While responding to emails at work one day, Jacob, a lab tech at a small biotech start-up, becomes frustrated with the email client his organization provides. He decides to install a different one on his computer. “It’s completely open source,” he reasons, “so it’s not like there’s any malicious code hidden inside. Other people have already checked it out.”
Days later, ransomware cripples the start-up by encrypting all its data and leaving an ominous message on every workstation connected to the intranet: unless the company pays a few hundred Bitcoin, all its data will be wiped.
The ensuing investigation traces the attack back to a flaw in a code library used in Jacob’s alternative email client. As it turns out, a sly contributor to the library’s codebase had slipped in malicious code, a backdoor that gave them access to any computer running that particular version of the library.
If this sounds familiar, it is because attacks through software libraries have happened before. In 2021, a vulnerability now known as Log4Shell was found in Log4j, a widely used Java logging library, allowing attackers to run “virtually any code they wanted on affected systems.” Log4Shell was an unintentional bug rather than deliberately planted code, but the lesson is the same: a library being open source and widely used does not mean anyone has actually checked it, and a single flawed dependency exposes every system that includes it.
Jacob’s use of the unapproved email client is what’s known as shadow IT. Shadow IT is, unfortunately, a common phenomenon, and it may even be happening in your lab—but addressing it effectively goes beyond technical safeguards.
What is shadow IT?
Shadow IT occurs when end users roll out their own software, hardware, or cloud services outside the purview of the organization’s IT department. While some organizations have bring-your-own-device policies, most mandate that employees use only the resources that are vetted and provided by the IT department.
The issue with shadow IT is that it often compromises the organization’s computer security, potentially leading to malware, data breaches, and other adverse consequences. While IT is not under your purview as a lab manager, unapproved software does fall under your watch. If someone on your team uses unapproved software or hardware that results in an incident, you may be held responsible.
How can shadow IT impact your lab?
Shadow IT is problematic because it can introduce vulnerabilities in an otherwise controlled environment, thereby putting the organization’s cybersecurity—and potentially sensitive information—at risk. In regulated environments, shadow IT can even lead to an organization being out of compliance if data is improperly handled within an unapproved application. In short, shadow IT is “subject to basic security blunders,” says Stefan Lüders, chief information security officer at CERN, in an interview with Lab Manager.
He explains that shadow IT diverts resources: instead of spending them on protecting the services IT already provides, IT must also secure the unapproved systems once they are uncovered. The alternative is for IT simply to shut those systems down, which leaves staff frustrated because they feel their needs are not being met.
Addressing shadow IT in your lab
Ultimately, shadow IT is a cultural problem as much as it is a technical problem. Users roll out rogue software and hardware when two conditions are met:
- They feel the officially endorsed products don’t meet their needs.
- They feel they will not gain approval to use their preferred application.
Now, the answer isn’t necessarily to have IT bring the hammer down on lab staff. That’s approaching the situation as a technical problem. Ultimately, you’ll need to approach this as a cultural problem:
- When you discover that staff are using unapproved software or devices, engage with them to find out why. Why are the official solutions insufficient? Sometimes, there may not be an approved program that addresses the user’s need at all. Other times, it may address the need but have a poor UX, instability, or another issue that sparks frustration.
- Once you understand the user’s needs and why current offerings don’t address them, you’ll need to build a business case to gain approval for them to use the alternative software. This case must demonstrate that the software will have a larger positive impact on productivity and morale than the existing option and is not prohibitively expensive.
- Present this business case to your organization’s director of IT or equivalent stakeholder. They will likely vet the program themselves to determine if the proposed solution aligns with the organization’s security policies. If it does, you may be able to secure formal approval to use that software.
It’s important to note that IT staff are your teammates, not your adversaries. They want you to have the tools you need to do the job to the best of your ability. At CERN, Lüders does his best to accommodate the underlying issues that lead to shadow IT. “We do try to detect shadow IT within CERN early, and [then] we either design the appropriate security measures for those IT systems, or—more ideally—identify the underlying need and (try to) cover that need with services [already provided].” Sometimes, Lüders continues, the need is absorbed by CERN’s IT department and results in a new IT service.
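One way to put Lüders’s early-detection point into practice is to compare what is actually installed on a workstation against the list of software IT has approved. The following is an added example, not code from this article or from CERN; the inventory lines, the approved-software list, the set of managed install sources, and the finding categories are all constructed for illustration. It flags three things a lab manager would want to know about: a program IT has never approved, an approved program at a version IT has not vetted, and an approved program installed through a channel IT does not manage, which is the quietest form of shadow IT because IT will not patch what it does not know it owns.

```python
from dataclasses import dataclass

# Constructed approved-software list: program name -> approved versions.
# None means any version of that program is acceptable.
APPROVED = {
    "thunderbird": {"115.8.0", "115.9.0"},
    "libreoffice": None,
    "python3": {"3.11.2"},
}

# Constructed set of install channels that IT manages (and therefore patches).
MANAGED_SOURCES = {"apt"}

# Constructed workstation inventory: name, version, install source, tab-separated,
# in the shape an endpoint agent or a package-manager export might produce.
SAMPLE_INVENTORY = """\
# name\tversion\tsource
thunderbird\t115.9.0\tapt
libreoffice\t7.4.7\tapt
python3\t3.11.2\tapt
birdmail\t2.3.1\tmanual
python3\t3.12.1\tpyenv
thunderbird\t115.8.0\tsnap
"""


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    source: str
    reason: str  # unapproved_software | unapproved_version | unmanaged_source


def parse_inventory(text):
    """Parse tab-separated inventory lines into (name, version, source) tuples.

    Blank lines and '#' comments are skipped; a malformed line raises so a
    truncated export is not silently treated as a clean workstation.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"inventory line {lineno}: expected name, version, source")
        name, version, source = fields
        entries.append((name.lower(), version, source.lower()))
    return entries


def audit(entries, approved=APPROVED, managed_sources=MANAGED_SOURCES):
    """Return one Finding per inventory entry IT has not sanctioned, in inventory order.

    Checks run from most to least severe so each entry gets a single reason:
    unknown program, then a version not on the approved list, then an approved
    program installed through a channel IT does not manage.
    """
    findings = []
    for name, version, source in entries:
        if name not in approved:
            reason = "unapproved_software"
        elif approved[name] is not None and version not in approved[name]:
            reason = "unapproved_version"
        elif source not in managed_sources:
            reason = "unmanaged_source"
        else:
            continue
        findings.append(Finding(name, version, source, reason))
    return findings


if __name__ == "__main__":
    for f in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{f.reason:20} {f.name} {f.version} (installed via {f.source})")
```

Run against the constructed inventory, the audit reports birdmail (never approved), python3 3.12.1 (approved program, unvetted version, installed via pyenv) and thunderbird 115.8.0 (approved version, but installed via snap rather than the managed channel). In a real deployment the inventory would come from the endpoint-management agent or the package manager’s own listing, and the findings would be the starting point for the conversation with the user described above, not an automatic removal.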
Shadow IT can cause friction between your lab and IT—but it doesn’t have to. By considering the needs of all stakeholders and acting as a liaison between your lab and IT, you can often arrive at a solution that satisfies all involved.