What is Shadow IT and can it be a problem within your organization?

July 22, 2022


As cloud service consumers, we have become accustomed to downloading productivity applications or using cloud storage repositories to help us in our daily activities. With the rise of remote working, it is not uncommon for an employee to download apps and tools to stay productive and fill a need in their workday. Their intentions are good; however, this type of activity can create cybersecurity risks for an organization.

What is Shadow IT?

The practice of employees deploying tools and services without the knowledge or proper vetting of IT management is known as Shadow IT. Gartner, a leading research and advisory company, defines Shadow IT as "devices, software, and services outside the ownership or control of IT organizations." In other words, employees can compromise security by using unauthorized technologies. When this occurs, IT departments find themselves in the dark, unable to enforce cybersecurity controls or group policy.

Examples of Shadow IT include:

  • Personal email accounts being used to conduct business,
  • Unsanctioned Bring-Your-Own-Devices (BYOD), or
  • Third-party Software-as-a-Service (SaaS) applications outside the control of your IT department.

For the most part, employees use Shadow IT with good intentions. Staff may not realize that applications and devices must pass a security review before they are approved. Without proper vetting of new technologies, Shadow IT can create cybersecurity risks for the organization. One survey by Forbes Insights reported that more than 1 in 5 organizations have experienced a cyber event due to an unsanctioned IT resource.

How does Shadow IT create cybersecurity risk?

All organizations, particularly those in regulated industries, such as healthcare, legal, or finance, have certain types of information that must be protected. Information can’t be secured if employees are storing it in locations outside of the company's control. Similarly, IT departments won't know if customer data is at risk if they don't know where all the information lives.

Data loss is another consideration. A common scenario is an employee who used Shadow IT for work activities leaving the organization. The apps and credentials they used may be unknown to your IT department, so you may never get access to what they were working on or to where critical data was stored.

What can be done about Shadow IT?

As with most questions in IT, the answers will vary. A law firm will have a different approach than a manufacturer, but the initial steps to control Shadow IT remain the same.

1. Create information classifications for your company.

Your company, and ultimately your employees, must clearly understand what is public, private, or confidential data. This process is known as Data Loss Prevention or DLP. The classifications for a company may vary, but the process of creating them will help determine acceptable usage guidelines. For example, a company may decide that confidential information containing social security numbers is only allowed in a predefined set of applications sanctioned by management. The same company, however, will allow employees to use their preferred cloud services for private information, such as meeting notes.

2. Discover existing Shadow IT.

IT departments need to know and understand how confidential information is contained and managed throughout the company. There are a variety of network monitoring tools that can discover which applications are running and who is running them. Mobile Application Management is one solution that can help with the information-gathering process. Within a smaller organization, a solution such as a survey may be sufficient.

3. Vet and adopt sanctioned alternatives.

Many of the Shadow IT services uncovered during the discovery process offer professional versions with centralized management. If a service adds value, consider vetting and adopting it, while also determining which classifications of information it is allowed to hold.

4. Educate employees.

Written policies and end-user education are critical. Technology is always evolving, and tomorrow will continue to bring new ways of working. There is no substitute for ensuring employees are aware of clearly defined policies and guidelines for the acceptable handling of company data.
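The discovery step in script form, as an added example that is not part of the original post: constructed proxy log lines are compared against a hypothetical sanctioned-service list, and every unsanctioned destination is summarised by distinct users, request count and upload (POST/PUT) count, the last being the signal most relevant to the classification rules from step 1. The sanctioned domains, user names and log format are all assumptions made for the sample.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical sanctioned-service inventory; any subdomain of an entry counts as sanctioned.
SANCTIONED_DOMAINS = {"sharepoint.com", "okta.com", "zoom.us"}

# Constructed proxy log lines in the shape "<timestamp> <user> <method> <url>".
SAMPLE_PROXY_LOG = """\
2022-07-20T09:01:12Z alice GET https://contoso.sharepoint.com/sites/finance/Q2.xlsx
2022-07-20T09:03:44Z alice POST https://api.dropbox.com/2/files/upload
2022-07-20T09:05:02Z bob GET https://www.dropbox.com/home
2022-07-20T09:07:19Z bob GET https://mail.personal-webmail.example/inbox
2022-07-20T09:09:51Z carol GET https://login.okta.com/app/sso
2022-07-20T09:11:33Z carol POST https://api.notion.so/v1/pages
2022-07-20T09:12:05Z alice POST https://www.dropbox.com/upload
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

def registrable_domain(host: str) -> str:
    """Last two labels, so api.x.com and www.x.com count as one service (a real tool would use a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_sanctioned(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)

def discover_shadow_services(log_text: str) -> dict:
    """Summarise every destination not on the sanctioned list, keyed by registrable domain."""
    findings = defaultdict(lambda: {"users": set(), "requests": 0, "uploads": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole run
        host = urlsplit(m["url"]).hostname
        if not host or is_sanctioned(host):
            continue
        entry = findings[registrable_domain(host)]
        entry["users"].add(m["user"])
        entry["requests"] += 1
        if m["method"] in ("POST", "PUT"):
            entry["uploads"] += 1  # data leaving the network is the signal that matters for DLP
        entry["first_seen"] = entry["first_seen"] or m["ts"]
    return dict(findings)

def report(findings: dict) -> list:
    """Rank by distinct users: widely adopted services are the first candidates for vetting."""
    ranked = sorted(findings.items(), key=lambda kv: (-len(kv[1]["users"]), kv[0]))
    return [f"{d}: {len(e['users'])} user(s), {e['requests']} request(s), "
            f"{e['uploads']} upload(s), first seen {e['first_seen']}" for d, e in ranked]
```

Calling `report(discover_shadow_services(SAMPLE_PROXY_LOG))` returns the ranked list; on real data, pass the proxy or DNS export in place of the constructed sample.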

Your company can embrace Shadow IT by creating a culture of security awareness. Implementing and adopting an acceptable use policy can help decrease the amount of time and effort IT departments spend chasing after Shadow IT. With the right policies and plans in place, your organization can focus on increasing productivity while keeping data security a top priority.

Learn what other weak points exist within your organization. Follow on below to read about Cybersecurity Risk Assessments.

For information about reducing cybersecurity risks within your organization, connect with us at info@systemsengineering.com or call 888.624.6737. Customers, please reach out to your Account Manager.