The Risks and Rewards of Shadow IT
Shadow IT is technology that individuals in an organization use without the approval or oversight of management and IT. It is simply IT that happens in the shadows. Just as an artist adds shadows to give a painting depth, staff usually create shadow IT systems with the best of intentions: they want to do their job more efficiently, so they find a solution that works. That is the big benefit of shadow IT. However, most fail to realize the negative ramifications these solutions can have, and with more people working remotely, shadow IT is exploding. Software, hardware, and cloud-based services all fall under shadow IT.
What are some examples of shadow IT?
- Creating an unauthorized Slack/Teams channel to share messages/data
- Using Google Docs (or another file sharing tool) to transfer files
- Using unapproved remote access software to enable working from home
- Using an unauthorized personal device to access corporate resources
- Using "Sign in with Facebook" or a corporate cloud account to log into an unvetted third-party app, granting it access to that account's data
In the past 12 months, 64% of employees created at least one user account that IT or management didn’t know about.
What are the risks of shadow IT?
Security – This is the big one. You can’t protect what you can’t see. 33% of security attacks will be on shadow IT this year alone. The lack of visibility into these applications is a huge security problem. While some applications are harmless, others can expose your organization to data loss, ransomware, and phishing attacks. Most users don’t have the skills to verify how secure a solution is, and even a solution that is secure can still be risky when used without guidance: employees may inadvertently share critical data inappropriately or store it on personal devices that IT does not manage.
Compliance – IT compliance requirements are becoming increasingly stringent for all organizations, whether under PCI DSS, GDPR or industry-specific regulations like HIPAA. Data that flows through shadow IT is data you cannot show auditors you control, so its use can lead to fines or loss of business for violating these requirements.
Incompatibility – Despite what some individuals may think, no one works in isolation. Everyone’s job role is connected in one way or another, and at some point the work that one person performs will be used by another. If everyone uses a different application for the same function, data ends up in incompatible formats and scattered locations, and handoffs between people break down.
Diminished ROI – Each technology solution installed and maintained has a calculated use and expected added value to the organization. When the tools that the organization has invested in aren’t used, the tool’s benefits are not achieved, and that expensive and powerful application designed to solve all your problems turns into an underused waste of money.
Cost Control – Cost creep happens when employees sign up for free trials and forget to cancel the subscription, or when the organization ends up paying for duplicate or unused licenses.
40% of all software spending in organizations goes to shadow IT.
What to do about shadow IT? In the end, shadow IT is about balance: balancing security with usability, expertise with innovation, and theory with practicality. Shadow IT isn’t going away. The solution is a little bit tech and a little bit human.
The human piece: It’s about empowering employees and communicating to them the risks of unauthorized apps. Training your team about your organization's policies and procedures will help you better enforce your cybersecurity and data privacy practices. By creating a security culture, you can also educate employees about the critical role they play in maintaining strong security.
Especially now, awareness should also focus on the increased risks of working from home. To minimize the use of shadow IT, provide employees with a checklist of best practices and security requirements for their WFH technology. At the same time, management and IT need to partner with employees to find solutions for their everyday work problems. This means regular communications and collaboration.
The tech piece: Consider technical solutions that extend the reach of security policies beyond the organization’s defined perimeter. Implement security solutions that increase visibility into network traffic, both in the office and while working remotely, so that unfamiliar services and noteworthy behaviors are identified rather than discovered after an incident. And of course, identify critical data systems and manage user credentials and privileges so that a single user’s account or device cannot put the organization at significant risk.
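The visibility point above (and the "you can’t protect what you can’t see" point under Security) is easiest to make concrete with a discovery script. The following is an added example, not IT Radix’s tooling or a product recommendation: it reads web-proxy log lines, drops destinations that match an approved-services allowlist, and reports every other host together with the users who reached it and a rough category. The log format, the allowlist, the catalogue of known unsanctioned services and the log lines themselves are all constructed for this example; a real deployment would feed it from the organization’s proxy or DNS logs and its approved-application inventory.

```python
"""Discover shadow SaaS by comparing web-proxy destinations to an allowlist."""
import re

# Constructed sample log in a simple space-separated format:
# <unix timestamp> <user> <method> <url> <http status>
SAMPLE_LOG = """\
1617234001.123 alice GET https://teams.microsoft.com/api/chatsvc 200
1617234002.456 alice GET https://docs.google.com/document/d/abc 200
1617234003.789 bob POST https://anydesk.com/download 200
1617234004.012 bob GET https://outlook.office365.com/mail 200
1617234005.345 carol GET https://slack.com/api/conversations.list 200
1617234006.678 carol GET https://app.trial-crm.example/login 200
1617234007.901 dave GET https://www.dropbox.com/upload 200
1617234008.234 dave GET https://docs.google.com/spreadsheets 200
"""

# Assumed allowlist of sanctioned services (hypothetical; populate from the
# organization's approved-application inventory). Subdomains are allowed too.
APPROVED_DOMAINS = {
    "teams.microsoft.com",
    "outlook.office365.com",
    "sharepoint.com",
}

# Assumed catalogue of well-known services that are NOT sanctioned here.
# Anything unapproved and not in this table is reported as "unknown".
KNOWN_SHADOW = {
    "docs.google.com": "file sharing",
    "dropbox.com": "file sharing",
    "slack.com": "messaging",
    "anydesk.com": "remote access",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def host_of(url):
    """Extract the lower-cased hostname from a URL, or None if it has no scheme."""
    m = HOST_RE.match(url.lower())
    return m.group(1) if m else None


def matches_domain(host, domain):
    """True for the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_approved(host):
    return any(matches_domain(host, d) for d in APPROVED_DOMAINS)


def classify(host):
    for domain, category in KNOWN_SHADOW.items():
        if matches_domain(host, domain):
            return category
    return "unknown"


def find_shadow_it(log_text):
    """Return {host: {"category": str, "users": set, "hits": int}} for every
    destination in the log that is not on the allowlist."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the whole report
        host = host_of(m["url"])
        if host is None or is_approved(host):
            continue
        entry = findings.setdefault(
            host, {"category": classify(host), "users": set(), "hits": 0}
        )
        entry["users"].add(m["user"])
        entry["hits"] += 1
    return findings


def summarize(findings):
    """Rank findings: most distinct users first, then most hits, then by name."""
    rows = [
        (host, f["category"], len(f["users"]), f["hits"])
        for host, f in findings.items()
    ]
    return sorted(rows, key=lambda r: (-r[2], -r[3], r[0]))


if __name__ == "__main__":
    for host, category, n_users, hits in summarize(find_shadow_it(SAMPLE_LOG)):
        print(f"{host:28} {category:14} users={n_users} hits={hits}")
```

Two design points matter in practice. The allowlist is matched by parent domain so that tenant-specific hosts such as contoso.sharepoint.com are not falsely flagged, and the "unknown" bucket is kept rather than discarded, because a host nobody has catalogued yet (the free-trial CRM in the sample) is exactly the kind of service the human side of the program needs to ask employees about.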
Need help navigating the murky shades of shadow IT? Contact IT Radix today! We’re here to help shine a light on your shadow IT and enhance your IT masterpiece.
First published in our April 2021 IT Radix Resource newsletter