It is a telling fact that experts believe 40% of IT spending in companies is not initiated by the IT department. This shows how important it is to understand how to manage shadow IT.
One of the drivers behind the rise in shadow IT is the COVID-19 pandemic. With more remote working, there is less centralization of device usage and more need for collaborative tools to connect disparate workers. This creates the risk of introducing personal software and hardware into the business ecosystem.
The temptation might be to ban all programs that were not approved by the IT department. However, employees can see waiting for a green light as delaying their work. Their reasoning may be that downloaded programs are of great help — the ability to automate tasks and communicate and collaborate more easily on projects can lead to significant productivity gains. In addition, being able to use their own devices on the company’s IT network allows them to take their work with them and collaborate more easily and with greater flexibility.
This guide explains what shadow IT is, the challenges it provides, and the best practices for mitigating the risks that it poses.
What is shadow IT?
Shadow IT involves utilizing software, apps, services, devices, and other information technology systems without the permission of the IT department. There are many reasons why an employee or department would decide to use an unauthorized program, such as Canva for graphic design or Quickbooks for accounting, or connect an additional device to the network, such as a tablet. However, the act of doing so without IT department consent or knowledge can open the network to security risks which IT may not know to monitor.
Users might opt for shadow IT because the existing infrastructure is deficient in some manner relating to their needs or because there is a bottleneck in the approval process that prevents them from completing a project in a timely manner. In the case of SaaS applications, the user might not even realize they need to gain permission, as they may consider them just another website where they simply log in.
Security risks and challenges of shadow IT
Here are some of the main risks and challenges associated with shadow IT:
| Risk or challenge | Explanation |
| Network security | Adding devices to your company’s network without informing the IT department or gaining approval provides an additional entry point for cybercriminals. The official devices used in your organization are protected with security protocols instigated by IT. Additional devices may not feature such stringent protection and could turn out to be a vulnerability. |
| Lack of visibility | If IT does not have visibility over how users interact with your network, it cannot properly mitigate risks. In the case above of an external device being connected to the network, if IT knows about it, it can ensure it is secure. If no one informs the department, they will have no idea that there is a vulnerability and cannot protect the organization accordingly. |
| Data loss and data leaks | Using file sharing platforms to access company documents from private sources opens up your data to loss or, at least, leakage. Data leakage happens when users move data from your secure system to a file sharing platform or personal device. This puts it at risk. If the app or device is stolen or compromised, criminals can take and use the data. |
| Compliance | Losing data can put you at odds with the various data protection laws around the world. Several US states have data protection laws, such as the California Consumer Privacy Act, for example. If you hold consumer data, you could be held liable if it is lost to criminals. |
| Financial Risks | There can be huge financial penalties for breaching data laws, which can be damaging for a business. You might have to also pay for damage control, in terms of PR or compensation. Another financial risk is that, if every department has its own solution for the same problem, the business might be paying for multiple subscriptions to different services that all perform the same task. Having a single, approved solution across the entire company could be more cost-efficient. |
| Inconsistency | When different departments use different solutions, this also creates inconsistencies across the business that could lead to data mismatches. |
| Data silos | With each department choosing its own solution for various tasks, you risk running into data silos that prevent the sharing of information across the organization. This can hurt your employees’ productivity. |
How To Manage Shadow IT
1. Assess your risks and monitor your network
You need to gain an insight into the usage of shadow IT within your organization to be able to assess the risks involved.
This can be a major undertaking to perform manually. Vaultry helps you to mitigate cybersecurity risks by monitoring your system for shadow IT, giving you a full picture of the unauthorized and unapproved items being used on your system. Once you have gauged the extent of the issue in your business, you can work to close vulnerabilities and shore up the security of your network.
You should continue to use Vaultry to monitor your network on an ongoing basis. It tracks every phone, computer, tablet, and laptop in the company’s network from a single dashboard, alerting you to threats and unauthorized programs being downloaded.
