What is Shadow IT?

Risk Glossary

What is shadow IT?

Shadow IT is any information technology used by a department without the central IT department knowing or approving it. The term “shadow IT” is used to classify and address any unofficial information flows that users introduce to an organization’s network by any medium. It covers everything from USB flash drives to file-sharing tools, chat apps, and more.

Shadow IT examples

Shadow IT can take a lot of different forms. Despite the name, the software, apps, and tools that comprise shadow IT are typically not “underground” or little-known names. Shadow IT is more often common programs, tools, services, and hardware that IT and security professionals already know – but have not approved for company use or have specifically disapproved for use on the company network or company-owned devices.

Shadow IT can also take the form of hardware installed or used on company-owned devices, such as flash drives or HDDs. But today, the vast majority of shadow IT takes the “aaS” form: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) services.

Some common examples of shadow IT:

  • Slack, Trello, and other productivity tools
  • Skype and other VoIP tools
  • Google Docs, Gmail, Drive, and other elements of the Google Suite (if not officially licensed or sanctioned by the IT department)
  • Dropbox, Box, and other peer-to-peer file-sharing and cloud collaboration tools
  • Apple AirDrop and other Bluetooth-based sharing tools
  • WhatsApp and other messaging apps
  • Flash drives and HDDs

When two team members download Skype because they can’t get Teams to work, that’s shadow IT. When someone needs to send a file that’s too big for Gmail, so they use Dropbox, that’s shadow IT. But the problem with shadow IT isn’t really about the specific tools people use – it’s more about the fact that they use them without IT knowing.

Why do people use shadow IT?

As with most end-user behavior, it’s all about the path of least resistance. People use shadow IT when they feel like the tools cleared by their IT department are somehow lacking or when they see that shadow IT allows them to do something more efficiently or effectively. Shadow IT can seem like an excellent way for them to innovate, experiment, collaborate, and generally be more productive compared to approved apps and tools. Shadow IT has been further accelerated by the shift to remote and flexible work arrangements. As employees work in new ways, they’re looking for the fastest, easiest way to share information, exchange ideas, and collaborate with decentralized teams.

Here are a few specific reasons why someone might decide to use shadow IT:

  • They feel like the tools cleared by IT don’t work as well as tools they can find on their own.
  • They’re not very experienced with the tools IT has already cleared, so they use tools they know to get work done faster.
  • The process for clearing and approving new IT for widespread use is slow and frustrating.

How common is shadow IT?

It’s almost impossible to measure how common shadow IT is, for an obvious reason: IT and security can’t see it, and the people who use it usually don’t tell their IT department they’re using it. (End users might not even know they’re not supposed to use it.) Still, some researchers have ventured estimates. In 2016, Cisco published an article that said 80% of end-user software wasn’t cleared by IT, and Everest Group estimates that 50% of IT budgets at large corporations are spent on shadow IT.

Is shadow IT bad?

It’s hard to call shadow IT wholly “bad” or “good” because different parties see it in different ways. Often, the riskier parts of business workflows have accompanying reward. IT usually sees it as a risk, while end-users and employees often see only the reward.

The Risk

IT and security teams typically view shadow IT as a risk for two reasons. First, they may have specific security or operational concerns about a disallowed or banned app (for example, if the app contains a known security vulnerability). Second, because shadow IT falls outside their security posture, they typically have extremely limited (if any) visibility into shadow IT activity – and blind spots are risky.

The Reward

The employees using shadow IT value the ability to work more quickly, come up with new solutions, and try new things to help their team be more efficient. Managers and executives may value the boost in productivity and collaboration that comes from their employees’ use of shadow IT. Business leaders also see employees’ ingenuity as a critical ingredient in fostering a culture of speed, agility, flexibility, and innovation, and shadow IT can be a quicker, less costly way to leverage it.

The problems and risks shadow IT can present

Shadow IT is a risk insofar as it prevents IT and security teams from seeing and accounting for the tools employees use and the ways they use them to share information. That means data can be hosted, shared, and accessed – internally and/or externally – without formally set permissions, security protections, or organizational visibility. The company’s IT infrastructure and data security posture might not have considered those tools when creating security measures and protocols, leaving room for vulnerability.

Apart from security risks, shadow IT can make IT and security teams’ jobs harder in a few ways:

  • App sprawl: The greater the number of apps and cloud-connected services an enterprise uses, the harder it is to keep track of them. When employees add new tools, apps, and services on a whim without involving IT, it can quickly turn into a game of plugging holes.
  • Security: Even if the specific app isn’t notoriously insecure, every piece of IT added without planning and consideration represents a possible attack point.
  • Rework: If a piece of shadow IT needs to become a formal part of the enterprise, it’s harder to retrofit one new piece of technology than it is to include it in the plan from the start.

Can shadow IT be ‘safe’?

The clearest path to making shadow IT ‘safe’ is to have IT and security review and approve the app or tool for use. For apps and tools that have been specifically disapproved or banned by the organization, the known vulnerabilities or functional problems mean that there is likely no ‘safe’ way to use them.

However, for a large portion of shadow IT, the fundamental problem is right in the name: It’s all in the shadows, beyond the visibility of IT and security tools. It’s not that employees are likely doing nefarious, problematic, or otherwise risky things while using shadow IT. It’s that IT and security teams simply cannot be sure that they’re not doing risky things. The key, then, is finding a way to gain visibility into shadow IT activity.

Can you do anything about shadow IT? Should you?

Completely preventing the use of shadow IT is nearly impossible for a reason all IT and security professionals know well: Users find a way. Users want to take the path of least resistance – not because they’re lazy, but because they want to work faster and smarter. Imposing overbearing IT policies can curtail some shadow IT among the most rule-following users.

But strict policies can lead users to find creative workarounds, chasing shadow IT activity further into the shadows. Moreover, overbearing user policies can end up creating major barriers to the things an organization cares about most: productivity, collaboration, innovation, and speed to market. It’s more important – and effective – to start from the root problem with shadow IT: the lack of visibility.

 

How to see shadow IT and enable business agility

  • Talk with business leaders about the tools your company uses.

If users are downloading new apps, signing up for new services, and sharing information in ways you can’t see, it could be a sign the tools they were given aren’t good enough. Working with the business leaders at your company can help everyone get a better sense of why the company uses the IT tools it does, what users think of it and what’s right for the company.

 

  • Focus on the data activity – not the user activity.

At the end of the day, it’s the data that IT and security teams (and the business as a whole) want to protect. Leading security teams are adopting a data-centric approach to risk management that starts with the premise that all data matters. This means that organizations can’t just focus on what they think is valuable/sensitive/in need of protecting today. They need to be able to see all their data as it moves anywhere in their ecosystem – whether through approved tools or shadow IT.

 

  • Use analytics to get a clear signal of your true risk.

Despite the name, the vast majority of shadow IT activity is completely harmless: it’s just creative employees finding better, smarter ways to get work done. So while gaining visibility into shadow IT activity is the critical foundation, security teams also need to tune out the noise of harmless activity and see the actual risk. Fortunately, advanced AI-powered tools can take in the constant feed of information on shadow IT data activity – including the metadata that provides the critical context around user, data, and vector (who, what, and where) – and deliver a clear, high-fidelity risk signal. In other words, analytics and AI tools can help IT and security focus on what really matters and protect the business from data risk – all without inhibiting user speed, agility, and ingenuity. This lets IT and security teams become true enablers of the productivity, collaboration, and innovation that give the business its competitive advantage. Advanced AI and BI tools are already unlocking the value buried in mountains of unstructured data, and the same potential exists within data security: by leveraging metadata to put context around unstructured data, advanced analytics can separate everyday productivity and collaboration from the cases where valuable or sensitive data moves in abnormal ways that are more likely to present risk to the business.

  • Establish a dialogue with users.

One of the main reasons shadow IT pops up is that employees feel IT is walled off and inaccessible. Let them know why it’s important to clear new IT with your department instead of downloading willy-nilly. Make sure they know the procedure for finding, approving, and using new IT. Create an open-door policy for getting in touch with IT if they have questions about using a new app or service for a project.

 

  • Put tools in place that bring shadow IT activity into the light.

As mentioned, the biggest problem/risk with shadow IT is ultimately its invisibility. You can’t determine if something is safe and secure if you can’t see it – but there are security tools that can empower IT and security teams with full, deep visibility into their users’ shadow IT activity. These tools don’t just reveal shadow IT in use; they can provide the metadata that paints the relevant context around exactly what users are doing with it and how data is moving in the shadows. This visibility is a powerful starting point for taking action to identify and mitigate the actual risky activity within shadow IT without inhibiting users’ productivity and collaboration.
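As an added illustration of the visibility-plus-analytics approach described here and under the analytics point above (example code written for this page, not part of the glossary or any vendor’s product): a small Python scorer over constructed file-movement events that baselines each user’s usual vectors, ignores sanctioned channels and routine shadow use, and surfaces only sensitive data leaving over an unsanctioned vector, a first-time vector for that user, or an unusual volume. The vector names, classification labels and bulk threshold are assumptions.

```python
"""Toy shadow-IT signal: separate noisy-but-harmless activity from risky data movement."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical vector names; which ones count as sanctioned is an assumption.
SANCTIONED = {"sharepoint", "corp-email"}
SENSITIVE = {"confidential", "restricted"}       # assumed classification labels
BULK_BYTES = 500 * 1024 * 1024                   # assumed threshold for unusual volume

@dataclass(frozen=True)
class Event:
    user: str       # who
    path: str       # what
    size: int
    label: str      # classification tag attached to the file
    vector: str     # where the data went (Dropbox, AirDrop, USB, e-mail, ...)

def baseline(history):
    """Per-user set of vectors already seen: the 'normal' for each person."""
    seen = defaultdict(set)
    for e in history:
        seen[e.user].add(e.vector)
    return seen

def score(events, history):
    """Return (event, reasons) for events worth a look; harmless shadow use stays silent."""
    known = baseline(history)
    shadow_bytes = defaultdict(int)              # running volume per user over unsanctioned vectors
    alerts = []
    for e in events:
        if e.vector in SANCTIONED:
            continue                             # approved channel: not shadow IT at all
        reasons = []
        if e.label in SENSITIVE:
            reasons.append("sensitive data over unsanctioned vector")
        if e.vector not in known[e.user]:
            reasons.append("vector never used by this user before")
        shadow_bytes[e.user] += e.size
        if shadow_bytes[e.user] > BULK_BYTES:
            reasons.append("unusual volume to unsanctioned vectors")
        if reasons:
            alerts.append((e, reasons))
    return alerts

# Constructed sample telemetry, not real data.
HISTORY = [Event("ana", "notes.txt", 2_000, "public", "dropbox")] * 3
TODAY = [
    Event("ana", "team-lunch.xlsx", 40_000, "public", "dropbox"),          # routine, stays quiet
    Event("ana", "q3-forecast.xlsx", 900_000, "confidential", "dropbox"),  # sensitive data leaving
    Event("bo", "design.sketch", 700 * 1024 * 1024, "internal", "usb"),    # new vector and bulk copy
    Event("bo", "status.docx", 10_000, "internal", "corp-email"),          # sanctioned, ignored
]

if __name__ == "__main__":
    for ev, why in score(TODAY, HISTORY):
        print(f"{ev.user} -> {ev.vector} ({ev.path}): " + "; ".join(why))
```

Run as-is, it reports two of the four events; the routine Dropbox upload and the sanctioned e-mail produce no alert.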

 

  • Focus on proportional response.

The rigid blocking approach has always been problematic, frustrating users and security teams alike. Today, organizations simply can’t afford to inhibit speed, agility, collaboration, and innovation. They need to empower their employees’ ingenuity – and that means allowing unstructured data and files to move and evolve. But with comprehensive visibility, context and analytics, they can protect the value created through that free collaboration. They’ll have not only a clear signal of what’s actually risky but also the context to investigate immediately and drive a rapid, right-sized response to protect the data without inhibiting the business.
