While relatively harmless at first sight, shadow IT causes major risks for companies. In 2022, nearly 7 out of 10 organizations experienced a security incident due to employees using unsanctioned hardware or software.
In addition to security concerns, shadow IT is also among the leading causes of app sprawl, operational inefficiencies, and compliance violations.
This article explains the dangers of shadow IT and its potentially devastating effects on security postures and bottom lines. We'll take you through all you need to know about this widespread problem and present the most effective ways of keeping shadow IT at a minimum.
What Is Shadow IT?
Shadow IT refers to any unauthorized device, IT service, or app employees use without the knowledge of the company's security department. When the security team is unaware of a certain application or piece of hardware, the organization cannot support the tech or ensure that it's secure.
Employees typically turn to shadow IT because of convenience or when an app offers better functionality than what the company approved for using. While convenient for employees, shadow IT poses several considerable risks for an organization, including:
- Security vulnerabilities (misconfigurations, accounts with easy-to-crack passwords, malware-infected devices, etc.).
- Compliance violations (e.g., someone keeping sensitive customer data in a personal Dropbox account).
- Inefficiencies within the organization (e.g., teams using different tools to accomplish the same task or unoptimized apps using up too much network bandwidth).
Here are a few statistics that show just how prevalent shadow IT is:
- Over 80% of employees regularly rely on some form of shadow IT.
- Over 50% of workers use at least one unauthorized app.
- Almost 81% of IT leaders believe employees introduced rogue cloud assets into the environment.
- An average company uses around 1,220 cloud services. Only 7% of them completely comply with security and compliance requirements.
- Over 35% of employees feel like they must work around security measures or protocols to perform their duties effectively.
- Almost 63% of employees regularly send work-related documents to personal emails.
- Around 32% of workers use unapproved communication and collaboration tools.
There are a few reasons why shadow IT got out of control in recent years:
- The rise of remote work due to COVID-19 restrictions.
- On-demand cloud services that enable anyone with limited technical know-how to deploy advanced systems and platforms.
- The increased popularity of DevOps principles that encourage teams to work as quickly as possible.
- More reliance on Bring Your Own Device (BYOD) hardware.
Learn how to implement an effective BYOD policy that keeps business assets safe without overly disrupting your team's day-to-day tasks.
Examples of Shadow IT
Below are some of the most common examples of shadow IT:
- Using personal devices (smartphones, tablets, laptops, etc.) to access company data or services without explicit IT department approval.
- Installing unsanctioned software without the approval of the company, such as third-party tools or social media platforms.
- Creating cloud workloads using personal accounts.
- Setting up rogue servers or networking infrastructure to support work.
- Using personal storage devices (such as USBs or portable hard drives) to store and share company data.
- Sharing company data or collaborating with colleagues via social media profiles.
- Accessing corporate data or the back end of a website from a BYOD device on a home network or public Wi-Fi.
- Secretly deploying a rogue cloud environment for testing purposes.
- Using SaaS apps (file-sharing services, collaboration tools, project management software, etc.) without the approval of the InfoSec team.
- Using unauthorized instant messaging or chat apps to communicate with coworkers, clients, or vendors (e.g., chatting on Viber when the company requires all communication to go through Skype).
- Creating self-developed Excel spreadsheets and using them to store and share company data.
- Connecting IoT devices (such as smart speakers or watches) to the corporate network without the knowledge of the security department.
- Sharing work files on a personal Dropbox account or sending data to a private email.
- Opening a secret Slack channel despite the company wanting its workforce to use Microsoft Teams.
- Logging into both personal and business accounts in the same app and using both profiles to manage company assets.
- Secretly using unsanctioned workflow or productivity apps (such as Trello or Asana).
- Using business devices for online gaming.
While they take on many forms, all examples of shadow IT introduce the same problem—they create new attack vectors outside the view of the security team.
What Are the Cons of Shadow IT?
The use of shadow IT rarely has malicious intent, but the practice often leads to severe consequences, including:
- Security gaps: Security staff cannot secure systems and apps they do not know exist. Introducing rogue hardware and software creates vulnerabilities malicious actors could exploit for several types of cyberattacks.
- Data exposure: Employees store, share, and access sensitive data via insecure shadow IT devices and apps, increasing the attack surface for data breaches.
- Lack of standardization: You increase the chance of incompatibilities whenever teams use different tools and systems to accomplish the same tasks. There's also the increased risk of teams working with unofficial, invalid, or outdated data.
