Teaching Users to Practice “Safe IT”


The rapid growth of shadow IT has caught many organizations by surprise. A typical organization has around 730 applications in use that IT is not aware of, and in a large organization the figure can run to thousands.

Users introducing applications that IT does not formally provide, whether deliberately or by accident, present a management and support challenge to the IT department and a potential security risk to the organization as a whole.

However, before we crack down on everything that is not ‘official’, we need to take a step back and consider the reasons for the introduction of these applications. What are users telling us and how should we respond? 

Shadow IT can perform a useful function, acting as a compass to show where the IT function needs to innovate. Users do not come into work to be subversive; they simply want the tools they need to do a good job. If the existing IT infrastructure is not providing what they need to solve a problem or be more productive, they will look for alternatives.

They have become used to consuming applications at the touch of a button; we can hardly blame them if they bring the same approach to work. Similarly, they want to use the same shiny, responsive equipment that they have at home, so if what you provide is inferior they may bring in alternatives.

Shadow IT can be symptomatic of a much deeper problem within your organization. To quote Jack Welch, former CEO of General Electric: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

The IT department needs to keep up with market developments so the organization remains competitive, but it does not have a monopoly on innovation and users may be better placed to identify what is needed in their area.

This does not mean we should simply tolerate shadow IT. Bringing in unknown applications creates significant security risks. Something may look very professional on the surface in an app store or on a website, but the code behind it is unlikely to have had the security review and testing that a Tier 1 vendor applies, because most developers cannot afford to invest the same time and resources.

In my experience, some of the nicest-looking applications can be the most insecure, while others have been exploited as a point of malware ingress or egress of data and IP in a number of high-profile attacks.

Other risks arise through use of SaaS and cloud. If a user reuses their corporate password for an application they have introduced themselves, a breach of that application's provider hands the attacker a valid corporate credential. The risk of data leaking out is clear, and it creates a security and reputational risk to the organization.

Running an application within a business environment creates an illusion of security, but cloud applications talk to the outside world over outbound HTTPS connections that the perimeter firewall allows by design. They therefore offer a potential entry route for malicious attacks and an egress channel for IP and data. Unsupported applications can even inadvertently become part of a business process, which can quickly lead to the organization failing a quality audit.

It is up to the IT department to assess the risks and come up with realistic, workable solutions. If a fire door in an office is too difficult to open, people simply prop it open. Similarly, if the IT department makes life too difficult or does not provide the right tools, people will circumvent them. A common illustration is the individual who finds it too difficult to get their tablet onto the company Wi-Fi, so brings in their own Wi-Fi router, creating a rogue access point that bypasses the company's security controls entirely.

We can take three simple steps to manage shadow IT. First, educate users about the risks to the business and, ultimately, to their job. Second, have clear policies and ensure users understand them. There is no point penalizing people for using an app that never touches company data. We should categorize data, clearly explain what can and cannot be done with each category and the risks involved, and then clamp down hard on those who do not comply. Third, take advantage of tools that give clear situational awareness of what users are actually using (web-proxy and DNS logs, or a dedicated cloud-discovery tool) so you can make an informed decision about what action to take and offer workable solutions, such as centralized identity management.
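The third step, knowing what users are actually using, can start with data most organizations already have. The script below is an added example and is not part of the original article; it assumes a hypothetical space-separated web-proxy log format (timestamp, user, method, URL, status, request bytes), a hypothetical allow-list of sanctioned SaaS domains, and constructed sample log lines. It reports every host outside the allow-list together with the users touching it and the bytes they uploaded, which is the figure that matters when the question is data egress.

```python
"""Shadow IT discovery from web-proxy logs.

Added example, not from the original article. It assumes a hypothetical
space-separated proxy log format:
    <timestamp> <user> <method> <url> <status> <request_bytes>
and a hypothetical allow-list of sanctioned SaaS domains.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Hypothetical allow-list of SaaS domains that IT has formally provided.
SANCTIONED: Set[str] = {
    "mail.example-corp.com",
    "crm.example-corp.com",
    "sharepoint.example-corp.com",
}

# Constructed sample log lines for the demo; not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice GET https://mail.example-corp.com/inbox 200 0
2024-05-01T09:13:44Z alice POST https://files.dropshare.example/upload 200 5242880
2024-05-01T09:15:10Z bob POST https://files.dropshare.example/upload 200 7340032
2024-05-01T09:16:02Z bob GET https://crm.example-corp.com/accounts 200 0
2024-05-01T09:17:55Z carol POST https://notes.quickpad.example/api/sync 200 20480
2024-05-01T09:18:30Z alice GET https://notes.quickpad.example/ 200 0
this line is malformed and must be skipped
"""

# Request bodies on these methods are where data leaves the organization.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def is_sanctioned(host: str, sanctioned: Set[str]) -> bool:
    """True if host is a sanctioned domain or a subdomain of one.

    The leading dot matters: 'xmail.example-corp.com' must not pass just
    because it ends with 'mail.example-corp.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, status, nbytes = parts
    host = urlsplit(url).hostname  # urlsplit lower-cases the host for us
    if host is None:
        return None
    try:
        nbytes_int = int(nbytes)
    except ValueError:
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host, "status": status, "bytes": nbytes_int}


def discover_unsanctioned(log_text: str, sanctioned: Set[str]) -> Dict[str, dict]:
    """Aggregate traffic to hosts outside the allow-list.

    Returns {host: {"users": set, "requests": int, "uploaded_bytes": int}}.
    Malformed lines and sanctioned hosts are skipped.
    """
    findings = defaultdict(lambda: {"users": set(), "requests": 0,
                                    "uploaded_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_sanctioned(rec["host"], sanctioned):
            continue
        f = findings[rec["host"]]
        f["users"].add(rec["user"])
        f["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            f["uploaded_bytes"] += rec["bytes"]
    return dict(findings)


def rank(findings: Dict[str, dict]) -> List[Tuple[str, int, int, int]]:
    """Order hosts by bytes uploaded, then by number of distinct users."""
    rows = [(h, f["uploaded_bytes"], len(f["users"]), f["requests"])
            for h, f in findings.items()]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    for host, up, nusers, nreq in rank(discover_unsanctioned(SAMPLE_LOG, SANCTIONED)):
        print(f"{host:32} users={nusers} requests={nreq} uploaded={up} bytes")
```

Ranking by uploaded bytes rather than by request count is deliberate: a file-sharing site touched twice with 12 MB of uploads is a bigger egress concern than a news site hit a thousand times. The suffix check in `is_sanctioned` is the part people most often get wrong; matching on a bare `endswith` would let an attacker-registered look-alike domain slip onto the allow-list.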

The role of today’s IT department is to provide tools, advice and governance – teaching our users to practice ‘safe IT’ and come to us for advice. If they don’t feel comfortable talking to IT, the situation will only get worse. Shadow IT is not going to go away, so use it as a compass to show where innovation is needed and ensure your organization remains both competitive and safe.
