Although shadow IT (any IT resource used by employees or end users without the IT department’s approval or oversight) practices come with a laundry list of risks, people often insist on using them. In this edition of Tip Tuesday, we’ll look at how open communication channels are a practical counter to enforce compliance and help you maintain security and a positive relationship.
How should I approach my clients about shadow IT?
Engaging with your clients is paramount when it comes to shadow IT. After all, those unauthorized tools increase an organization’s attack surface and make them more vulnerable to threats. If you don’t prioritize this conversation with them, you’ll have a lot more work to do later on, and they’ll have more security concerns.
Of course, many of these risks also extend to your department. For one, your client’s excessive use of unauthorized hardware, software, or cloud services could lead to redundancies and noncompliance — meaning you pay more for services and breached license agreement fees. Shadow IT is responsible for up to 40 percent of departmental expenses on average.
It’s also important to remember how shadow IT can impact your regulatory compliance and information security. You could be wholly unprepared for a cybersecurity incident if your client engages in risky behaviors without your knowledge. Although it’s not a pleasant thought, it reinforces how vital a sit-down discussion is.
Why do my clients insist on using shadow IT?
As a managed service provider (MSP), it might be challenging to grasp why your clients use high-risk shadow IT practices. After all, it leads to more vulnerability for them and results in a much larger workload for you. Still, you must understand their stance if you want to make any progress.
Sometimes, your clients use shadow IT tools simply because you haven’t approved the specific software they want. Other times, it’s because there are too many for them to remember. Companies use an average of 110 separate SaaS applications — it might just be challenging for them to keep track of what you’ve authorized.
If you need help understanding your client’s viewpoints, put yourself in their shoes. Imagine if you were on a tight schedule and had to pause everything to verify your identity multiple times a day, you’d probably start to feel frustrated. Although this specific scenario is technically fictional, real people experience similar situations every day. In fact, one in six people use shadow IT practices purely because they think it speeds up their tasks.
Realistically, there’s a high likelihood your clients use shadow IT tools to streamline their workday. Even if they know the risks, they might rationalize their behavior because it makes their job easier. Although this knowledge may feel frustrating to you — considering how unsafe this attitude is — it’s invaluable.
How can I establish open communication channels?
Open communication with your clients might be challenging at first. After all, few people like to hear they’re breaking the rules and putting their company at risk. Be thoughtful of your language to make the initial confrontation more seamless. Above all else, it’s crucial to show empathy and understanding.
First, discuss why they feel using shadow IT practices is necessary. Whether they claim it’s because of the speed of your response time, or it helps them work faster, remember to be receptive. Although their statement can feel like an insult, you should view it as an opportunity to identify gaps and address their concerns.
Open discussions are ongoing. You need continuous contact to solve the root issue. Beyond your initial conversation with your client, consider restructuring your authorization process. Giving them a channel to communicate and request tool approval could make your job easier. At the very least, it helps minimize redundancies.
Can communication help minimize shadow IT risks?
Open communication between you and your clients will greatly help identify and mitigate shadow IT risks. For starters, it educates them on how dangerous their behavior is. They’ll be more likely to use approved tools exclusively if they know the true extent of the potential consequences.
Moreover, you can approach your discussion strategically if you know exactly why your clients use shadow IT practices. Insider knowledge can help you draft relevant questions and actionable solutions in advance.
Ongoing open communication makes it easier to identify future risks. After all, your clients will be more likely to use the right tools exclusively if you give them a way to ask for approval. Even if you deny their request, you’ll get insight into what shadow IT practices they might use. At the very least, you’ll better understand potential security gaps.
Truthfully, even small changes can be a big win for you. For example, getting your clients to use preapproved file-sharing applications instead of their personal ones automatically reduces the chance of information leakage and breaches significantly. Considering data compromises impacted over 400 million people in 2022, any amount of mitigation is ideal.
The final word: Open communication is crucial
Although you could probably list countless reasons why your clients shouldn’t use shadow IT practices, you’ll be much better off approaching the discussion level-headed and with an open mind. Putting yourself in the other person’s position before making approval decisions is essential. No matter how you establish communication channels, appearing trustworthy and open is important. You’ll have better success if you seem open to compromise.
Did you enjoy this month’s Tip Tuesday? Check out the others here.
Photo: AnastasiaPash / Shutterstock
This post originally appeared on Smarter MSP.