Shadow IT: Convenient, But Not Without Risk


What is Shadow IT?

“The street finds its own uses for things” is a line from William Gibson’s cyberpunk short story Burning Chrome, and it’s often used to explain the uses of technology that are unexpected, unintended, and oftentimes unsanctioned. In Burning Chrome, the “street” was the criminal and hustler class in Gibson’s Blade Runner-esque “Sprawl” universe. An article in today’s New York Times suggests that in real life, it’s your coworkers.

Shadow IT sounds like some kind of future slang that Gibson would’ve coined, but it’s an office term referring to the set of applications and systems that are used in organizations without that organization’s approval, and especially without the approval of the IT department. It’s usually the result of one or a handful of employees discovering an application, service or system that solves a problem in a way that seems more effective, expedient, and more free of red tape than if it were solved by IT. Shadow IT usually starts off as an ad hoc solution, but if it becomes popular within an organization, its use can become standard practice, even without the approval or oversight of the IT department.

Among the applications and services that fall into the category of shadow IT are:

  • Wifi: In offices that don’t provide wifi but provide broadband access through ethernet, people bring and plug in their own wifi routers.
  • “Sneakernet”: Carrying a USB key is still the simplest, highest-bandwidth way to pass files within an office. In offices where the email server has a policy of not allowing email attachments over a specific size, sneakernet can be quite useful.
  • Email forwarding: A common trick to bypass security measures in enterprise email systems is to forward emails from a company account to a personal account for later reading.
  • File-sharing/-storage services: In situations where sneakernet won’t do, such as sharing files among people in different offices, or with remote coworkers, or to have “anytime, anywhere” access to specific files, services such as Box, Dropbox, Google Drive, SkyDrive, and YouSendIt are often used.
  • Collaboration services: When people work collaboratively on documents, passing around files often leads to those files going out of sync and the rise of different versions of the same document being passed around. In such cases, Evernote, Google Apps and the web version of Office are the preferred collaborative tools.
  • SYOD devices: SYOD is short for “smuggle your own device”, our shorthand for when people bring their own devices without IT’s knowledge or approval.
  • Text, voice and video chat: Popular “out-of-band” communications tools include Facebook, Google Chat and Skype.

Many organizations even have a shadow IT budget to cover the costs of these services. In a 2012 survey of IT managers by PriceWaterhouseCoopers, nearly half the respondents said that at least half of their corporate IT spending was on shadow IT.

Upsides and Downsides

Shadow IT is a mixed blessing for organizations. It solves a lot of problems for business workers, and relieves IT of some of their load, as they’re services that they don’t have to install, maintain or support. It also blurs the line between work and home life — what some call “life splicing” — which companies like, because it often works in their favour, getting extra work out of their employees.

One downside is that they may put the organization in violation of certain compliance guidelines, such as HIPAA or Sarbanes-Oxley.

They also increase the number of ways that organizations can lose control of their data through attacks on the servers on which the services reside. Examples include:

Mobile devices further complicate things. They’re easy to carry, but that means that they’re also easy to lose. One notable case brought up in the New York Times article is the recent loss of a mobile device assigned to an employee of Florida’s Department of Juvenile Justice. It was neither encrypted nor locked with a passcode, making the records of up to 100,000 youth and department employees accessible.

No Easy Solution

The seemingly obvious solution is simply to ban the use of non-sanctioned services. However, policy alone is insufficient; Florida’s Department of Juvenile Justice had a policy specifically forbidding the storage of sensitive data on unsecured, unencrypted devices, for all the good it did them.

Solutions such as the DNS control provided by BlueCat Networks can limit access to such services. By taking control of an enterprise network’s DNS, you can restrict access to specific sites and services and lock out unauthorized devices. This protection is available as long as you’re using the enterprise network to access the internet; outside, you’re not covered.
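Before locking services out at the DNS layer, the same resolver can tell you which shadow IT services are already in use and from which internal hosts. The script below is an added example, not code from the original post or from BlueCat; its log line format and its mapping of name suffixes to the services the article names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed mapping from DNS name suffixes to the services the article names.
# The suffixes are assumptions for this example, not an authoritative list.
SHADOW_IT_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "docs.google.com": "Google Apps",
    "evernote.com": "Evernote",
}

# Assumed resolver log line shape (constructed): "<time> client <ip> query: <name>"
LOG_RE = re.compile(r"^\S+ client (\S+) query: (\S+)$")


def classify(qname):
    """Return the service a query name belongs to, or None. Matches the name
    or any parent domain: dl.dropbox.com -> Dropbox, notdropbox.com -> None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        service = SHADOW_IT_SUFFIXES.get(".".join(labels[i:]))
        if service:
            return service
    return None


def inventory(log_lines):
    """Count queries per service and record which internal clients made them."""
    hits = Counter()
    clients = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed format; skip it
        client, qname = m.groups()
        service = classify(qname)
        if service:
            hits[service] += 1
            clients[service].add(client)
    return dict(hits), {s: sorted(c) for s, c in clients.items()}


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "12:00:01 client 10.0.1.5 query: dl.dropbox.com.",
    "12:00:02 client 10.0.1.5 query: intranet.example.local.",
    "12:00:03 client 10.0.2.9 query: docs.google.com.",
    "12:00:04 client 10.0.2.9 query: notdropbox.com.",
    "12:00:05 client 10.0.3.1 query: www.dropbox.com.",
]
```

As the article notes, this only sees devices that resolve names through the enterprise resolver; a phone on its own carrier connection never appears in the log.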

Educating employees about the risks of such services can help, but there are always some employees you’ll never be able to reach, no matter how many sessions they attend.

People resort to shadow IT because no acceptable solutions exist within the organization. The most effective solution may be to implement a system that meets employees’ needs at least as well as outside services. This, of course, is easier said than done.

This article also appears in 'Mobilize!: The CTS Tech Blog'.


BYOD Roundup: Mobility Policies and CTS’ Mobility Policy Guidebook, Samsung Knox, Making BYOD More Appealing to Users


Create a Mobility Policy, Educate Your Employees About It, and Get Them to Sign Off On It

“Whatever your BYOD policy is,” goes the second of four tips in the PC World article When alien hardware invades: 4 keys to BYOD success, “you should define it in a written document.” It’s an important point, and one with which we agree. At my company, CTS, we recommend that you…

Create a mobility policy.

This is a written set of rules governing the use of mobile devices for work, whether the devices are owned by your organization or by your employees, and covers company-liable, COPE, BYOD and everything in between. Note that this is something you can’t do in isolation, but in consultation with your employees: not just the IT department, but also management, various business units, HR, legal and so on. You should also consider the various levels of mobility in your company: the needs of “road warriors”, who spend most of their time on the road, vs. your office core, who spend most of their time at the office (but can easily spend half their time away from their desks at meetings) differ greatly, but they both need to be accounted for. CTS has a Mobility Policy Guidebook to help you figure out what should go into your organization’s mobility policy.

Once you’ve created a mobility policy, educate your employees.

Mobility policies can sometimes be lengthy documents, and it’s all too likely that people will simply glance at it, say “I’ll read this later” and file it away in that Place Where Things Are Never Heard From Again. This is bad, especially considering that mobile technology is a new, rapidly-changing thing, and BYOD is also a new, rapidly-changing thing; it’s likely that many of your employees’ assumptions about mobile devices at work are wrong (consider the case of Amanda Stanton, whose employers remote-wiped her iPhone). Hold info sessions to explain the broad strokes of your mobility policy, and more importantly, the rationale behind the rules in the policy. CTS’ Mobility Policy Guidebook not only helps you set up the rules in your mobility policy; it also explains the rationale behind them.

Have your employees sign mobility agreements.

These agreements, typically handled by HR, specify the terms and conditions by which employees agree to abide. Some organizations use a single agreement, while others break them up into documents such as:

  • a Mobile Acceptable Use Policy agreement,
  • a Mobile Remote Wipe Policy agreement,
  • and in the case where the organization helps cover part or all of an employee’s mobile bills, a Mobile Reimbursement Policy agreement.

Once again, CTS’ Mobility Policy Guidebook covers these.

Want to know more about CTS’ Mobility Policy Guidebook? Contact us at!

Samsung Knox

Samsung’s courtship of the enterprise market continues with the announcement of Knox, their containerization solution that lets you split your phone into two different sides: one for work, and one for the rest of your life. Each side is under a completely different “jurisdiction”, with your company’s IT department having control of the work side, while you have full control over the “rest of your life” side, free to install whatever apps you want.

Here’s an excerpt from an article on Knox written by a Samsung partner, Centrify:

…even in the case that the device itself has no unlock passcode and no corresponding security policies, the secure container of business apps on the phone cannot be accessed unless the appropriate passcode is entered. And inside the container the user is able to share data between business apps (e.g. copy and paste text from an email into a CRM record), but corporate IT would of course not want data inside the container copy-and-pasted onto a non-container app such as Twitter or Facebook — i.e. data leak prevention. And of course corporate IT should have the ability to wipe the container if the device is lost or the employee leaves the organization, but not delete music, photos, personal apps, etc. that the employee put on the phone.

Knox works on any SAFE (SAmsung For Enterprise)-certified device. Currently, there are only two such devices: the Galaxy S III and the Galaxy Note II.

Ten Ways to Make BYOD More Appealing to Users

TechRepublic have ten suggested ways to make BYOD more appealing to those users who are still a little reluctant. The full details are in the article, but we thought we’d list those ten ways in summary:

  1. Tell them that BYOD means more freedom. BYOD allows users the freedom to do their work anytime, and in any place. This means that they can be productive while on the go, whether they’re on their commute, while waiting to pick up their kids from school, or doing other things that wouldn’t be possible in the age before mobile technology. The TechRepublic article also talks about more time to use social networks, but we feel that the real benefits come from getting stuff done and not being stuck at the office.
  2. Allow longer work lunches. If employees take their devices to lunch, why not take advantage of those “any time, anywhere” capabilities and let them take longer lunches — which are often used to run mid-day errands — as long as they’re being productive.
  3. Provide software incentives. “More than likely, your company has access to software titles at lower prices than do your employees. Why not extend these prices to your employees as an added incentive for BYOD?”
  4. Allow them to take advantage of deals through hardware purchases through the company. “Similar to the software incentive, you probably can allow your employees to purchase the hardware they will use in the BYOD program through your own channels.”
  5. Give them an end-of-year bonus. “You’ve saved money by having your employees bring in their own devices. There is no reason why you can’t pass on a fraction of those savings to participating BYODers.”
  6. Offer more telecommuting opportunities. Give BYODers the opportunity to occasionally telecommute.
  7. Offer cloud storage. “If your company has the resources, offer BYOD employees an internal cloud storage option. This solves a number of problems. It allows your employees easy access to the data they need to work with and enables them to store personal data in a safe cloud environment.”
  8. Subsidize their phone plans. “For those BYODers using their personal smartphones for business, it makes sense to compensate their phone plan somewhat.” A number of organizations do this as part of their mobility policy, and we expand on this in the CTS Mobility Policy Guidebook.
  9. Give free (limited) support. A limited amount of support (say assistance getting connected to corporate resources such as email and intranet) is helpful, and keeps them productive.
  10. Tell them about the security benefits. If you can offer BYODers added security on their devices — say, through an MDM application installed as part of your BYOD program — tell them about those benefits.

This article also appears in 'Mobilize!: The CTS Mobile Tech Blog'.