How To Perform A Shadow IT Audit
by Mark Adams, on 4 Aug 2015, 14:00:00
In a previous post, I discussed how shadow IT can make your company stronger—it encourages innovation, gives you access to valuable data, and lets you analyze your employees’ personal behavior.
I also said that the only way to benefit from that information is to identify what technology your employees are seeking, and work to make the right applications available to them.
In this post, I’m going to tell you how to do that—with a shadow IT audit.
Whether your company is large or small, there are things you can do to find out what technology your employees are using without your knowledge.
You could use IT tools to perform an audit, but a lot of the information you’d get would be related to what’s happening on your company’s firewall and web proxy.
If you want to know what’s happening on your employees’ endpoint devices (phones, tablets, and laptops that aren’t inside your firewall), you’ll need to implement a mobile device management system that will tell you what users are doing on their personal equipment.
Large enterprises can do this by assigning agents to each device and having those agents report back with information. Because large companies can have anywhere from 10,000-20,000 users, they usually have the money and technical resources to make this possible. But for small businesses, this wouldn’t be worth your time or money.
So you need to look at other ways of approaching an audit for shadow IT. Here are three ideas.
1. Look at the information you already have.
Believe it or not, you already have some of the information you need surrounding the applications your employees are using. To find it, look at what people are claiming on their expense reports. This will tell you what you’re paying for as a company, which will give you some valuable data around how much you’re spending on unsanctioned apps.
2. Ask people what they’re using.
Another seemingly obvious idea is to simply ask employees what they’re using and why. This could be done face-to-face, or through surveys or questionnaires. The thing you need to keep in mind with this approach is that you want to come across as being helpful, rather than intrusive or closed-minded—you don’t want employees to think you’re going to shut down their entrepreneurial activity.
If you’re going to perform a question-based shadow IT audit, try to make your questions as positive as possible:
- What applications help you do your job better?
- What applications on your devices do you find most useful?
- What applications are you using past the trial period?
3. Monitor help desk requests.
Monitoring the questions that come through your help desk or IT department can help you determine if employees are asking questions about unapproved applications or connections. Generally, questions about usability are worth taking a closer look at, because they’re common among people using unfamiliar (i.e., unapproved) applications.
The information you gather from these three steps will help you understand what apps your employees are using and why, allowing you to create a policy-driven ruleset and incorporate the right tools into your business.
Remember—it’s a two-tiered problem.
Shadow IT is a two-tiered problem: the apps you’re paying for, and the apps you aren’t. When you look at applications from this perspective, it will be easier to determine which apps are more detrimental. For example, you may not be paying for Dropbox, but it might be prevalent in your business for sharing files. Obviously the ones you pay for will be a more immediate concern.
That means you need to split the applications into different categories, the first being paid or free. Then you can break the categories down even further:
- Are they on a laptop or PC?
- Do they interact with your data or are they purely a communication tool?
- Can you attach or send files with them or not?
Categorizing the applications will help you determine which ones are serious concerns and which are less intrusive or less of a bother to your business.
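As an added illustration (not part of the original post), the sketch below merges findings from the three sources above into one inventory and sorts it by the paid/free tier and the categorization questions. The app names other than Dropbox, all sample values, and the ordering within each tier are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample findings from the three sources described in the post.
EXPENSES = [("ExampleBoards", 45.00), ("exampleboards ", 45.00)]  # expense claims
SURVEY = ["Dropbox", "ExampleBoards", "ExampleNotes"]             # survey answers
HELPDESK = ["ExampleChat", "Dropbox"]                             # help desk tickets
# Constructed answers to the categorization questions, keyed by lowercased name:
# (on a laptop or PC, interacts with your data, can attach or send files)
TRAITS = {
    "dropbox": (True, True, True),
    "exampleboards": (True, True, False),
    "examplenotes": (False, True, False),
    "examplechat": (True, False, True),
}

@dataclass
class App:
    name: str
    spend: float = 0.0
    sources: set = field(default_factory=set)

def build_inventory(expenses, survey, helpdesk):
    """Merge the three sources into one record per app, matching names case-insensitively."""
    apps = {}
    def record(name, source, amount=0.0):
        app = apps.setdefault(name.strip().lower(), App(name.strip()))
        app.sources.add(source)
        app.spend += amount
    for name, amount in expenses:
        record(name, "expenses", amount)
    for name in survey:
        record(name, "survey")
    for name in helpdesk:
        record(name, "helpdesk")
    return apps

def triage(apps, traits):
    """Order apps for review: paid tier first, then data access, then file transfer."""
    rows = []
    for key, app in apps.items():
        # Apps with no recorded answers get None and sort last within their tier.
        on_pc, touches_data, sends_files = traits.get(key, (None, None, None))
        rows.append({"name": app.name, "tier": "paid" if app.spend > 0 else "free",
                     "spend": app.spend, "on_pc": on_pc, "touches_data": touches_data,
                     "sends_files": sends_files, "sources": sorted(app.sources)})
    rows.sort(key=lambda r: (r["tier"] != "paid", not r["touches_data"],
                             not r["sends_files"], r["name"].lower()))
    return rows

if __name__ == "__main__":
    for row in triage(build_inventory(EXPENSES, SURVEY, HELPDESK), TRAITS):
        print(row)
```

An app reported by more than one source, such as Dropbox in the sample data, keeps a single row listing every source that mentioned it.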
Take the first step.
If you want to educate or change the behavior of your staff concerning shadow IT, the first step is to create awareness. Acknowledge the applications that are being used within your business, and identify which ones you are particularly unhappy with—then let your employees know about it. Once you’ve done that, you can follow up with a more formal audit.
If you’d like assistance performing a shadow IT audit, or if you need a better way to manage all of your company’s cloud applications, let us know—we’d love to help.