Before you can manage shadow information technology (IT), you must find it. Your remote monitoring and management (RMM) platform can help you identify it, assess its potential impact, and enforce policies to govern its use. Learn what you can do in this edition of Tip Tuesday.
I’m having trouble with shadow IT. Any advice?
You’re not alone — many managed service providers (MSPs) have trouble with unauthorized software and hardware. Experts say shadow IT and its connected security risks are back in a major way.
The challenge lies in a lack of awareness. You can’t fix what you don’t see, but understanding what it looks like can help you discover and manage it within your RMM environment.
What unauthorized technologies look like
Shadow IT is a blanket term for unapproved devices, cloud services, applications, or software used for work purposes without the IT team’s approval. It isn’t usually malicious, but it still presents a security threat.
Imagine a client makes a panicked call about a compromised user. Only then do you realize that one employee opened a free Dropbox account using their work email. Naturally, it is poorly secured, so a bad actor used it to spread a credential-harvesting PDF.
In this scenario, a single account on an unauthorized cloud service results in dozens of hours of remediation. Enabling Dropbox’s account capture and invite enforcement features would solve the problem quickly, but you’d have to pay for the monthly enterprise subscription.
The risks of unaddressed shadow IT
Unauthorized hardware and software introduce unknown security vulnerabilities, increasing the likelihood of data breaches and compliance violations. They may complicate communication, create data silos or generate operational friction, inadvertently raising support costs.
Why do my clients insist on using shadow IT?
Employees’ use of shadow IT almost always indicates a deeper issue. The company’s current technologies are likely not fulfilling their professional needs.
Understanding the “why” behind shadow IT
Employees may turn to shadow IT if unsatisfied with their company’s tools. While some quickly became fluent with remote work technology during the COVID-19 pandemic, others are still adjusting to virtual meeting technology. Employers are still figuring out how to ensure all team members feel supported.
Say your client doesn’t realize their virtual meeting software is unintuitive and laggy. Remote staff may switch to a less secure alternative, inadvertently inviting cyberattacks.
Even if they have been explicitly instructed only to use authorized tools, they may dismiss the IT team’s expertise or avoid asking for approval for fear of their request being rejected.
What can I do to get this problem under control?
Maintaining control over your client environments is possible. You can leverage your RMM platform to identify and manage shadow IT.
Managing shadow IT within your RMM
IT sprawl is common — companies use 110 software-as-a-service applications on average. If your client is experiencing uncontrolled technology expansion, managing unapproved apps and devices will be challenging. Start by making a comprehensive list of endpoints using your RMM’s network discovery tool. Then, catalog what is and isn’t allowed to identify discrepancies.
You can conduct a risk assessment to categorize known assets by their threat level. Proper due diligence requires an impact evaluation of security, cost, and business strategy.
With custom RMM scripts, you can automatically onboard new devices, giving you more control over their operation and security. Alternatively, you can streamline remediation. The platform can automatically uninstall unsanctioned software or alert users of their noncompliance.
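The inventory, allowlist and risk-assessment steps above, as an added Python example (not code from this article or from any RMM vendor): it reconciles a software-inventory export against an approved list and gives each discrepancy a risk tier. The CSV columns, allowlist patterns, risk tiers and sample rows are all assumptions constructed for the illustration.

```python
import csv
import fnmatch
import io
from collections import defaultdict

# Constructed sample of a software-inventory export. The column names are
# assumptions, not any vendor's actual schema.
INVENTORY_CSV = """hostname,software,version
ws-001,Microsoft 365 Apps,16.0
ws-001,Dropbox,190.4
ws-002,Microsoft 365 Apps,16.0
ws-002,dropbox ,189.1
ws-002,AnyDesk,8.0
ws-003,Zoom Workplace,6.1
ws-003,7-Zip 23.01 (x64),23.01
"""

# Hypothetical client policy: approved titles as lowercase glob patterns.
ALLOWLIST = ["microsoft 365*", "zoom*", "7-zip*"]

# Hypothetical risk tiers for known unsanctioned titles. Anything unmatched
# is reported as "unreviewed" so it gets triaged instead of ignored.
RISK_RULES = [("anydesk*", "high: remote access"),
              ("dropbox*", "medium: file sharing")]

def normalize(name):
    """Lowercase and collapse whitespace so 'dropbox ' equals 'Dropbox'."""
    return " ".join(name.lower().split())

def is_allowed(name):
    return any(fnmatch.fnmatchcase(name, pat) for pat in ALLOWLIST)

def risk_of(name):
    for pat, tier in RISK_RULES:
        if fnmatch.fnmatchcase(name, pat):
            return tier
    return "unreviewed"

def find_shadow_it(csv_text):
    """Return {software: {"risk": tier, "hosts": sorted hostnames}}."""
    hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = normalize(row["software"])
        if name and not is_allowed(name):
            hosts[name].add(row["hostname"].strip())
    return {n: {"risk": risk_of(n), "hosts": sorted(h)} for n, h in hosts.items()}

if __name__ == "__main__":
    for name, info in sorted(find_shadow_it(INVENTORY_CSV).items()):
        print(f"{name:10} {info['risk']:22} {', '.join(info['hosts'])}")
```

Grouping by title rather than by device shows how widely each unsanctioned tool has spread, which is the figure to bring to the client conversation before any uninstall is scripted.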
Navigating the next steps for resolution
When you discover unapproved tools, consider it an opportunity to provide value to your clients. You can launch a strategic conversation about their technology needs to ensure their IT infrastructure remains secure and compliant.
Remember to discuss your findings carefully to avoid causing alarm. If customers reach out with concerns first, avoid a doom-and-gloom response, but do not minimize the gravity of the situation. Work quickly on remediation while gathering actionable data to present later.
Any tips on collaborating effectively with clients?
Since many use unauthorized tools to bridge a productivity or usability gap, shadow IT can be a sensitive subject.
Here are some talking points you can use to frame your discussion:
- Do end users understand the risks of shadow IT? They may not realize that an app or personal phone can put the company at risk. Ensure they are informed.
- Is your approval process taking too long? Slow responses to requests can incentivize unsanctioned use. Have client leadership preapprove requests.
- Do employees perceive the MSP as too controlling? Understanding why staff circumvent your input can help you prevent unapproved tools from proliferating.
Once you start the conversation, you can work on developing policies, training programs or approval processes. The best strategy is to make workers part of the solution, not the problem.
When collaborating, emphasize the importance of policies that balance security and business agility. Your customer may be tempted to overlook cloud services and email accounts that improve turnaround times, but you must minimize cybersecurity risks.
What if their employees keep using shadow IT?
Give staff time to adjust to the new normal. Refine your strategy as needed. Collaborate with client leadership to develop more actionable, measurable policies.
Addressing the root cause may help, but there is no guarantee employees will stick to sanctioned tools. Gartner predicts 75 percent of employees will create, acquire or modify technology outside the IT team’s visibility by 2027, up from 41 percent in 2022.
If shadow IT continues to be a persistent issue, update your service-level agreement and master service agreement. Explicitly outline that clients are fully responsible for security breaches resulting from unapproved applications, software, or hardware.
Dealing with shadow IT is an ongoing effort
You may see shadow IT reappear when business dynamics evolve or new people are hired. Keep using your RMM platform to detect, monitor and remediate. Keep client leadership in the loop so they can enforce policies on their end.
Read the Tip Tuesday series for more insights on how to better your MSP business.