Shadow IT

What is Shadow IT?

Shadow IT refers to the use of software and other technologies not approved by an organization’s IT department. Many employees use shadow IT, often without realizing it. For example, some organizations officially allow only Signal as a messaging app, yet people still use WhatsApp without thinking.

Drivers of Shadow IT

Shadow IT is not a new phenomenon. Even when employees still worked only on office desktops without internet access, people brought disks or USB drives to install a handy tool. However, in recent years, the use of shadow IT has become increasingly common. Several trends have directly contributed to this:

  • Cloud computing is a major driver. You can easily download an application online, simply install an app, or sign up for an account with a SaaS service.

  • Financially, it is accessible as well; in many cases, you can start with a free basic account.

  • Building on that, since COVID, we have been working remotely much more; everyone has become more accustomed to setting up their own workspace and choosing their own tools.

  • The use of personal devices (BYOD, bring your own device) also contributes. On your own smartphone or laptop, you can usually install software without restrictions, so personal and business use overlap.

How Does Shadow IT Emerge?

The ease of using shadow IT alone does not fully explain why it is so common. It is not primarily driven by a reluctance to follow IT policies, but rather by other factors:

  • Better Work Experience: If you receive a tip about a new tool that lets you do something faster or more easily, it is tempting to install and try the app.

  • IT Constraints: The IT department is often already busy with existing, mission-critical applications. There is simply not enough time to address additional user needs.

  • Drive for Innovation: An increasing number of employees are tech-savvy and continually seek new capabilities. Innovative apps are coming to market at an increasing pace.

  • Ease of Use: New tools are often developed with user experience as the starting point. Standard enterprise applications often score much lower on this.

  • Procedures and Policies: In some organizations, employees find it difficult to request additional software. Licensing costs, policies, and manual processes slow the process. An online download then becomes attractive.

In short, shadow IT often addresses needs the IT department cannot meet, and internal policies and request procedures do not help either. That makes it difficult to eliminate shadow IT entirely.

Examples of Shadow IT

Shadow IT usually does not involve enterprise applications used by everyone, such as the CRM suite and financial systems. Given the surrounding processes and connected systems, it is unrealistic to expect an alternative to these without IT department support. For applications that can be used more at individual discretion, shadow IT is much more tempting. A few examples:

  • Tools for compressing and sending large files are very popular. Many tools, such as WeTransfer, are often used without involving the IT department.

  • The same applies to cloud storage services. If collaboration between teams or companies is difficult with standard software, users often work around it by using a Google Drive, Dropbox, or OneDrive account.

  • For agile project software, creative tools, and planning applications, there are usually many options with capabilities that exceed the internal IT portfolio, if one is available at all.

It is also not only about the uncontrolled installation of software. Shadow IT can also involve hardware purchased directly by an employee or department without involving IT specialists. That helpful colleague who develops an in-house app without IT department involvement also falls under the shadow IT umbrella.

Risks of Shadow IT

It's hard to prevent shadow IT, and it is sometimes used without anyone noticing. A 2020 survey by business intelligence provider Statista [1] found, for example, that 42 percent of respondents also use their personal email accounts for work without IT department approval.

Growth is continuing as well. Gartner [2] expects the percentage of employees who purchase, modify, or develop technology without consulting the IT department to increase from 41% in 2022 to 75% in 2027. Gartner therefore included shadow IT among its top 8 cybersecurity issues for the coming years.

And with good reason. First, you do not want to install malware along with a convenient application. You also need assurance that applications comply with your own information security and privacy guidelines. In addition, you want certainty that access to the software and data is secured, and for cloud solutions, you want guarantees about where the data is stored.

Beyond these security questions, there are risks to the availability and integrity of your shadow data. Will your files still be available in three months? Are your documents unintentionally in the public domain with a basic subscription? These are important questions that users of shadow IT often do not ask or only investigate superficially.

5 Tips to Counter Shadow IT

Eliminating shadow IT is usually not feasible. We can, however, try to limit its use and bring it under better control. Here are several guidelines:

  1. Shadow IT becomes more manageable when you provide employees with corporate phones and computers. With corporate hardware, you have more control over what software can be installed and what data is stored.

  2. At the same time, even with bring-your-own-device (BYOD), you can enforce usage policies. For example, you can limit session duration so users must sign in again regularly.

  3. In any case, with device management software, you can clearly separate personal content from business apps and folders across all devices.

  4. It is also advisable to actively monitor usage, especially for applications with a heightened risk of misuse.

  5. If you still want to enable employees to build software themselves, for example, for data analysis or process automation, low-code platforms are an option. They enable the IT department to ensure that code is developed and monitored in accordance with policy.
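Tip 4 (actively monitor usage) is the one measure that can be turned into a concrete check. The following added example is not code from this page or from HelloID; it shows how a defender can run a web-proxy log against the approved application portfolio and flag requests to the file-transfer, cloud-storage, and messaging services named above. The log format, the approved-domain list, the watchlist, and the log lines themselves are all constructed for the example.

```python
"""Flag unsanctioned SaaS usage in web-proxy logs (constructed example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed log format (constructed): one request per line,
# "<timestamp> <user> <method> <url> <status> <bytes_sent>".
# Service names follow the article's examples (WeTransfer, Dropbox,
# Google Drive, WhatsApp); user names and sizes are made up.
SAMPLE_LOG = """\
2024-05-06T08:01:12Z alice GET https://mail.example.com/owa/ 200 1204
2024-05-06T08:05:44Z alice POST https://wetransfer.com/api/v4/transfers 200 52428800
2024-05-06T08:07:03Z bob GET https://www.dropbox.com/home 200 3310
2024-05-06T08:09:51Z bob POST https://content.dropboxapi.com/2/files/upload 200 10485760
2024-05-06T08:12:30Z carol GET https://teams.microsoft.com/ 200 8801
2024-05-06T08:15:07Z carol GET https://web.whatsapp.com/ 200 2210
2024-05-06T08:20:19Z dave POST https://drive.google.com/upload 200 2097152
2024-05-06T08:22:45Z dave GET https://example-my.sharepoint.com/personal/dave 200 4100
"""

# Approved portfolio (constructed). A host counts as approved when it equals
# a listed domain or is a subdomain of it.
APPROVED_DOMAINS = {"mail.example.com", "teams.microsoft.com", "sharepoint.com"}

# Watchlist of services outside the portfolio (constructed), mapped to the
# kind of shadow IT they represent.
WATCHLIST = {
    "wetransfer.com": "file transfer",
    "dropbox.com": "cloud storage",
    "dropboxapi.com": "cloud storage",
    "drive.google.com": "cloud storage",
    "web.whatsapp.com": "messaging",
}


def host_matches(host, domains):
    """True if host equals or is a subdomain of any entry in `domains`."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host):
    """Return ("approved" | "shadow" | "unknown", service label or None)."""
    if host_matches(host, APPROVED_DOMAINS):
        return ("approved", None)
    for domain, label in WATCHLIST.items():
        if host_matches(host, {domain}):
            return ("shadow", label)
    return ("unknown", None)


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, user, method, url, status, size = fields
    return {"ts": ts, "user": user, "method": method,
            "host": urlsplit(url).hostname or "",
            "status": int(status), "bytes": int(size)}


def find_shadow_usage(log_text):
    """Return every request to a watchlisted service, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category, label = classify(rec["host"])
        if category == "shadow":
            findings.append({**rec, "service": label})
    return findings


def upload_volume(findings):
    """Bytes sent to unsanctioned services per user (POST/PUT only).

    Uploads, not page views, are what put company data outside IT's control,
    so the volume is a better triage signal than the raw hit count.
    """
    totals = defaultdict(int)
    for f in findings:
        if f["method"] in ("POST", "PUT"):
            totals[f["user"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_shadow_usage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["user"]:6} {h["service"]:14} {h["host"]}')
    for user, size in upload_volume(hits).items():
        print(f"{user}: {size / 1_048_576:.1f} MiB uploaded to unsanctioned services")
```

In a real deployment the approved list would come from the service catalog and the watchlist from a CASB or threat-intel feed rather than a literal dict; the "unknown" category is the useful output there, because it surfaces services that have not yet been assessed at all rather than only the well-known ones.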

Beyond such measures, awareness remains the most important factor, as it always is in information security. If users are well informed about the risks and considerations of shadow IT, you probably will not eliminate it, but people will make more prudent choices.

Finally, and no less important, actively promote the portfolio of approved applications. Sometimes, people are unaware that certain applications are supported by the IT department and choose an unnecessary, undesirable alternative. Ensure there is a good and accessible service and software catalog, and that software can be requested and adopted easily.

A modern IAM platform can support this. HelloID supports a service catalog. This allows you to streamline software requests and approvals with the relevant manager(s) entirely online. If employees can request and activate software with one click, they are less likely to resort to shadow IT.

[1] Statista: https://www.statista.com/statistics/1203786/employee-company-shadow-it-usage/

[2] Gartner: https://www.gartner.com/en/newsroom/press-releases/2023-03-28-gartner-unveils-top-8-cybersecurity-predictions-for-2023-2024

What are the dangers of shadow IT?

Because shadow IT is implemented without the IT department's ability to assess the software's security and stability, it introduces risks to the network, information, and privacy security.

What are the benefits of shadow IT according to users?

The IT department does not have a standard solution for every user's needs. In such cases, users often seek a shadow IT solution.

Does shadow IT comply with ISO 27001?

Shadow IT often does not comply with ISO 27001 guidelines because the lack of control and oversight over the software introduces security risks.

What is a low-code platform?

A low-code platform is a development environment that enables users without programming experience to build applications and integrations easily. Low-code platforms provide this through an intuitive graphical user interface; well-known examples include Mendix and the Microsoft Power Platform.