2. Publish BYOD guidelines
Bring your own device (BYOD) is becoming more and more common in today’s working environment. As employees work remotely and take their work on the road, the need to use their own devices increases. This can cause risks for cybersecurity, however.
The benefits of BYOD, such as increased mobility for staff, better collaboration, efficiency, and flexibility, mean that many businesses are reluctant to stop it. But you have to establish guidelines to allow the freedom of using personal devices and still ensure safety.
One solution is to require employees to use specific cloud solutions from their mobile devices, rather than doing their work on personal apps. Implementing a zero-trust security governance, risk and compliance model for apps and software in your guidelines dissuades employees from using anything other than IT-approved safe solutions.
3. Set identity and access controls
With employees using their own downloads on their own devices, there is a risk of them forgetting their login credentials and being locked out of vital business information. Additionally, reusing passwords from their personal account for business-related programs is a major risk to the security of your systems.
The alternative is for the IT department to become its own cloud service provider, managing identity and access centrally to the apps that employees need to use. IT pre-approves apps and then employees can download the ones they want with the full knowledge of the IT department.
IT controls the access to this “app store”, being able to recover login details if employees forget them and ensuring all activity takes place within the company’s security protocols.
4. Establish a policy for third-party vendors
When you work with third parties, you have to make sure that they do not pose a risk of data theft. As strong as your security policies are, if an employee shares your company’s data with another business, they create a vulnerability. When you do not know who has access to your data, you can lose control over it.
You should implement a policy for how employees deal with third-party vendors which spells out the best practice for restricting their access to your data. This might include providing solely read-only access, for example.
5. Organize cybersecurity training
Cybersecurity training on the risks of shadow IT is important for helping employees to understand the risks at play. For many staff members, they might not realize the risks of connecting a personal device to a secure network or downloading a common commercial app that you would put on your device at home without even thinking about it.
Do not judge their decisions, but instead show understanding of why they utilize shadow IT. Then move on to explain how the company has chosen to manage these apps and systems. Inform them on how to use the apps they need safely.
Examples of shadow IT
| Type of shadow IT | Examples |
| Productivity tools | Trello, Asana, Slack |
| Video conferencing tools | Zoom, Webex, FaceTime |
| Collaboration tools | Google Drive and the Google Suite |
| Messaging apps | Facebook Messenger, WhatsApp, iMessage |
| File sharing | Dropbox, WeTransfer, OneDrive |
| External devices | Hard drives, flash drives, tablets, smartphones, laptops |
| Bluetooth-sharing tools | AirDrop, InstaShare, Xender |
FAQ
How common is shadow IT?
It is impossible to accurately state how common shadow IT is, as the whole point is that it is hidden from the IT department. However, experts suggest that 40% of IT spending in companies is on activities not controlled by the IT department, which suggests that shadow IT is a major element in many employees’ working lives.
Why do employees use shadow IT?
There are many reasons why employees use shadow IT. It may just come naturally to them to share large files through Dropbox, for example, because they do this in their personal lives. So, they don’t see an issue with using an app from a reputable company like Google.
Another reason is to utilize the efficiency and productivity qualities of a certain app. In addition, they may not like the officially recognized solution within the company or might not be willing to wait for IT approval to download a certain program and want to start using it straight away.
The use of employees’ own devices provides convenience and flexibility in their working lives.
Does remote work increase the risk of shadow IT?
Remote work increases the risk of shadow IT because employees are more likely to use their personal devices to access work-related information. Organizations should put in place policies to minimize the risk of creating security vulnerabilities.
Conclusion
With remote working and the sheer volume of software to use, the chances of employees connecting devices to your network or using programs other than those specifically approved are high. When it comes to how to manage shadow IT, you need to put in place policies to minimize that risk, alternatives to allow staff to use apps safely, and you need to open communication lines to help employees understand the risks of using unauthorized programs and devices.
To help you monitor your corporate network, use Vaultry’s monitoring tool that alerts you to threats from every device on your network and allows you to resolve issues instantly. Request a demo for your business today.
