Turning the tide: how the public sector can win the battle against shadow IT

Written by Julian Cook on 2 June 2017 in Opinion

Tackling shadow IT should be an urgent priority for government in the wake of the WannaCry breach on the NHS, says Julian Cook.

Shadow IT practices show up deficiencies in existing information management  - Photo credit: Ole Spata/DPA/Press Association Images

Like many private sector businesses, organisations in the public sector are experiencing problems posed by the practice known as shadow IT.

This term denotes the use of IT systems and software inside organisations without explicit approval, which leaves those bodies vulnerable to security breaches.

With the recent NHS data breach in mind, cybersecurity issues are very much a current concern for the public sector.

According to a survey conducted by Vanson Bourne, shadow IT is rife in the public sector, with 33% of respondents saying that employees at their organisation regularly disregard corporate guidelines by using personal devices and file sync-and-share applications at work.

It is a widespread issue, and one that needs urgent action.

To combat shadow IT and reduce the risk of costly data breaches, public sector organisations need to seize the initiative across a number of fronts.

These include educating employees on the dangers, enforcing clearer IT usage policies and understanding the deficiencies in information management procedures that drive employees to shadow IT in the first place.

What is Shadow IT?

With many employees now accessing work resources on their own devices, and the availability of a plethora of software applications designed to make people more productive, unsanctioned IT practices are becoming increasingly commonplace.

Indeed, Vanson Bourne’s research revealed that 32% of public sector IT decision-makers stated that their employees used personal cloud services without the knowledge or approval of the IT department.

Inherent risk

The rapid rise of shadow IT is giving decision-makers major headaches, and the biggest concern for IT departments is the potential security threat that lurks.

The use of unauthorised devices and apps by employees often goes unnoticed and unmonitored and, as a result, many organisations are facing the negative consequences of these unsanctioned behaviours.

These risks range from a loss of control of documents, to data loss, non-compliance issues and information security breaches.

According to the survey, 31% of respondents had experienced at least one security breach in the past year due to unauthorised employee use of personal file sync-and-share solutions at work.

With the General Data Protection Regulation (GDPR) coming into force next year, and with it the danger of heavy fines for non-compliance, it is critical that organisations maintain control and visibility of their documents and information-handling practices.

Confronting the dangers

To combat Shadow IT, public sector organisations need to tackle the issues from several different angles.

The first area is one that can be addressed by IT departments almost immediately. IT decision-makers need to review their current policies on the use of personal devices and file sync-and-share apps (if a policy exists), and make any necessary changes so that usage of these devices and apps is strictly governed.

By implementing and regularly enforcing such a policy, IT departments can communicate to staff the impact of not adhering to these guidelines, and how this could negatively affect the organisation.

The second area involves understanding what drives employees to embrace unsanctioned practices in the first instance. Human beings are naturally inclined to gravitate towards the easiest way of getting their work done, and the use of personal devices and applications in the workplace is no different.

While it is difficult to pry employees away from devices and applications with which they are familiar, these practices point to the fact that the needs of employees are not being met by the IT solutions currently available to them.

In most cases, this is due to deficiencies in existing information management solutions and approaches, or to the fact that no such solutions are in place at all. This, in effect, is the root cause of Shadow IT.

One way to address this issue is for public sector organisations to look at how simple-to-use enterprise content management (ECM) solutions can make a difference.

ECM solutions allow organisations to intuitively store, archive and manage information based on what it is, rather than where it is stored.

This eliminates the need for traditional folder-based file structures, which are often a source of exasperation for employees looking to find, access and edit the correct documents.

By making this process much more straightforward, employees will be less inclined to turn to unsanctioned apps and practices in the pursuit of greater efficiency.

Turning the tide

Because IT solutions are often unfit for purpose, shadow IT has been allowed to creep into IT practices at public sector organisations.

The key to dealing with shadow IT is finding a way for information management processes to become as convenient as the solutions employees use in their personal lives.

If these challenges are tackled, the public sector stands a much better chance of avoiding another data breach like the one experienced by the NHS.

Julian Cook is vice president of UK business at supplier M-Files


Comments

Mr M Tackley (not verified)

Submitted on 21 June, 2017 - 08:20
Policy enforcement should be second on the list after staff engagement. IT policies are often diametrically opposed to user experience, so engaging the workforce to understand what they need to be effective in their roles should take precedence over a 'ban them all' approach. A more effective way to reduce the proliferation of shadow IT is for Finance Departments to strip all departmental IT and manage centrally through IT. This encourages better staff engagement and outcome-based, business case-led projects that address the needs of those staff directly.
