Published Date: November 17, 2022
In information technology (IT), shadow IT is the use of software, applications, hardware devices and other resources that are not specifically approved by an organization’s IT department. Shadow IT often consists of cloud-based, software-as-a-service (SaaS) applications that end users install and use on their own initiative. Shadow IT also includes employee use of their own devices such as personal laptops, tablets and smartphones.
While a growing issue for decades, the prevalence of shadow IT has grown significantly during the COVID-19 pandemic, as many employees suddenly found themselves working remotely and were expected to remain productive without necessarily having access to all the hardware and software issued to them by their organizations. The isolation of working from home also encouraged the use of messaging applications and video conferencing software, often before those applications had been approved by IT departments.
One of the biggest factors driving shadow IT is the need for parity between personal and professional IT experiences. Shadow IT is not only proliferated by the desire to have the most efficient and effective tools available, but also by a feeling among employees that they should be able to select and have control over the tools they need to do their jobs, with the ability to collaborate in real time and work across devices. It’s also not uncommon in large companies for individual teams and departments to seek IT solutions that are different from the ones made available by the organization.
This phenomenon is far more common than many IT leaders realize. According to a 2019 study from Everest Group, half of the IT budget in an average organization is spent on shadow IT resources; in other words, leadership has no visibility into 50 percent of IT spend and IT teams have no direct control over a significant portion of the tools employees use.
In this article we’ll provide an overview of shadow IT, why employees choose it, the challenges it creates for organizations and how to manage those challenges.
How does shadow IT work?
In a typical IT environment, employees only use approved devices and applications, connect to company networks and resources using secure protocols and follow required security procedures including the use of virtual private networks (VPNs).
In a shadow IT environment, employees may supplement their use of official hardware, software and applications with open source or freeware they’ve found themselves or gotten from other employees. They may also use their own devices like personal laptops and smartphones to do their work.
One of the primary reasons employees turn to shadow IT is that they want a sense of ownership over their computing environment and want to feel they are selecting the applications that work best for them. A study conducted by Osterman Research and reported in Security magazine found that the vast majority of enterprise employees (92%) say they want “full control” over the software applications they use for work, and more than half (51%) say they use their applications of choice even when those applications are specifically prohibited by their company. Many respondents viewed the IT department as an obstacle, with 52% saying they want the IT department to “get out of their way.”
What are the most common shadow IT applications?
There are hundreds of examples of shadow IT, since any application or personal device that an employee uses for work without the permission of the IT department can be considered shadow IT.
- An organization may use a server-based email platform, but users have learned how to use web-based email as their email interface.
- In organizations that don’t have modern shared workspace solutions, applications (e.g., Google Docs) are often used for document collaboration and sharing without official approval.
- File storage and sharing applications like Google Drive, Dropbox and Box are often more convenient than company-approved servers.
- The instant messaging platform Slack often finds a shadow IT foothold in organizations, where its use is driven by employee choice before it becomes an officially recognized application.
- Employees rely on the use of personal USB flash drives to quickly and easily store and transfer work-related data.
- Productivity, to-do list and project management apps like Trello and Asana are often adopted before they have been approved, either for individual or team use.
- Employees may use messaging apps like WhatsApp that provide more functionality than basic text messaging.
- Calendar and scheduling apps that connect to the organization’s servers and provide additional functionality beyond the official calendar app are considered shadow IT.
- Communication tools such as Skype and Google Meet provide quick and easy ways to chat without having to go through an organization’s dedicated communication infrastructure.
- Use of personal laptops, tablets and smartphones (the phenomenon of BYOD, or “bring your own device”) also constitutes shadow IT, especially when those devices are used for work purposes without following company protocols.

Common shadow IT applications include email, file storage, file sharing and messaging.
What is shadow data?
There are a variety of definitions around “shadow data,” including dark data. The simplest definition, however, is any data that is created as a result of using shadow IT applications. Some examples include:
- Databases created in Google Sheets that are kept separate from the organization’s larger data stores.
- File stores maintained on third-party storage and sharing sites.
- Email exchanges conducted outside of official email channels.
- Text message exchanges conducted on unofficial applications.
- Any information exchanged on a non-official channel that may be subject to regulation.
Shadow data is a challenge for IT teams as well as the organization as a whole because it can’t be found and identified. It also may contain business-critical information that is not available to the organization, opening the door to regulatory compliance violations.
How does shadow IT relate to cloud computing?
The rise of shadow IT is closely related to the rise of cloud computing because the majority of shadow IT applications are cloud applications. The public cloud and software-as-a-service (SaaS) applications have made the distribution of software into a near-instantaneous activity. New and innovative applications are usually launched in the cloud, often replacing installed applications.
Cloud computing is not responsible for the rise in shadow IT, but the most common applications on the shadow IT list are overwhelmingly cloud services. Because of their ease of use and quick implementation, employees are also more likely to try cloud-based applications, which makes cloud security all the more important.
What are the benefits of shadow IT and why do people use it?
Employees usually turn to shadow IT because they have an IT need and the tool isn’t available from their organization; getting the need met would take too long or cost too much; or they would be prohibited from using the tool they want. While shadow IT comes with a set of risks, allowing employees or teams to select their own software has potential benefits to the user, including:
Speed: No matter how responsive an organization’s IT department is, the process of proposing, vetting, selecting, approving and implementing a new software or hardware tool takes time. If a shadow version is available, an employee can often be up and running in not much more time than it takes to download the application.
Flexibility: To stay competitive, organizations need to be agile and able to adapt their tools and processes to keep pace with rapidly changing business needs and industry trends. This includes the ability to pivot quickly and use tools that are intuitive, user-friendly and less complex.
Reduced cost: Often organizations will select enterprise-grade applications, despite inherent cost, because they meet certain selection criteria, which could include security features and scalability. Even when an enterprise-grade solution is available for employees, associated costs will likely be charged to the associated department, making a free solution appear more attractive.
Efficiency: Large organizations may have distribution hubs where employees can download approved software, but for employees in many organizations, the process of installing and getting licenses for even approved software can make the efficiency of self-service shadow IT solutions more appealing.
User experience: Employees are often drawn to shadow IT solutions that have a more engaging UX, even if the software and cloud services don’t fully meet organizational requirements. Free drag-and-drop file sharing applications like Dropbox and Box were some of the most common early instances of shadow IT, as people found that they were easier to use than approved company file transfer protocol (FTP) software. Gmail, the instant messaging platform Slack and the video conferencing tool Zoom were often adopted unofficially first and then eventually became approved due to user demand.
BYOD: Shadow IT extends beyond software to the phenomenon of “bring your own device” (BYOD), where employees use their own computers, tablets, smartphones, storage and other personal devices for work. Larger organizations will usually allow employees to use their own devices if they follow company policies, but it’s not uncommon for employees to use those same devices for creating, sharing and storing business-critical information as well as connecting to the company network without appropriate safeguards.
Why is shadow IT a problem for enterprises?
Shadow IT creates significant problems for organizations, from pockets of inefficiency to wasted money to increased security vulnerabilities. Here are the main challenges.
Compliance: Many federal and state laws as well as business protocols require that organizations be able to adhere to compliance regulations such as PCI, GDPR and others. But when organizations use a variety of tools, solutions and practices — leading to data held in multiple applications and locations — it becomes nearly impossible to provide an audit trail, running the risk of noncompliance.
Security risks: Shadow IT creates significant cybersecurity risks that can compromise security posture, which we’ll explore in more detail.
Duplicate effort and cost: Shadow IT leads to wasted time, money and effort by spending money on software to fulfill needs that can already be met by existing solutions. And while the time and effort non-IT employees spend installing and maintaining shadow IT applications may not be much on a per-person basis, it does add up.
Inconsistency: Regardless of what type of program you consider, whether a spreadsheet or email front end, there are consistencies enabled by the use of one approved solution — which are often lost when differing or disparate applications are used. Errors that arise from lack of consistency and context can often go undetected and even propagate, making them harder to correct down the line.
Inefficiency: Individuals and teams going against IT policy to use their own solutions often leads to inefficiencies, generally because it’s still necessary to use the official applications and IT systems from time to time. Employees find themselves using both the shadow IT solution and the approved solution, often transferring information from one to the other.
Opportunity cost of data: Data is often considered an organization’s most valuable asset, especially in the ability to power business decisions when using an advanced business analytics solution or data platform. If data from multiple sources is spread across multiple systems, then the opportunity to aggregate that data and gain insight from it is lost.
What are some cybersecurity risks of shadow IT?

Shadow IT increases risks for organizations by further expanding the network’s attack surface.
Increased attack surface: By their very nature, cloud-based applications — which make up the majority of shadow IT instances — are outside of an organization's firewall and are not protected by the security protocols established and enforced by the IT department. When employees use unsanctioned SaaS applications, not only are they exposing sensitive data and processes to data loss, data breaches and other potential threats, they are significantly increasing the areas where cyber attackers can find access into your organization's networks.
Not governed by policies and procedures: Shadow IT applications are not governed by your organization's policies and procedures and are thus subject to lack of visibility and other challenges. For example, your corporate IT department likely requires you to change your password on a regular basis and comply with password rules. Shadow IT applications may have password guidelines, but are unlikely to have the same stringent rules enforced by an organization.
Insecure data transfer and storage: Shadow IT applications likely do not have the same level of data encryption and authentication that enterprise applications do, making their data more vulnerable to theft. Furthermore, employees who create a shadow IT instance may leave the organization, crippling workflows and stranding data in the software that other employees cannot access.
What steps can you take to protect yourself from shadow IT risks?
Most IT experts agree that no matter what steps organizations take, there will always be some instances of shadow IT. Therefore, the most prudent path is to concentrate on mitigating risks while educating employees about them. That being said, there are ways to detect unapproved software on a company network.
Listen to your employees: While it may never be practical to let every employee choose their mix of applications, the IT organization should pay attention to employee needs, try to stay ahead of them and take requests for new software seriously. Identifying the major areas of employee dissatisfaction and responding with new solutions can go a long way toward relieving employee frustrations.
Establish and communicate security policies: It’s not enough to include IT security and cloud security policies in the employee handbook (and many regulatory bodies require more active efforts at compliance). The IT department should establish understandable and realistic security policies that take shadow IT into account and communicate those regularly, while at the same time being responsive to employee feedback. The consequences of data leaks and lack of compliance should also be clearly communicated to every employee.
Use shadow IT detection technology: Technology is available to help you detect shadow IT activity in your organization. Anomalous network activity (traffic to and from new IP addresses or significant increases in traffic volume) can be a sign of shadow IT use. IT departments can also use tools that monitor software downloads and installations, as well as data and workload migrations, which could indicate a user transferring information to a non-approved SaaS solution.
Firewalls: By keeping firewalls current for both inbound and outbound traffic, the IT department can identify anomalous traffic that could indicate use of shadow IT.
Security software: Your security software may also be able to identify anomalous and other suspicious activity that could be a sign of shadow IT.
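The detection approach described above (unsanctioned destinations plus unusual outbound volume) can be prototyped against proxy or egress logs. The following is an added example, not code from the article or from Splunk; the log format, the approved-host allowlist and the bulk-transfer threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample egress/proxy log lines (not real data):
# timestamp user source_ip destination_host bytes_out
SAMPLE_LOGS = """\
2022-11-14T09:02:11Z alice 10.0.1.15 mail.corp.example 1200
2022-11-14T09:05:40Z alice 10.0.1.15 drive.google.com 5800000
2022-11-14T09:07:02Z bob 10.0.1.22 trello.com 48000
2022-11-14T09:09:30Z carol 10.0.1.31 mail.corp.example 900
2022-11-14T09:12:55Z bob 10.0.1.22 mail.corp.example 2100
2022-11-14T09:15:10Z alice 10.0.1.15 dropbox.com 310000000
"""

# Hypothetical allowlist of sanctioned services; in practice this comes from
# the organization's SaaS inventory or CMDB, not a hard-coded set.
APPROVED_HOSTS = {"mail.corp.example", "sharepoint.corp.example"}

# Hypothetical per-user/host outbound byte threshold above which traffic to an
# unsanctioned host is flagged as a possible bulk data transfer.
BULK_UPLOAD_BYTES = 100_000_000

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def parse_logs(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "bytes": int(m["bytes"])})
    return events


def find_shadow_it(events, approved=APPROVED_HOSTS, bulk=BULK_UPLOAD_BYTES):
    """Return (unsanctioned host -> sorted users, bulk-transfer (user, host) pairs)."""
    unsanctioned = defaultdict(set)   # host -> users seen talking to it
    uploaded = defaultdict(int)       # (user, host) -> total bytes out
    for ev in events:
        if ev["host"] in approved:
            continue                  # sanctioned service, nothing to report
        unsanctioned[ev["host"]].add(ev["user"])
        uploaded[(ev["user"], ev["host"])] += ev["bytes"]
    alerts = sorted(k for k, v in uploaded.items() if v >= bulk)
    return {h: sorted(u) for h, u in unsanctioned.items()}, alerts


if __name__ == "__main__":
    hosts, alerts = find_shadow_it(parse_logs(SAMPLE_LOGS))
    print("unsanctioned hosts:", hosts)
    print("bulk transfers:", alerts)
```

The host inventory it produces is the starting point for the conversation with employees the article recommends, while the bulk-transfer alerts are the ones worth routing to the security team.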
Update BYOD policies: With more and more employees using personal equipment and smartphones for work, it’s extremely important to make sure your BYOD policies are current.
Because employees can install software in seconds with the click of a single button, IT departments will never be able to prevent shadow IT completely. Therefore it becomes necessary to understand why employees choose it and subsequently, manage it effectively. The fact that many employees see the IT department as an impediment to progress is a manageable challenge. Your IT team should do what it can to make itself an ally to employees, helping them understand existing policies while at the same time creating a path to new, more effective and more engaging applications. If all else fails, technology solutions are available to help your team identify instances of shadow IT and mitigate the risks before they become issues. There is no doubt that shadow IT is here to stay. The challenge lies in how IT departments respond to that reality to help their employees be more productive and empowered.