In the first part of a two-part article (orig. planned as a single feature), Housing Technology asked Howell Technology Group and Infinity Group about housing providers’ use of shadow IT (i.e. the unsanctioned use of software/web services, usually without IT teams’ knowledge),and whether its’s a significant problem, an inconvenience or a great way of moving faster.
What is shadow IT?
Howell Technology Group’s operations director, Niall Quinn, said, “Shadow IT refers to the use of IT systems, software and applications without explicit approval from the organisation’s IT department.
“Shadow IT typically includes tools and solutions adopted by housing staff to increase their productivity or solve specific problems, but aren’t vetted or supported by the organisation’s official IT infrastructure.”
Is shadow IT a problem, an inconvenience or a great way of moving faster?
Infinity Group’s head of sales for housing, Sarah McRow, said, “The adoption of shadow IT is typically a consequence of having business systems that aren’t fit for purpose or aren’t connected to other systems.
“One of the ways we assess the state of a housing provider’s software ecosystem is to count how often the word ‘spreadsheet’ is used in any initial conversations; the more frequently it’s used, the higher the probability that formal systems aren’t delivering against the business’s needs.
“For example, one housing provider we worked with had no formal system to manage its planned maintenance so a spreadsheet was used to manage all of the works. Over time, the spreadsheet was used by more and more people and eventually became the most important ‘system’ in property services, to the extent that it was referred to as ‘The Mother’ by the entire team.”
HTG’s Quinn said, “Shadow IT can be a double-edged sword. On one hand, it can lead to significant security and compliance risks, making it a significant problem if unmanaged.
“On the other hand, it can be a great way of moving faster and fostering innovation because it allows employees to use the tools that they find most effective. The key lies in finding a balance and managing it effectively (i.e. the security vs. usability debate).”
What are the advantages of shadow IT?
Infinity’s McRow said, “In most instances, shadow IT isn’t as nefarious as the name suggests and is used with good intentions, whether that’s to deliver a better service to residents, to manage processes more efficiently or to communicate information to colleagues more effectively.”
Quinn said, “While it goes against all my cyber-security principles, there are advantages to shadow IT. Organisations may see increased agility and productivity because employees can quickly implement solutions tailored to their immediate needs, and it can foster innovation and lead to the discovery of more efficient tools and practices.
“I’ve seen some amazing PowerApps that help to gather unseen data (or data you were unaware of). Additionally, it can fill gaps in official IT infrastructures, providing functionalities that the sanctioned tools may lack.”
And what are the disadvantages of shadow IT?
Quinn said, “The obvious disadvantages include significant security risks because unsanctioned tools might not comply with the organisation’s security policies or, more importantly, legal compliance.
“Shadow IT can lead to data silos and inconsistencies, making data management and integration challenging. Shadow IT also complicates IT support and maintenance because the IT department may not be aware of all the tools being used, leading to conflicts and inefficiencies. For people involved in service management, I’m sure we all have the battle scars from support tickets for an application or system you didn’t even know existed but was apparently business-critical.”
How can housing providers mitigate the effects of shadow IT?
McRow said, “Understanding the extent of any shadow IT is the first step towards addressing the broader issues effecting the business. One housing provider used this approach to great effect when moving to a new housing management system.
“Before starting the project, the housing provider instigated a ‘spreadsheet amnesty’, where all staff were encouraged to hand over any spreadsheets that they used to manage their day-to-day work to the project team on a ‘no questions asked’ basis. The project team ended up with 200 spreadsheets; this led to greater clarity on what was actually needed from the new HMS.”
Quinn said, “First of all, you need to understand what is in your IT estate; once you know where you are, you can then plan for where you want to be. Use an RMM to compile an inventory of the apps installed on devices and use a cloud-scanning tool (e.g. Defender for Cloud) to understand what SaaS applications are being used or accessed. You won’t see everything but 80 per cent of something is better than 100 per cent of nothing.
“IT departments can mitigate the effects of shadow IT by fostering a culture of open communication and collaboration, such as implementing a flexible IT policy which allows for the evaluation and integration of new tools. Regularly educating staff about the risks of unsanctioned IT and providing them with safe, approved alternatives can also reduce the occurrence of shadow IT.
“Embracing shadow IT means acknowledging its benefits (I can imagine a sharp intake of breath from CISOs) and incorporating the most useful tools into the official IT infrastructure after proper vetting.”
Examples of good and bad shadow IT
Quinn said, “An example of ‘good’ shadow IT could be the use of a project management tool such as Trello by a team to enhance their workflow which, after evaluation, gets officially sanctioned by the IT department.
“Bad shadow IT might involve staff using unsecured file-sharing services that expose sensitive data to potential breaches and violate data protection regulations. Some questions I ask customers are: do you know where your data resides; do you know how your data is classified; and if an auditor came in tomorrow, could you articulate your data management processes and procedures?”
Housing Technology would like to thank Niall Quinn (Howell Technology Group) and Sarah McRow (Infinity Group) for their comments and editorial contributions to this article.
