Shadow IT goes home: How to reduce the risk

Look back 20 years, when IT was responsible for sourcing, licensing, configuring and managing all workplace technology. PCs were secured by locking them down so that only approved apps and features were available, and Active Directory’s group policies allowed fine-grained control over PCs. The only software allowed was what IT provided and managed. Access to large parts of the web, including social media, was blocked and there was no expectation that users would be able to (or want to) use their PCs at work to access personal data – including private email accounts. 

IT was often thought of as the department of “no” because that was usually the response when asked whether this application or that piece of hardware could be used. If something needed to be installed, it generally involved an IT staffer coming to your desk, relieving you of your PC for a time, or waiting for something to be installed automatically overnight without any notice or explanation.

With no control over applications, content or web access, most employees weren’t able to upset the apple cart – and few tried. 

[ Free download: Mobile management vendors compared ]

Then the iPhone began to rewrite the rules of enterprise computing. Workers began to find apps or cloud services to do work and install them on their mobile devices without any say from IT. At this point, IT could do little other than block those devices from accessing corporate Wi-Fi, which was a paper tiger because connectivity came with the device.

At the same time, cloud services gained influence at work and at home. With non-corporate devices came free access to services that could be purchased for a small ad hoc team or entire division. 

This is shadow IT – employees and executives working out their own personal set of tools for what they need to accomplish. 

[ Related: Is Apple’s iCloud Folder Sharing a shadow IT problem? ]

It began to look as if IT had become a utility. It kept the lights on, but wasn’t a needed partner or equal in terms of decision making. Perhaps the defining moment was when Apple announced its mobile device management (MDM) capabilities alongside iOS 4 and the original iPad. This didn’t create a tech utopia, but it did create ways to close the gap between shadow IT and corporate IT. 

Enterprise IT in the time of COVID-19

By and large, IT and shadow IT have developed a dialog about a device, its ownership, the apps and the content on it, using MDM and the broader EMM (enterprise mobility management). The results may not be perfect but there’s a grudging acceptance on both sides. Although iOS was the mobile platform in businesses for some time, Android eventually caught up in terms of enterprise capabilities. EMM platforms have even gained the capability to manage PCs, Macs and Chromebooks. 

[ Related: iOS 13: Apple’s big BYOD improvements help enterprise pros ]

Then came the coronavirus and its disruption of pretty much everything. The vast majority of workers who didn’t get laid off or furloughed are now working from home – a new experience for many. Although unintentional, we have arrived at a new normal: a worldwide proof of concept of working completely remote, long-term.

One thing that’s been amazing about the response from IT departments is that they have been able to support their workforce using existing tools and practices. Another is that IT may not be able to convince users of threats, regulations or other situations where there needs to be a hard and fast line for the good of the business. In a home environment, workers are used to managing their lives across a multi-device playing field. This is quite literally the home field and, as in sports, that means the power in the relationship is decidedly on the side of shadow IT.

IT management beyond the office

There’s a litany of questions that need to be answered, but running an audit of devices in the field and seeing where EMM policies are in place and functioning is one of the easiest parts of the equation; IT has had that capability for a decade. Indeed, most EMM suites will alert IT staff members when devices are pushed out of compliance. This could be a minor setting or it could reflect the use of malware or simply a user doing something monitored, but not blocked.  

[ Related: Apple’s Box security scare shows the risk of shadow IT ]

If devices are out of compliance, particularly if they were deliberately made so, IT has to choose how to respond. In the office, that could be a gentle reminder or simply adjusting a device back into compliance. At work, it’s easy to chat with users whose devices are being used to do things that can cause concern. But outside the office, everyday interactions that don’t require a meeting or even an email now take more effort. And reminders from IT can be ignored more easily.

This brings us to an uncomfortable moment. On the one hand, IT is responsible for much of the technology making this work-from-home experiment possible. On the other, people who are fine with desktop restrictions on a work PC may balk at allowing IT into their homes and personal devices.

This is a reasonable concern and allaying those fears is important. In some ways, the perception of IT is more important here than any technical capability. It’s important to keep in mind that one of IT’s goals should be communicating what can be done, what will be done and why. 

