team knows what tools they have at their disposal before they go searching for a solution to a workflow problem. For example, here at TechSoup, we have an internal listing of all the apps and services that we have access to, along with some use cases for each.

But don't be afraid of new things. In your acceptable use policy, you may consider carving out some process for allowing your staff members to experiment with or request new tools. If you do, set clear guidelines for when and how it may be permissible to try an unsanctioned tool (and who can approve them).

For example, you may allow staff members to tinker with new AI apps, so long as they aren't using them with any confidential or sensitive information, or using them for critical business processes.

Finally, keep an open mind! Try to establish an organizational culture where fresh thinking is encouraged, and where your staff feels like they can approach you with suggestions for new solutions to use in your work. Make it easy for staff to suggest new tools and make a business case for them.

I've Already Got a Shadow IT Problem — Now What?

If your staff is already using undocumented IT solutions, what's a nonprofit to do? A good first step is to ask your staff to come forward and disclose any unofficial tools that they're using, how they're using them, and any associated costs they may be covering. Make it clear that you aren't looking to be punitive — that you're only looking to get a handle on what's happening within your organization.

From there, you can review each product or solution to determine whether they fit into your overall technology plan and meet your needs. Remind your end-users that the IT department is there to help enable their success, not prevent it.

Need help? Our Managed IT services can help you with your longer-range tech planning. Small nonprofits may also benefit from the Virtual CTO Program, a joint initiative between TechSoup and Tech Impact to provide organizations with executive-level technology guidance. Finally, TechSoup Plus members get a free tech audit so you can get a read on gaps in your IT stack.

In the end, being responsive and building trust goes a long way toward bringing your IT out of the shadows and into the light.

Michael Enos, TechSoup's vice president of infrastructure security and compliance, contributed to this blog post.

Thumbnail photo: Shutterstock