- Data leaks: Employees sharing corporate data on unauthorized apps or private devices often leads to data leakage (accidental release of data to an unauthorized recipient).
- Higher costs: Shadow assets often increase IT costs by causing unexpected expenses and budget overruns. For example, a personal cloud storage someone scales to serve enterprise-level needs is far less cost-effective than services intended for corporate usage.
- Compliance risks: Teams could secretly use technologies or data storage that do not comply with regulatory requirements (such as those imposed by GDPR or HIPAA). Even if employees do so without the company's consent, organizations are still liable for violation fines.
- App sprawl: Shadow IT is a leading cause of app sprawl (excessive proliferation of apps). Sprawl occurs when teams purchase and deploy too many programs without proper consideration for value, fit, or functionality.
- Performance bottlenecks: Adding extra programs and apps on top of existing systems often results in performance issues.
- Risky data silos: Any files stored on unauthorized or personal devices aren't accessible to others in the company. You lose access to that data if the employee leaves the company.
Any data employees store on shadow IT assets will not be a part of your regular backups, which is an issue you must account for in your corporate backup strategy.
Are There Any Positives to Shadow IT?
While the cons by far outweigh its pros, there are some positives to shadow IT. The most notable benefits are:
- Teams become more agile when they have the freedom to choose software.
- Making ad hoc IT decisions sometimes enables a team to respond to changes and threats with more speed.
- The ability to choose preferred apps and devices encourages employees to innovate. Teams experiment with new technologies and tools, which gives the organization a slight competitive edge.
- Some shadow IT leeway enables teams to quickly test out new tools that may turn out to be a better fit or more cost-effective than current solutions.
- Teams that work with preferred apps are more likely to be invested in their jobs. This morale boost helps improve employee satisfaction and retention rates.
Since most companies see shadow IT as an inevitability, many organizations are now trying to control the practice with security protocols. There are some mandatory precautions if you opt for that route, such as:
- Attack surface management (ASM) tools: These platforms continuously monitor all internet-facing assets to identify signs of shadow IT. Once a new asset appears, ASM tools automatically evaluate potential flaws and help eliminate threats.
- Cloud asset security broker (CASB): These platforms ensure secure connections between employees and any cloud asset they use (known or unknown). A CASB discovers all shadow cloud services and enforces extra security measures (such as encryption, access control policies, and malware detection).
In the fast-paced business world, giving employees some freedom to solve problems and experiment is advantageous. However, allowing shadow IT to go on uncontrolled is a massive mistake, so let's see how companies keep the practice in check.
How Do You Handle Shadow IT?
Here are the most effective ways of preventing shadow IT:
- Create IT policies: Create detailed policies that outline all allowed software, hardware, and services within the organization. Policies must also explain exactly how employees should use authorized tech, as well as state any consequences of violating the rules.
- Provide IT support: Ensure all teams have adequate IT support to address their tech needs and issues.
- Encourage communication: Encourage an open dialogue between IT and other departments to ensure all teams are happy with their assigned technologies. Open lines of communication lower the chance of anyone secretly using unauthorized tech.
- Educate employees: Organize regular awareness training to educate teams about the risks of shadow IT. Ensure everyone understands why you insist on using only approved software and hardware.
- Create a quick (but safe) approval process: If someone in your team proposes adding a new tool to operations, the approval process must be quick and secure.
- Conduct regular tool audits: Carry out regular audits that track what tools different departments use to perform their tasks.
- Boost endpoint security: Improve your endpoint security to prevent employees from installing unapproved apps on their devices (either company-owned or as a part of the BYOD policy).
- Monitor network activity: Your security team must monitor network activity for signs of unauthorized solutions and services. Make full use of intrusion detection systems and firewalls to analyze traffic and user actions.
- Regular reviews: Periodically review and update your IT policies, approval processes, and security measures. Ensure you're both up to date with the latest technology trends and security threats.
- CASB and ASM tools: Regardless of whether you opt to tolerate some amount of shadow IT or not, the aforementioned CASB and ASM tools are a worthwhile investment.
Since a large portion of shadow IT occurs in the cloud, your cloud security policy is a major part of stopping teams from using rogue services.
Keep Unauthorized Apps and Devices at a Minimum
While shadow IT boosts employee productivity and helps drive innovation, uncontrolled use of technology introduces potentially devastating risks. Keep shadow IT at a minimum by educating employees, setting up effective preventive measures, and encouraging teams to be open about their IT needs.