What is Shadow IT and can it be a problem within an organization?

August 02, 2019 | Posted in: IT Security

Updated May 2020

As cloud service consumers, we have become accustomed to downloading apps to help us in our day-to-day activities. Employees may also use these apps and tools to help them be productive and fill a need in their workday. The employee's intentions are honorable; however, little thought is given to the potential risk this can create for an organization. The practice of employees procuring tools and services without proper vetting from IT management is known as Shadow IT.

What is Shadow IT?

Gartner, a leading research and advisory company, defines Shadow IT as "devices, software, and services outside the ownership or control of IT organizations." In other words, IT departments can find themselves in the dark when it comes to some of the technologies being used by employees.

Examples of Shadow IT include:

  • Personal email accounts being used to conduct business,
  • Unsanctioned Bring-Your-Own-Devices (BYOD), or
  • Third-party Software-as-a-Service (SaaS) applications outside the purview of the IT department.

For the most part, employees use Shadow IT with good intentions and may not fully realize the rigor and security review that goes into application and device selection. It's no surprise that over 80% of employees admit to using non-approved SaaS apps within their jobs. However, without proper approval and vetting of new technologies, the practice creates risk for the organization.

How is Shadow IT a potential issue?

If an organization is in a regulated industry, such as healthcare or banking, then there are certain types of information that must be protected. Such information can't be protected properly if employees are storing it in locations outside of the company's control. Similarly, IT departments won't know whether customers are at risk if they do not know where all the information lives. Another consideration is productivity loss when an employee who has used Shadow IT applications for work activities leaves the organization. Their app credentials would likely be unknown to the IT department, so the company may never regain access to where everything was stored or learn what they were working on.

What can be done about Shadow IT?

As with most questions in IT, the answers will vary. A bank will have a different approach than a publicly-funded research organization, but the initial steps remain the same.

1. Create information classifications for your company.

The company, and ultimately the employees, must clearly understand what is public, private, or confidential. The classifications for a company may vary, but the process of creating them will help determine acceptable usage guidelines. For example, a company may decide that confidential information containing social security numbers is only allowed in a predefined set of applications sanctioned by management. On the other hand, employees may have a little more flexibility to use their preferred cloud services for private information, such as meeting notes.

2. Discover existing Shadow IT.

IT departments need to know and understand how confidential information is contained and managed throughout the company. A variety of tools can help with the information-gathering process: technical solutions such as Microsoft Cloud App Security, and non-technical approaches such as an employee survey, are both examples.

3. Adopt or prohibit services.

Many of the discovered services will offer professional versions with centralized management. If the services add value, consider vetting and adopting them while also determining which classifications of information are allowed.

4. Educate employees.

Written policies and end-user education are critical. Technology is always evolving, and tomorrow will continue to bring new ways of working. There is no substitute for ensuring employees are aware of clearly-defined policies and guidelines for the acceptable handling of company data.
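As an added example (not code from the original post or from any product it names), the following Python script applies steps 1 through 3 to constructed proxy log lines: a hypothetical inventory of sanctioned services records the highest information classification each may hold, a discovery pass lists destinations outside that inventory ranked by how many distinct users touch them, and a helper answers whether a given classification of data may be stored in a given service. Host names, users and log format are all made up for the illustration.

```python
import re
from collections import defaultdict

# Hypothetical sanctioned-service inventory (step 1 + step 3):
# domain -> highest classification allowed to be stored there.
SANCTIONED = {
    "mail.example-corp.com": "confidential",
    "sharepoint.example-corp.com": "confidential",
    "notes-app.example.net": "private",
}
CLASS_RANK = {"public": 0, "private": 1, "confidential": 2}

# Constructed proxy log lines: "<timestamp> <user> <destination host> <bytes>"
SAMPLE_LOG = """\
2020-05-04T09:01:12Z alice mail.example-corp.com 12034
2020-05-04T09:02:40Z bob personal-mail.example.org 8812
2020-05-04T09:05:03Z alice file-share.example.org 541200
2020-05-04T09:07:19Z carol notes-app.example.net 2048
2020-05-04T09:09:55Z bob file-share.example.org 99120
2020-05-04T09:11:01Z dave file-share.example.org 3310
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m.group(1), "user": m.group(2),
                   "host": m.group(3), "bytes": int(m.group(4))}

def discover_unsanctioned(records):
    """Step 2: aggregate traffic to hosts missing from the sanctioned inventory."""
    found = defaultdict(lambda: {"users": set(), "bytes": 0})
    for r in records:
        if r["host"] not in SANCTIONED:
            found[r["host"]]["users"].add(r["user"])
            found[r["host"]]["bytes"] += r["bytes"]
    return dict(found)

def allowed_for(host, classification):
    """True only if the service is sanctioned and may hold this classification."""
    ceiling = SANCTIONED.get(host)
    return ceiling is not None and CLASS_RANK[classification] <= CLASS_RANK[ceiling]

def report(text):
    """Unsanctioned services, most widely used first, for the adopt-or-prohibit review."""
    rows = discover_unsanctioned(parse_log(text))
    return sorted(rows.items(), key=lambda kv: (-len(kv[1]["users"]), kv[0]))
```

In practice the log source would be a firewall or proxy export and the inventory would be kept with the acceptable use policy; the review then decides whether each discovered service is adopted (and added to the inventory with a classification ceiling) or prohibited.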

A company can embrace Shadow IT and create a culture of security awareness. This helps decrease the amount of time and effort IT departments spend chasing after Shadow IT. With an acceptable use policy in place, an organization can then focus on increasing productivity while keeping data security a top priority.

Want to learn more about safeguarding company assets?

For information on Shadow IT and other acceptable use policy solutions, connect with us at info@systemsengineering.com or call 888.624.6737. Customers, please reach out to your Account Manager.