Many factors can eat into a company’s bottom line. Four of them are cyber attacks, sanctions for compliance failures, reduced productivity and inefficient systems, and shadow IT can cause all four. But what is shadow IT? This article explains the term, walks through common shadow IT examples so you know what you are dealing with, and sets out how to bring it under control.
And if you’re wondering why you should worry about shadow IT now, the statistics make for an alarming case:
- The average cost of a data breach increased by 2.6% from $4.24 million in 2021 to $4.35 million in 2022.
- The EU’s GDPR can impose fines of up to €20 million (roughly $20 million) or 4% of worldwide annual turnover, whichever is higher, for infringements of personal data protection rules by companies operating in the European Union.
- Businesses in the US lose $450 to $550 billion every year due to poor productivity.
- Companies spend $2.78 million each year on licenses that they don’t use.
Keep reading to find out how to fight shadow IT.
What exactly is Shadow IT?
Shadow IT is technology used within a company that is not under the control of the IT department. This includes apps, cloud services, software, devices and other tools that employees use in their daily work.
Employees usually turn to unsanctioned technology because the approved toolset lacks something they need, or because they believe it does, which amounts to the same thing in practice.
By definition, IT is unaware of shadow IT in use within the organization, so it cannot patch it, back it up, control access to it or include it in compliance audits. That is what makes the risk hard to mitigate.
Shadow IT examples
Here are the main types of shadow IT you will find employees using without the IT department’s knowledge.
| Type of shadow IT | Examples | Potential issues |
| --- | --- | --- |
| Third-party apps | Slack, Trello and other productivity tools used for communication and collaboration between employees. The commercial options are easy to use and have the features workers want for fast, simple workflows. | Sensitive company data ends up in a tenant that IT does not administer: no central access control, retention policy or audit trail, and possible compliance problems over where the data is stored. |
| Third-party apps | Skype, FaceTime and other VoIP tools. Video and audio communication are essential for teams, especially in today’s hybrid and remote work environments. | Unmanaged clients are not patched by IT, so known vulnerabilities in them stay open, and call content and contact data sit outside company controls. |
| Third-party apps | Google Docs, Gmail, Google Drive and other parts of Google Workspace (when not licensed or sanctioned by IT). These let people work on the same document from different locations. | If Google Workspace is not the IT-approved solution, documents are shared under the user’s own permissions, often via personal accounts, with no company control over access or data processing. |
| Third-party apps | Dropbox, Box and other cloud file-sync and sharing tools, used to move large files between devices. | Files hosted with a third party, outside company systems, cannot be covered by your data use policies, and the account may be less well protected than the organization’s own storage. |
| Third-party apps | Apple AirDrop and similar proximity-based sharing tools (Bluetooth for discovery, Wi-Fi for transfer) are also used to share files quickly. | Files leave the company’s managed channels with no audit trail, and a transfer can easily go to the wrong nearby device or be accepted from an untrusted one. |
| Third-party apps | WhatsApp and other messaging apps. | Information shared in messaging apps is easy to leak, metadata and backups may be held by the app vendor, and users typically run these apps on personal devices, which adds further data storage and breach exposure. |
| Third-party apps | Grammarly, Pomodoro timers and other browser plugins and extensions. | Extensions with broad permissions can read and send out page content, including text typed into internal web apps, which breaches company policy and can create compliance issues without the user realizing it. |
| Personal email accounts | Personal email accounts used to conduct business. | Spam and malware filtering on a personal account is unlikely to be as robust as the company’s own, so using Gmail, Hotmail and others on work devices is an open door for phishing, which can lead to attackers gaining access to the network and causing major disruption. It can also breach both internal and external data protection policies. |
| Unsanctioned Bring-Your-Own-Device (BYOD) | Some companies allow BYOD due to employee demand, especially since the lockdown-driven rise in remote and flexible working. This can also open the door to shadow IT. | Personal devices connected to the company network weaken security if they lack, for example, multi-factor authentication, endpoint protection and current patches. |
Reasons why employees might use shadow IT
The overarching motivation for employees to use shadow IT is that they don’t feel that the company-approved methods work for them. This can be due to a number of reasons.
Lack of proper tools
Employees might be concerned that they can’t access the exact types of tools they feel they need to carry out their duties. This might be job-specific software like InDesign, but it might also be a productivity tool with a set of features that the team requires.
When nothing in the IT-sanctioned toolset obviously solves their problem, employees go and source their own programs.
Even where an approved equivalent exists, they may feel it does not work as well as their shadow IT alternative.
Lack of skills
Sometimes the tools that are available require a skillset that the user doesn’t possess or doesn’t have the time to learn. In this case, they will often seek out a solution that is easier for them to use. This will save them time, so they see it as a superior solution.
For example, IT might have approved Photoshop for the Marketing department so it can create graphics for social media and campaigns. A worker who struggles to get to grips with that program might use a simpler drag-and-drop option like Canva to get the work done.
Familiarity with other solutions
Another cause for using shadow IT is that the user is more familiar with the shadow IT program than the sanctioned solution. For example, the business might use Microsoft 365 for creating Word documents, but the user feels more comfortable and prefers the functionality of Google Docs. Rather than learn a new system for achieving what they believe is a similar result, they use the one that they are used to.
Time-consuming process
When a department identifies a solution it believes will help its work, it may not simply download it without approval. It can ask IT to assess and sanction it, but that often takes a long time.
The department may need the solution urgently, and the approval workflow is not always quick. Impatient employees then implement the software anyway so they can get on with the work at hand.
What can you do about shadow IT?
1. Open the lines of communication
There needs to be a conversation between IT and employees. Helping users understand the pitfalls of shadow IT is important because many don’t even realize they are opening the company up to attack or compliance issues. Proper training regarding cyber safety, data processing, access, skills and other related topics will help reduce shadow IT.
IT also needs to listen to employees and understand their needs. If there is not a suitable solution, then it is important to take feedback on board and help to supply the necessary software as soon as possible.
Departments should also talk to each other and to IT. Rather than several departments each taking out their own licenses for the same software, IT should own the process: if an app is necessary, there should be a single license that fits the requirements of all business departments.
2. Simplify approval
If users are turning to shadow IT because the official channels take too long, then this needs to change. These employees want to do the right thing but are being prevented from doing it.
To simplify approval, streamline the process. It can be as simple as a form where users describe the functionality they need and the business case for it. Set response deadlines for those requests so employees know the maximum time they will wait for a decision.
You can also build a standard security questionnaire into the form (what data the tool will hold, where it is stored, whether it supports single sign-on and multi-factor authentication, what certifications the vendor holds) so the assessment can move ahead quickly.
3. Implement continuous monitoring
Although you can reduce shadow IT use within an organization, you will never completely stop employees from trying their own solutions. This means you need a monitoring system that gives you visibility of shadow IT use on your network.
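One way to get that visibility from data most organizations already collect is to run outbound proxy logs against a list of what IT actually sanctions. The script below is an added example written for this article; it is not Vaultry’s code. It assumes a Squid-style access log (timestamp, user, method, URL or host:port for CONNECT, status); the log lines, the sanctioned list and the SaaS catalog are all constructed for the example.

```python
"""Shadow-IT discovery over outbound proxy logs.

Added example, not Vaultry's code. It assumes a Squid-style access log with
whitespace-separated fields: timestamp, user, method, URL (or host:port for
CONNECT), status. Every log line, domain list and catalog entry below is
constructed for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# What IT actually licenses and administers (hypothetical list).
SANCTIONED = {"office.com", "microsoft.com", "sharepoint.com", "zoom.us"}

# Known SaaS domains worth flagging, keyed by registrable domain and tagged
# with the shadow-IT type from the table above (hypothetical catalog).
SAAS_CATALOG = {
    "slack.com": "Third-party app: collaboration (Slack)",
    "trello.com": "Third-party app: collaboration (Trello)",
    "google.com": "Third-party app: Google Workspace",
    "dropbox.com": "Third-party app: file sharing (Dropbox)",
    "box.com": "Third-party app: file sharing (Box)",
    "wetransfer.com": "Third-party app: file sharing (WeTransfer)",
    "grammarly.com": "Browser extension: Grammarly",
    "whatsapp.com": "Messaging app: WhatsApp",
    "gmail.com": "Personal email: Gmail",
}

# Constructed sample log; timestamps are Unix epoch as Squid writes them.
SAMPLE_LOG = """\
1719388800.123 alice GET https://outlook.office.com/mail/ 200
1719388801.456 alice GET https://app.slack.com/client/T0/C0 200
1719388802.789 bob CONNECT drive.google.com:443 200
1719388803.012 bob GET https://www.dropbox.com/home 200
1719388804.345 carol GET https://app.slack.com/api/chat 200
1719388805.678 carol CONNECT grammarly.com:443 200
1719388806.901 dave GET https://zoom.us/j/123456 200
1719388807.234 dave CONNECT share.files-example.net:443 200
1719388808.567 dave GET https://www.dropbox.com/home 200
"""

# Public suffixes under which the registrable domain has three labels.
_TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain a SaaS vendor would actually own."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (user, host) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    user, method, target = parts[1], parts[2], parts[3]
    if method == "CONNECT":            # TLS tunnel: target is host:port
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname
    return (user, host) if host else None


@dataclass
class Finding:
    category: str
    hits: int = 0
    users: set = field(default_factory=set)


def discover(log_text: str, sanctioned: set, catalog: dict) -> dict:
    """Group unsanctioned destinations by registrable domain.

    Sanctioned domains are dropped. Catalog hits carry their category;
    anything else lands in 'unknown: triage' so an analyst can review it,
    because a new file-sharing site will not be in any catalog on day one.
    """
    report: dict = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        domain = registrable_domain(host)
        if domain in sanctioned:
            continue
        finding = report.setdefault(
            domain, Finding(catalog.get(domain, "unknown: triage")))
        finding.hits += 1
        finding.users.add(user)
    return report


if __name__ == "__main__":
    findings = discover(SAMPLE_LOG, SANCTIONED, SAAS_CATALOG)
    for domain, f in sorted(findings.items(), key=lambda kv: -kv[1].hits):
        users = ",".join(sorted(f.users))
        print(f"{domain:24} {f.hits:3} hits  users={users:14} {f.category}")
```

Run against the sample, this reports Slack and Dropbox in use by two people each (a sign that whole teams, not just individuals, have adopted them), Google Workspace and Grammarly by one user each, and one unknown file-sharing host for triage, while Office 365 and Zoom traffic is ignored because they are sanctioned. Two people on the same unsanctioned tool is usually the cue to start the conversation described above rather than simply block it.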
Using Vaultry allows you to monitor all devices connected to your network and discover cracked software, unapproved freemium programs and other shadow IT that could pose a risk to the business.
The platform provides alerts when it spots such programs and allows you to rectify the situation before it becomes a vulnerability or compliance problem.
FAQs
How does shadow IT relate to cloud computing?
As more people use cloud computing for their personal lives, this can seep into the business world, too. Cloud applications are handy and easy to access, with many offering freemium options that seem like a quick win.
However, when using an unapproved shadow IT cloud app, the employee could be contravening data protection policies and privacy laws.
What is a shadow IT system?
A “shadow IT system” is any technology used within an organization without the explicit approval or oversight of its IT department. This covers hardware, software, applications and services that have not been formally reviewed, approved or managed by IT.
What is a shadow IT expense?
Shadow IT expense is the cost of the consequences of shadow IT in your environment. It includes the cost of cleaning up after leaks and attacks, as well as the cost of unused and duplicate licenses.
Conclusion
There are many reasons why shadow IT flourishes in organizations. It is often the easiest and quickest option for employees, who may not understand the security risk they are creating. The shadow IT examples above show how everyday programs that seem innocuous, often because people already use them in their personal lives, can open up vulnerabilities in a business.
To protect your business from the risks of shadow IT, monitor all devices on your network with Vaultry and stamp out potential issues before they escalate. Get started with Vaultry now.