Shadow IT sounds dark and scary, but it usually refers to software or apps your employees use when they’re trying to solve a problem. The only problem is they may be using something other than the company’s pre-approved technology.
In the construction industry, shadow IT can include file storage solutions, file sharing solutions, productivity apps, collaboration apps, project management apps, messaging apps, and email services.
Why do employees turn to shadow IT? A few of the reasons include:
- They believe the company’s software is inefficient
- They believe the company’s software is ineffective
- They believe the company’s software is complicated and/or unpleasant to use
- Before being hired at your company, they used different software at a previous employer and want to keep using it
- The company’s software has become outdated
- The company’s software is incompatible with personal devices
- A competing product has features that are not available in the company’s software
Just as shadow IT is not dark or scary, the people who use it are rarely devious or malicious. Their underlying motivation is to be more efficient and effective at their job, and to make that job easier to do.
Normally, you would acknowledge or reward employees who take the initiative to make work more efficient or effective. But shadow IT can pose a greater risk to your company than your employees may realize.
With shadow IT, your employees are basically wresting control from the IT department and making your company more vulnerable to cyber security threats.
The most common risks to using shadow IT include:
- Data leak
- Data loss
- Inefficiencies
- Unpatched errors
- Compliance issues
- Financial cost
Think of what would happen if a data leak resulted in your bid information being made public for competitors to see. Or consider data loss: all your building supplier information could be permanently deleted.
Imagine tradespeople entering data twice—once in their preferred IT and once in the company’s approved IT. An IT department can’t update shadow IT, which means users could be running software with bugs that an update would have eliminated.
Another example: the use of shadow IT could result in a contractor being non-compliant with submittals. Ultimately, this could result in your incurring greater financial costs, putting your company at a competitive disadvantage, and damaging your company’s reputation.
The construction industry is not immune to data security issues. The 2021 JBKnowledge ConTech Report found 11.6% of those surveyed reported having fallen victim to a security data breach in 2021.
The bottom line: your company owns its data, and you have to protect it. A severe data breach or data loss could put your key business data at risk. Even worse—sensitive corporate information could be lost, stolen, or made public.
Here are seven steps to help you detect, manage, and remove shadow IT from your organization.
1. Develop a Shadow IT Management Program
Your company’s shadow IT program should be in line with your company’s cyber security mandate, assuming your company has one. It should also have some flexibility to allow for growth, technological changes, and changes in behavior.
For example, the pandemic has caused many in the construction industry to work remotely. The transition to remote work is a change in behavior for many. They had to engage with tools their company either never used or rarely used, such as video conferencing software.
Your shadow IT program should also overlap with your technology acquisition goals since piloting new technologies can decrease the amount of shadow IT embraced by employees. Also, the shadow IT used by your employees could be the next technology your company adopts if management sees the value in it.
Step 1 only needs to be completed once. Step 2 should be performed continuously. And steps 3-7 are taken only when shadow IT is discovered.
2. Monitor Networks for Shadow IT
Once you begin monitoring networks for shadow IT, don’t stop. There are tools designed especially for monitoring networks.
You don’t necessarily have to prevent each non-sanctioned software or app from being used, but you should be aware of them. Remember, each one is a potential point for data leaks, data loss, inefficiencies, unpatched errors, compliance issues, and additional financial costs.
3. Discover Shadow IT
If you monitor your networks, you will eventually discover shadow IT.
According to Microsoft, IT administrators greatly underestimate the number of apps used by employees: administrators believe employees use only a few dozen apps, but employees at large companies collectively use more than 1,000 different apps on average.
4. Identify the Risk Levels of the Software or App
Once you’ve found shadow IT, determine its risk potential. Answer the following questions:
- To which data does the application or software have access?
- Who published the application or software?
- How reliable is the publisher, and how free is it from cyber security risks?
- Does the publisher allow third-party companies to access information?
- How reliable are those third parties, and how free are they from cyber security risks?
- Which people or departments are using the application or software?
- How much is the application or software being used?
If the shadow IT poses no risk, it’s probably not worth blocking. Otherwise, greater evaluation is required.
5. Evaluate Compliance
Determine whether apps are certified as compliant with your organization’s standards, such as HIPAA (Health Insurance Portability and Accountability Act), SOC 2 (System and Organization Controls 2), and GDPR (General Data Protection Regulation).
Under GDPR, for example, organizations must process users’ personal data lawfully, fairly, and transparently. Shadow IT can allow third-party actors to access that data and compromise the company’s ability to process users’ personal data lawfully, fairly, and transparently.
6. Analyze Usage
Once you’ve flagged the apps and software that meet your company’s threshold for risk, investigate who is using them and for what purposes. Perhaps the individuals are scattered across the organization, or maybe they are all in the same department.
Analyzing usage will help you determine what steps to take next.
7. Manage Apps and Software
At this point, you have several options regarding any shadow IT that you’ve identified as posing a risk to your company. You can block its use completely, block certain aspects of its use, or have a conversation with the people who use it about why they do.
Speaking with the people who use it can help your company evaluate potential technologies worthy of adoption by the whole organization. Or you may want to make an exemption in certain cases or for certain departments.
For example, if your project manager wishes to use a different app for reality capture whose output gets imported into the company’s project management software, is it a big deal? Maybe the software isn’t worthy of being ranked as sanctioned (chosen), but only as authorized (approved). This may be something you need to determine on a case-by-case basis.
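As an added illustration of steps 2 through 6 (this is example code, not from the original article or from Asite), here is a small Python script that runs over constructed proxy log lines, classifies each destination against a hypothetical inventory using the article’s sanctioned/authorized/prohibited tiers, and reports who uses each non-sanctioned app and from which departments. The log format, hostnames and inventory are assumptions made for the example.

```python
import re

# Constructed proxy log lines for this example (timestamp user department host); not real traffic.
PROXY_LOG = """\
2024-03-01T08:02:11 jdoe estimating drive.approved-cloud.test
2024-03-01T08:05:43 asmith fieldops chat.unknown-msg.test
2024-03-01T08:07:02 jdoe estimating files.freeshare.test
2024-03-01T09:12:30 bwong fieldops chat.unknown-msg.test
2024-03-01T09:40:15 bwong fieldops capture.reality-app.test
2024-03-01T10:01:55 cnguyen estimating files.freeshare.test
2024-03-01T10:22:09 asmith fieldops drive.approved-cloud.test
"""

# Hypothetical application inventory using the article's tiers; a host missing
# from it is "unknown", i.e. newly discovered shadow IT.
INVENTORY = {
    "drive.approved-cloud.test": "sanctioned",
    "capture.reality-app.test": "authorized",
    "files.freeshare.test": "prohibited",
}

# Review order for findings (step 4, risk level): prohibited before unknown before authorized.
PRIORITY = {"prohibited": 0, "unknown": 1, "authorized": 2}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (timestamp, user, department, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groups()

def shadow_it_report(text, inventory=INVENTORY):
    """Group each non-sanctioned host by its users, departments and hit count (steps 3 and 6)."""
    report = {}
    for _ts, user, dept, host in parse_log(text):
        status = inventory.get(host, "unknown")
        if status == "sanctioned":
            continue  # approved tooling is not shadow IT
        entry = report.setdefault(host, {"status": status, "users": set(), "departments": set(), "hits": 0})
        entry["users"].add(user)
        entry["departments"].add(dept)
        entry["hits"] += 1
    return report

def prioritize(report):
    """Hosts in the order a reviewer should examine them: by tier, then by how many people use them."""
    return sorted(report, key=lambda h: (PRIORITY[report[h]["status"]], -len(report[h]["users"])))
```

Pointing the script at real proxy, DNS or CASB exports and maintaining the inventory as step 7 decisions are made turns it into the continuous monitoring that step 2 calls for.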
Typically, construction companies struggle to train their employees in IT. Only 16.2% of respondents in the JBKnowledge ConTech Report gave their company an 8 out of 10 rating for tech training.
Just as you wouldn’t let just anyone use a jackhammer or excavator without proper training, you should educate employees as to which technologies are sanctioned, authorized, and prohibited. Don’t forget to make sure they know the risks of using shadow IT and the problems it could cause.
Take a look at how Asite, a holder of the International Organization for Standardization (ISO) 27001 security certification—the global gold standard in information security—can help keep your construction project secure. Learn more now.