SMBs should be aware that shadow IT exists in their company and they should create policies to address it. Meet Diane. She’s one of six project managers with a regional architecture firm that employs 56 people. The firm caters to about 300 customers in a two-state area, which means Diane’s plate is full. She’s juggling 10-20 active projects at any given time and usually has a dozen or more that are in the planning stages.

In June, Diane went to her IT department and asked them to provide her with a project management app that would streamline her client communications, keep all the details of a project together in one place, and allow her to create and send reports to her superiors. The IT department did a study on the need for the requested software and determined that it wasn’t something all the project managers would use, and that the ROI on the application didn’t justify the time and expense it would require. They denied the request.

Today, Diane registered for a cloud-based app that cost $29.00 per month. She then downloaded the companion app to her personal mobile phone and to her desktop. She immediately migrated all her projects to the app, and tonight when she gets home, she’ll load the application on her tablet, spend time organizing everything, and then begin tackling the to-do list provided by the application. Tomorrow, she’ll be more productive than she has been in months.

Diane’s Solution is Your Shadow IT

What Diane did – knowingly implement an application and use personal technology not approved by the IT department – is called shadow IT, and your company probably has more of it than you realize. According to Microsoft, 80 percent of employees admit to using unapproved applications for corporate purposes. And Cisco estimates that 15-25 times the number of known cloud services are purchased by employees without IT’s involvement.

By definition, shadow IT is an application or device used for corporate purposes without the knowledge or approval of the IT department. And there’s an ongoing debate over whether these applications and devices lead to innovation or security risks.

Some proponents of shadow IT argue that it’s a great way for organizations to try out applications and services without having to commit to a full, company-wide install of that application. Once employees have been using the application for a while, it’s easier to determine how it fits into current workflows and how difficult it will be to encourage employee adoption.

The detractors of shadow IT argue that every unauthorized point of access to your IT capabilities is a risk. More concerning, as the rate at which people adopt new mobile and cloud applications increases, so does the risk that those applications contain malware, ransomware, or other harmful elements that could damage an organization or put its sensitive data at risk.

Should You Allow Shadow IT or Not?

The list of pros and cons concerning shadow IT continues. It reduces the burden the IT department faces when dealing with physical infrastructure. Shadow IT can create data silos that impact the flow of information throughout the organization. But it also increases productivity and improves workflow processes. So, should you allow your employees to access the IT tools they’re most comfortable with or should you restrict them to the tools your IT department deems are most effective?

Answering that question isn’t easy because it really comes down to organizational culture. Is your culture one that encourages free thinking and decision making, or is it essential to your organization that everyone remain uniform in their approach to getting things done?

Regardless of which side of the fence your company falls on, shadow IT is going to happen. And you need to address it. The best way to do that is to create acceptable use policies that outline exactly what your organizational stance is on shadow IT and then create guidelines for how users should adopt technologies and use personal devices.

Your acceptable use policy should also include repercussions for anyone who does not adhere to the policy. Again, these repercussions will be determined by your company’s culture. But you need to have them in place.

Finally, that acceptable use policy should be communicated to all employees and should be enforced uniformly across your organization. That will require having someone to monitor the applications and devices that are accessing your network.

Shadow IT could be the best thing to happen to your company or a threat you don’t want to deal with. Either way, you need to have policies in place to deal with it, and those policies need to be communicated and enforced. Then, no matter what your stance is on the issue, your company remains protected from outside threats.