In most cases, the underlying issue isn’t technological. It’s cultural. It’s about having a relationship where the default reaction is trust – and that requires IT departments (and the whole organization) to operate with transparency. The more transparency, the greater the trust. 

[ Related: For device management, JAMF underpins Apple’s enterprise role ]

Doing this successfully goes beyond a lengthy agreement signed during onboarding. What must be discussed, demonstrated and reiterated constantly is that there is a wall of privacy on every device in the business – and, at times, devices well beyond it – and that IT understands how important it is to maintain that wall.

Building community and communication

IT is often isolated from much of the workforce. Becoming a known entity is a required competency here. If there are solutions like Slack in play, IT members should be consistently monitoring conversations that are gaining traction, sometimes about non-IT issues that technology might solve. If IT staff regularly do this and offer advice and suggestions, it builds a level of community. 

If, however, there is no such collaborative tool in place – or if there is, but it doesnt get used – something as simple as a weekly email newsletter can be a way to reach out and establish that connection, particularly if it includes FYI-type messages. 

These pieces aren’t directly business-related, but provide users with tips or tidbits of useful news. For example, “FYI  Apple and Google are building a contact-tracing app, thought you might like to understand that effort and why you should or shouldn’t take part” or “iOS 14 will be released on Friday, here are changes that you might want to keep in mind during and after upgrading.” These messages demystify IT and make IT staff more approachable – it engenders trust because employees can see that their IT staff has their back even when there are stringent restrictions placed on particular devices.

One of the major benefits of developing an engaged relationship as a trusted advisor is that when there’s something you actively need or want to communicate to employees, they’re likely to hear you. 

Get out the carrots, put away the sticks

It’s not uncommon for workplaces to have a range of incentives – both for and against – around the use of technologies other than what’s IT provided. While these policies were generally developed to secure business data, they often come across as punitive. Many such policies impact working out of the office and using mobile devices, cloud services and “personal” technologies. 

Although this can be effective, particularly when policies are strict to begin with and are clearly communicated, in today’s new normal they may not serve a useful purpose. Not all policies should be completely reviewed and updated in the midst of this crisis, but  a quick review of mobile and work-from-home policies is in order. Where there are requirements or behaviors that IT decides are absolute needs during the pandemic, it’s a good idea to work predominantly with positive incentives. If you’re uncertain what types of incentives to use, working with line of business managers can generate a large variety of options. 

Speaking of management beyond the help desk, it’s important to have a regular check-in with all stakeholders to ensure that remote work functions successfully. In the beginning, working with HR to establish goals, practices and metrics to implement during this time. 

One idea that works surprisingly well is an old-fashioned suggestion box. Provide a digital version that allows users to ask for policy changes or exceptions (and fully justifies them) as well as more general requests. Some questions will be non-starters, but some may extremely insightful. 

Keeping IT’s seat at the table 

As non-IT stakeholders like executives, line-of-business managers and individual teams source and implement their own solutions, there are complications and potential consequences. 

If IT is uninvolved or unaware of decisions made, the dynamic between IT and the rest of the organization is changed. This dynamic has the potential to shift budgets and procurement processes from IT to other departments. It has implications for support, should there be problems with the adopted apps and services or if they cannot integrate with enterprise systems. Decisions being made quickly in the moment or by ad hoc groups take on a powerful dimension in the current climate. 

It’s worth noting that there are some very practical advantages that IT can bring to the table. Cost savings on bulk purchases/subscriptions is a big one. Data security is another. Offering advice as a partner is one that’s huge but often overlooked. 

Moving forward in the shadows

This crisis is going to test and stretch the realities of every organization. All of this happened with little notice and the goal right now is getting arms around this mess and making changes on the fly. Stomping out shadow IT is something that most IT departments don’t have the time for and, with the right relationship, shadow IT may even prove to be an asset  as long as there is dialogue to ensure goals are aligned. 

That dialogue needs to have started yesterday because the horse is already out of the barn and this transition is one without a clear map to follow. Transparency, trust and dialog about what works and what doesn’t aren’t new concepts, but they are now vital concepts that need to be assimilated into the IT playbook.