‘Shadow IT’ refers to the unsanctioned use of software, hardware, or other systems and services within an organization, often without the knowledge of that organization’s information technology (IT) department. Unlike standard IT infrastructure, shadow IT is not internally managed by an organization.
Shadow IT may enter an organization in different ways, but typically occurs through one of two actions:
Using an unapproved tool to access, store, or share corporate data. For instance, if an organization has exclusively approved Google Workspace for file sharing, an employee might introduce shadow IT to the company by choosing to share files via Microsoft 365.
Accessing an approved tool in an unauthorized manner. To continue the example, if an IT department has approved the use of Google Workspace through corporate-managed accounts, an employee can introduce shadow IT to the company by choosing to access Google Workspace through an unmanaged personal account instead.
Whether the adoption of shadow IT is intentional or not, it creates serious security concerns and costs. It increases the risk of data breaches, theft, and other cyber attacks, while preventing IT teams from taking crucial steps to minimize the damage those may cause.
Why do users adopt shadow IT?
Given the myriad security risks shadow IT presents, it may seem surprising that employees choose to bypass IT approval when adopting new tools. Their reasons for doing so may include the following:
Employees are unaware of the security risks inherent to shadow IT. Employees may not be deliberately trying to circumvent the controls their IT department has put in place, but simply do not know that their actions can compromise sensitive corporate data and increase the risk of data breaches and attacks.
Employees are more focused on the benefits of using unsanctioned tools. The best tools for the job may not be ones that have been explicitly approved by an organization’s IT department. This often drives employees to adopt additional services that help them meet a specific business need, gain a competitive advantage in their market, or collaborate more efficiently.
Employees are using unapproved tools to carry out malicious activities. Most shadow IT is not adopted for malicious purposes; however, some employees may choose to adopt unsanctioned applications and tools in order to steal data, access confidential information, or introduce other risks to the organization.
What are the risks of shadow IT?
While shadow IT may make some employees’ jobs easier, its drawbacks far outweigh its benefits. If IT teams cannot track how tools and services are used across their organization, they may be unaware of the extent to which shadow IT has pervaded it — and have no idea how corporate data is being accessed, stored, and transferred.
The usage of shadow IT also causes IT teams to lose control over data management and movement. When employees implement unapproved services or work within approved services via unapproved methods, they may be able to view and move sensitive data without appropriate oversight from the IT department. As a result of this lack of visibility and control, shadow IT may create additional risks, including the following:
Sensitive data may be compromised or stolen. Attackers can exploit configuration errors and vulnerabilities within cloud-hosted services, opening the door to data breaches and other cyber attacks. These attacks may be carried out without the knowledge of an IT department, especially when they target unsanctioned (and possibly unsecured) applications and tools. And remediating these attacks can be costly: in a 2020 study, IBM estimated that data breaches caused by cloud misconfigurations cost an average of $4.41 million.
Organizations may unknowingly violate data compliance laws. For organizations that need to comply with data protection regulations (e.g. the GDPR), it is imperative that they have the ability to track and control how data is processed and shared. When employees use unauthorized tools to handle sensitive data, they may inadvertently put their organization at risk of violating these laws, which can result in steep penalties and fines.
How can organizations detect and remedy shadow IT?
There are several steps an IT team can take to minimize the effects of shadow IT within their organization:
Implement shadow IT detection. Using a shadow IT discovery tool can help IT teams discover, track, and analyze all of the systems and services — both those that are approved and unapproved — that employees are currently using. Then, IT teams can create policies to allow, restrict, or block the usage of those tools as needed.
Improve risk management training for employees. Employees may not be aware of the security risks of shadow IT. Training users on best practices — not using personal email to access corporate resources, disclosing the use of any unsanctioned hardware and software, reporting data breaches, and so on — can help avoid the likelihood of data compromise or theft.
Communicate with employees about the tools they need. Employees often know what tools work best for their job, but may not feel comfortable asking for explicit approval from the IT department due to budget constraints or other concerns. Initiating those conversations and implementing a ‘no-blame’ culture (for those who may have already adopted shadow IT) can help foster a more open and safe work environment.
What is a shadow IT policy?
A shadow IT policy helps establish protocols for the adoption, approval, and management of new hardware and software within an organization. IT departments create these policies and may adapt them according to evolving security risks and the needs of the company.
Shadow IT policies are one of several necessary steps for controlling and managing systems and services within an organization, while avoiding the introduction of any unsanctioned tools. However, many organizations still have not standardized shadow IT policies; in a survey of 1,000 US IT professionals, Entrust found that 37% of respondents said their organizations lacked clear consequences for using shadow IT.