Identifying, preventing and mitigating the effects of shadow IT activities can add unplanned costs. Savvy CIOs understand the importance of proactively searching out unauthorized and rogue IT activities to maintain a smooth-running IT shop.
Not all shadow IT activity causes problems, but it has that potential. CIOs and IT leaders can identify a surprising number of costs, especially those associated with identifying the activity, mitigating it, and dealing with the employee fallout and business performance issues that can result.
Here are some potential costs of shadow IT.
Dealing with shadow IT employees. Companies may need to spend money, time and resources dealing with suspected shadow IT users.
Retaining legal expertise to address shadow IT-related personnel issues. Retaining legal counsel with expertise in IT operational litigation, for example, falls into this category.
Prosecuting employees. If company policy mandates termination because of a security issue, for example, a company may incur legal costs if the employee contests the termination.
Business and process issues
Addressing disrupted IT operations. Companies may need technology to identify shadow IT, along with resources to recover affected production systems.
Addressing mission-critical systems and processes. If shadow IT affects specific mission-critical systems, companies will need to remediate and relaunch those systems.
Dealing with lost productivity. Lost productivity costs could be significant, particularly if shadow IT disrupts IT operations. Once the IT team identifies lost productivity, reestablishing a "business as usual" state could be a resource- and cost-intensive process.
Hiring external tech expertise. Companies may require external support -- such as vendors and consultants -- if shadow IT causes significant disruption.
Addressing compliance irregularities. Regulated organizations or those that must comply with specific regulations, such as HIPAA, the Gramm-Leach-Bliley Act or the Sarbanes-Oxley Act, could face legal and financial penalties if shadow IT causes noncompliance.
Paying higher business insurance premiums. Claims associated with shadow IT activities may increase business insurance (e.g., liability, loss of assets) premiums.
Repairing reputational damage. Reputational damage is never easy to quantify in financial terms; organizations can address it by engaging companies that specialize in protecting and repairing the way the public and other stakeholders view the organization.
Technology and facilities operations
Buying specialized technology. Various systems are available that can identify and track suspicious IT activities in a firm's technology infrastructure. IT can source these through internet searches and in some cases through vendors, such as cloud service firms. Companies may also need additional software licenses, maintenance, patching and vendor technical staff as a result of shadow IT damages and efforts to deal with them.
Dismantling shadow IT activities. Once technology teams identify egregious shadow IT activities, they need to shut down the activity as soon as possible or, depending on company policy, move it into an operating environment securely firewalled from other IT production systems.
Reconfiguring disrupted or compromised network resources. Reconfiguring affected network routing and termination points can be costly and can include repairing or replacing servers, switches, routers, power systems and other assets.
Addressing data center infrastructure issues. Organizations with large data centers must proactively ensure the integrity of those centers. More critically, they must address disruptions to physical security systems as quickly as possible to prevent unauthorized access. Hiring vendors and consultants may also be part of this.
In addition to all of the costs mentioned above, shadow IT opens up vulnerabilities and increases the likelihood of ransomware costs and other information security issues.
About the author
Paul Kirvan is an independent consultant/IT auditor and technical writer, editor and educator with more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom/IT auditing and over 30 years of experience in technical writing/editing, technical training and public speaking.