How to avoid shadow IT when your communication tools fail
Reading time: 5 minutes
When the primary communication platform fails, staff often resort to personal accounts and improvised workarounds – so-called ‘shadow IT’. This ill-considered pragmatism poses risks to your organisation’s security and reputation. In our article, you will learn what the practical dangers of shadow IT are and why reliable emergency communication is a fundamental prerequisite for business continuity and reputation.
Damage to reputation: The most lasting effect is felt by the recipient
In a crisis situation, the recipients of the communication suffer damage that is often overlooked in the heat of the moment. It is worth shifting perspective: a business partner receives a message from an unknown private email address, accompanied by a request to return confidential contract documents to that very address.
How is he supposed to assess its authenticity? What will they make of this strategy? And what consequences will this have for the future business relationship? At best, the process appears disorganised and unprofessional. At worst, it resembles the very type of fraud that their own IT department regularly warns them about.
Every message improvised in this way conveys an unspoken message: this company does not have its processes under control. And this, of all times, during a crisis – precisely when customers, partners and authorities are scrutinising matters particularly closely and reliability is of the utmost importance. Trust that has been built up over many years suffers measurable damage at such moments.
Communicating confidently despite a system failure
A system failure scenario can also be approached differently: The primary communication tool has also failed, but staff communicate via a familiar and recognisable business address using their own company domain.
The key element is the use of a standardised, organisation-wide communication platform and the company’s own domain. A company’s own domain can be technically verified, it forms part of the brand and acts as an anchor of trust in external communications. Those who continue to communicate under their own name during an outage do not merely appear professional in spite of the crisis, but are all the more convincing precisely because of their confident handling of it.
How to recognise a reliable emergency solution
A prerequisite for communicating without losing trust in an emergency is a secondary communication platform that can be deployed immediately. Three characteristics determine whether such a solution will hold up in an emergency or whether it itself becomes a risk:
1. Complete independence from the primary infrastructure
An emergency solution operated on the same infrastructure or by the same provider as the primary IT system is highly likely to fail alongside it in an emergency. A ‘backup mailbox’ as an additional tenant within the same system does not provide a robust solution.
True independence means separate infrastructure and an independent operator. The secondary communication platform must not depend on the very system whose failure it is intended to compensate for. Only this consistent separation creates a resilient fallback option and thus a viable component of Business Continuity Management (BCM).
Business Continuity Plan in accordance with BSI Standard 200-4
2. Verified reliability in information security and data protection
In an incident, an emergency platform processes the most sensitive data of all, such as ongoing customer communications, contracts or internal coordination under time pressure. It would be negligent, in this context of all things, to rely on a solution whose security level is merely claimed.
Verified reliability therefore means: confirmed by independent third parties, not merely assured by the provider. Recognised evidence such as the BSI C5 certificate or ISO 27001 certification demonstrates that information security is implemented in accordance with defined standards and is subject to external audits. In data protection, what counts is demonstrable GDPR compliance, including transparent statements about where and under which legislation data is processed.
This aspect not only provides technical protection but also delivers evidence that you can present to customers and partners. In the wake of NIS-2, robust security evidence is increasingly being demanded throughout the supply chain, even by companies that are not themselves subject to their national NIS-2 Implementation Acts. Verified reliability and business continuity are thus becoming a competitive advantage.
3. Digital sovereignty as a strategic prerequisite
An emergency solution should reduce dependencies, not create new ones. Anyone who, in an emergency, switches to a platform subject to a foreign jurisdiction – where data flows remain opaque or the terms of use can change at any time – is merely replacing one risk with another.
Digital sovereignty means retaining control over one’s own communications. Essential to digital sovereignty are hosting exclusively in Germany or the EU, data processing verifiably in accordance with European law only, open standards rather than vendor lock-in, and an operator that refrains from advertising, tracking and the monetisation of data.
Particularly when, during a crisis, so much lies beyond one’s own control, at least the emergency channel must remain entirely in one’s own hands. In the current debate on technological independence, digital sovereignty has long since become a strategic criterion.
Conclusion: Proactive planning means professionalism and resilience
Resorting to shadow IT is, in principle, an understandable response in emergency situations. So offer your staff a better, reputable, secure and reliable alternative.
Those who have a contingency communication plan in place protect two things at once: data and reputation. Reliability and composure in a crisis are the result of thorough preparation. And this becomes immediately apparent at the crucial moment: in every message that remains professional and trustworthy even if the primary platform fails.
How can your business remain operational in an emergency?