Key Points
- Shadow IT refers to the unauthorized use of IT systems for work purposes, which poses a security risk.
- MSPs should explain the risks of shadow IT to clients using plain, relatable, and accessible language to ensure a clear understanding.
- Communicate value with simple, actionable first steps. Then, explain the benefits of managing shadow IT practices to emphasize its importance.
Shadow IT occurs when employees use unauthorized applications or devices for work purposes. It may seem inconsequential, but it can introduce security threats, compliance issues, and cost inefficiencies. This article guides MSPs on how to communicate with clients about shadow IT.
What is shadow IT?
Shadow IT is the practice of using unauthorized IT systems in an organization. Left unaddressed, it can lead to serious security risks and productivity loss. Common examples of shadow IT include:
- Downloading or using unapproved software
- Sharing login credentials with unauthorized users
- Utilizing unapproved cloud services or SaaS subscriptions
- Using personal devices to access organizational files without approval
These behaviors can range from using unapproved software to accessing organizational files through personal devices.
Tips for explaining shadow IT
Shadow IT is easy to understand for IT professionals. However, for those unfamiliar with industry terms, it can be a complex concept. Knowing how to explain shadow IT and its impact using plain language makes it easier for them to understand the dangers of shadow IT. Here are some tips that can help MSPs explain the concept to various stakeholders:
1. Use everyday analogies
The easiest way to explain IT concepts in an accessible and relatable manner is to use analogies that non-industry members can understand. These analogies help demystify the term, making the concept of shadow IT less abstract.
One way to explain shadow IT to stakeholders is by comparing it to unlocked doors or secret storage lockers. You can say, “It’s like having extra doors into your office. No one is watching, and anyone could sneak in,” or “Imagine staff using a locker without telling you. You don’t know who has the key or what’s inside. It can put your sensitive files at risk.”
In both cases, the analogies use everyday items that non-IT professionals would immediately recognize. Additionally, the analogies easily show the risk or impact of shadow IT without being dependent on industry jargon.
2. Highlight risks using real-world terms and scenarios
Telling clients that shadow IT can be dangerous is one thing; getting them to care is another. This is why MSPs should explain how shadow IT risks affect a business using clear business language.
Here are some examples of how you can explain risks using business-related scenarios:
- The use of unsanctioned Dropbox accounts to store customer information can cause data leaks.
- Using unapproved tools can result in non-compliance, which may lead to fines.
- The IT team cannot back up or secure unapproved software and applications, especially when their use is undisclosed.
3. Explain why shadow IT happens
Once they understand shadow IT and its risks, clients often have follow-up questions. These questions usually include why it happens and what they should do now. Answering why it happens can be an insightful discussion, which allows you to manage shadow IT behaviors more effectively.
Reasons for the occurrence of shadow IT vary, but common causes include:
- The need for better (i.e., faster, simpler, or more efficient) tools
- Lack of approved IT solutions or slow approvals of IT-sanctioned software
- The need for specific features or functionalities lacking in approved software
Figuring out what caused shadow IT behaviors for a specific client may require looking at their IT management tools, infrastructure, and user needs and behavior.
4. Provide simple, actionable first steps
Managing shadow IT behavior is a process. Most organizations will need to continuously improve their IT asset management and processes to prevent shadow IT from occurring. As an MSP, providing actionable first steps gives you a baseline for your shadow IT management strategy.
Simple yet valuable initiatives include:
- Awareness surveys: Run quick anonymous polls that ask, “What apps do you use for work?”
- Approved alternatives: Replace Trello or Dropbox with sanctioned, supported tools.
- Clear reporting paths: Make it easy for staff to request new tools through your IT department.
5. Emphasize the benefits of managing shadow IT
Clients may be tempted to continue using shadow IT due to its perceived benefits. MSPs should explain that shadow IT tools can only provide short-term benefits.
Discuss how effective IT management can lessen shadow IT behavior and mitigate risks. Similar to how you discuss risks with clients, a good rule of thumb when talking about benefits is to relate them to the business’s specific needs. Examples include:
- Streamlined tools result in fewer apps that employees need to learn, which can lead to increased efficiency and productivity.
- Fewer shadow IT tools strengthen overall security.
- Eliminating duplicate SaaS spend helps clients control costs.
Integrating NinjaOne in your shadow IT behavior management strategy
NinjaOne Endpoint Management enables MSPs to gain full visibility into IT assets and networks, which helps teams identify unapproved apps and other shadow IT behaviors across the environment. In addition, MSPs can use the data from NinjaOne to strengthen their reports to various stakeholders, regardless of IT expertise.
Communicate shadow IT risks clearly to MSP clients
By using analogies, real-world examples, and approachable solutions, MSPs can explain shadow IT risks to clients without overwhelming them. Doing so builds trust, drives awareness, and lays the foundation for stronger governance.
