As business cycles accelerate around the globe, the digital workforce is being forced to deliver more rapid-fire solutions. Sometimes the focus on speed causes people to cut corners and sign up for unauthorized applications or productivity tools to help solve business problems faster. This practice is known as shadow IT.
Shadow IT involves any IT-related activities that happen within an organization, but outside of the IT department's direct supervision. In most cases, employees are not trying to break the rules — they are just trying to do their jobs as efficiently as possible. But the haphazard adoption of web-based business apps without first getting approval from IT poses real risks for cybersecurity and regulatory compliance, and can lead to sprawling costs.
Shadow IT can include any devices, systems, infrastructure, applications, or SaaS services used without the explicit approval of IT managers — and therein lies the risk, especially when a company puts protections in place for certain sanctioned tools but not others. A primary threat of shadow IT stems from the use of communications and collaboration tools. Yet nearly one-third of employees regularly use unapproved communication tools to do their jobs, according to a workplace report by Beezy.net. For instance, some clients may prefer collaborating on Slack channels rather than through a company's approved platform for Microsoft Teams. In those cases, the company's employees will often violate their own company's Teams policy to please their clients by communicating on Slack.
Another common problem stems from people who send personal emails from their work accounts, which can lead to concerns about employee privacy, company security, and legal compliance. Likewise, connecting unsanctioned devices to a company's infrastructure is another risk. Yet we see this happen all the time in this BYOD world of remote workers who are conditioned to send messages from their personal smartphones.
Shining a Light on the Risks of Shadow IT
Stringent security controls are in place for a reason. Shadow IT can expose an organization to unmonitored security dangers, such as when an employee uses work credentials to sign up for an unsanctioned free app. If those credentials are somehow stolen through the app, IT and security teams may be unable to identify attacks that are initiated through that person's email account. If the app vendor suffers a data breach, for example, bad actors could then use the employee's log-in credentials to attack the company's network and data. Yet the IT team may not be aware of the application if it is not included in their software inventory.
In addition, shadow IT poses operational risks by layering on redundant software functions that may already have been purchased through other subscriptions or services. This practice can cause unnecessary technical glitches too, such as when shadow IT solutions are incompatible with other approved systems, resulting in data silos or interoperability failures.
Financial waste is another result of shadow IT, which can occur when groups of users migrate to an unapproved tool, leaving the approved platform (which has been paid for) largely underused. In other cases, employees may be getting reimbursed for expenses associated with unsanctioned tools, and in this way the organization is unknowingly paying for duplicate services. Alternatively, the company may still end up paying for certain unused apps after employees who signed up for them leave the organization. In addition to impacting profitability, financial waste also limits the funds available for other tools and resources that could benefit the organization. Maintaining visibility around the use of shadow IT applications is key to ensuring that money is being utilized strategically and financial waste is not cutting into the profitability of the company as a whole.
Shadow IT also introduces compliance risks based on the use of tools that incorporate personal data without providing the guardrails of standard data management practices. Such cases can result in violations of internal company policies or important government regulations such as GDPR or HIPAA, leading to costly fines and penalties. In 2022, the U.S. Securities and Exchange Commission issued $1.8 billion in fines to 16 Wall Street banks and brokerage firms. In that case, the SEC described widespread unsaved private messages on WhatsApp for work-related business as "pervasive off-channel communications."
Fighting Shadow IT Through Close Monitoring and Ongoing Training
It is important to remember that almost anyone can fall into the trap of shadow IT due to their need to deliver on pressing business priorities, especially if facing an urgent deadline when the IT help desk may take too long to respond.
On the other hand, many IT teams still remain in the dark about the extent of shadow IT lurking in their own systems. Nearly half of IT teams (45%) admitted to not knowing the full configuration of their networks, according to the 2023 IT Network Management Report by Auvik, which surveyed 4,500 IT professionals.
To guard against the risks of shadow IT, organizations should adopt strong network monitoring and management solutions to gain greater visibility into the scope of the problem. This includes tools for remote device monitoring, endpoint security, and data loss prevention.
It is also critical for IT teams and security leaders to conduct regular employee training to update their staff about the latest security threats from shadow IT. To promote job satisfaction and employee compliance, it is equally important to provide workers with the right digital tools that they need to be effective in their jobs. By remaining attentive to this problem and focusing on preventive measures, IT teams can offset the threats from shadow IT to keep their organizations secure and efficient.
About the Author:
Alex Hoff is the Co-Founder and Chief Strategy Officer of Auvik, a leading provider of cloud-based network management software. In the CSO role, Alex shapes the long-term vision and strategy for Auvik. Since co-founding the company, Alex has helped lead sales, customer success, product development, and engineering. He holds a bachelor of mathematics degree with a major in computer science from the University of Waterloo, and an MBA from Wilfrid Laurier University.
