Experts warn of growth of 'shadow IT' use outside IT department control

Industry experts have warned of an increase in unauthorised IT systems within organisations as IT departments fail to keep pace with employees' technology demands and the consumerisation of IT.

Speaking at an event organised by Vodafone Global Enterprise, Sukhi Gill, HP enterprise services chief technologist for Europe, said there has been an increase of "shadow IT", whereby employees are working around IT departments and company security policies to access corporate data using consumer mobile applications and cloud-based services on personal devices.

Gill said enterprises are falling behind employee demand: "CIOs are not getting money from the board, there is a backlog of projects and consumers are blaming devices."

He added that enterprises need to rewrite legacy applications beyond e-mail clients to make them more like a consumer experience. But legal considerations still act as a barrier.

Legal complications stall mobilisation



HP's legal department is grappling with who is liable if a corporate network is compromised via an employee-owned device.

"The legal department is blaming the end user for corporate downtime and still trying to decide what contract to make them sign," said Gill.

While contractual issues are yet to be resolved, Gill advises companies to accept that consumerisation of IT has happened and to start trials of mobilising some non-core applications, such as giving field workers access to some corporate data and services.

IT departments must work with users



Nicholas McQuire, research director for Europe in enterprise mobility at analyst IDC, said customer-facing mobile apps are a priority for many businesses, forcing some marketing departments to hire app designers to develop products, "flying under the radar of the IT department" and bypassing IT governance.

This means IT departments need to work more closely with users to protect sensitive data.





"The key performance indicators (KPIs) for IT used to be measured by availability. There is a transition going on. Equally there will be performance-based measurement around how users perform," he said.

McQuire said companies must segment applications before upgrading to new operating systems, such as Windows 7, to decide what applications should be mobilised and which need to be secured to protect data.

Making mobile technology work for the business



Paul Domnick, CIO at law firm Freshfields Bruckhaus Deringer, said companies have focused attention on protecting infrastructure and systems instead of sensitive data. "The elephant in the room is the need to protect data on multiple platforms at the same time to allow the technology to be exploited," he said.

Despite being generally "scared" of deploying mobile apps, Freshfields has recently enabled a remote time-recording app to allow lawyers to record their working hours more easily.

The company also started using enterprise social network Yammer two years ago in a pilot with 12 IT staff. The IT department was forced to prevent attachments as the user base grew rapidly to 56. Now a quarter of the firm uses the tool for sharing news, company knowledge and even mobile app recommendations.

While Domnick believes platforms such as Yammer allow employees to self-support devices to an extent, the proliferation of personal consumer devices will have an impact on support resources.

"At some point, the firm is expecting something like Apple's Genius Bar, perhaps in the form of video support," said Domnick.

But beyond the firm's spend on IT people, Domnick said his biggest spend is on security hardware, software and networks.

Educate staff about mobile security risks



Bryan Littlefair, global chief information security officer at Vodafone Group, said companies have a responsibility to educate employees about security risks to allow personal mobile devices to be supported.

But he believes there should be a shift to protect data rather than individual devices. "Security professionals need to accept being at the losing end of the argument and start rolling out enterprise mobility programmes," Littlefair said.



Tips for supporting mobile devices


Nicholas McQuire, research director for Europe in enterprise mobility at analyst IDC, gives four tips for moving towards supporting employee-owned mobile devices:

  1. Accept the notion of risk. When working with frameworks to allow employees to bring their own devices into the workplace, it comes down to managing risk. You need the right management tools to give visibility.
  2. Ask where the company wants to be in three years' time. What is driving the IT strategy? Mobile devices must fit into that.
  3. Analyse the user base and decide who should get what.
  4. Start small. As a starting point, look at user groups and target certain tasks and apps that are non-core to move to mobile devices.







1 comment

Shadow IT can cause more harm than the conventional corporate IT. We mustn’t ignore the fact that today’s employees are far more technologically advanced than they used to be. Sometimes when they face restrictions posed by the conventional IT managers, they tend to take IT matters into their own hands and operate outside the purview and control of corporate IT.