Shadow IT is a term that refers to digital systems, devices (e.g., personal computers (PCs), laptops, tablets, and smartphones), software, applications (i.e., usually off-the-shelf packaged software), and services (i.e., predominately software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)) that are used within an organization without the knowledge of the IT department.
Malware or other malicious assets planted by cybercriminals are not considered shadow IT. Shadow IT only encompasses unsanctioned assets deployed by authorized users.
The steep rise in shadow IT is attributed to the pervasive use of mobile devices and cloud-based applications and services. And, although shadow IT can improve employee productivity and drive innovation, it generates serious vulnerabilities and security risks as it expands the unknown parts of an organization’s attack surface, creating opportunities for cyberattacks and compliance violations.
Causes of shadow IT
The consumerization of technology is a root cause of shadow IT. The low cost and accessibility of IT resources have led to an explosion of shadow IT.
In some cases, the decision to acquire and use shadow IT is deliberate. Users explicitly circumvent IT to procure solutions that IT has disallowed or to access a solution perceived as better than sanctioned resources. Users may also acquire resources without alerting IT because the approval and procurement process is deemed too onerous.
In many cases, users are not willfully excluding their IT department from evaluating resources; they simply sign up to use a system at the behest of partners or other external entities or use systems they use at home or in other organizations.
Shadow IT can also occur when users create websites outside the corporate domain for development or one-off projects. Bring-your-own-device (BYOD) and working from home are other sources of shadow IT.
Shadow IT examples
As the examples below illustrate, shadow IT does not mean the resources are inherently non-secure. The issue with their use lies in the fact that IT does not know they exist and, therefore, cannot protect them. Common examples of shadow IT include:
Any application used for business purposes without involving the IT group, such as applications for:
- Cloud storage
- Collaboration
- Communication and messaging
- Document proofreading
- File sharing
- Productivity
- Project management
- Social media management, as well as
Employees’ personal devices
- Laptops
- Phones
- Storage devices (e.g., USB drives and external hard drives)
- Tablets
Shadow IT risks
While shadow IT is adopted for the benefits provided by the selected tools, shadow IT assets increase cyber risk by creating vulnerabilities that fall outside the reach of security systems, including the following.
Collaboration inefficiencies
Shadow IT introduces systems that are not used across an organization. This creates collaboration issues related to communications and data sharing, since shadow IT often is not integrated with sanctioned systems and workflows.
Compliance violations
Shadow IT rarely meets the stringent compliance requirements of regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and General Data Protection Regulation (GDPR). This only puts data at risk, but exposes organizations to fines and penalties related to compliance violations.
Data inconsistency
When data is spread across shadow IT, it falls outside IT’s centralized management. This results in the creation and propagation of unofficial, invalid, or outdated information as well as creates versioning issues.
Data insecurity
When sensitive data is stored on, accessed by, or transmitted through shadow IT systems and applications, the risk of data breaches or leaks increases significantly. In addition, data stored outside of sanctioned IT systems is not included in backups, putting it at risk of irrevocable loss in the event of a failure or attack.
Lack of IT visibility and control
Because shadow IT often goes undetected by security teams, organizations are exposed to unknown vulnerabilities commonly exploited by cybercriminals.
Operational inefficiencies
Shadow IT often does not integrate easily with sanctioned IT infrastructure. The result is workflow obstacles and challenges in sharing and synchronizing information. In addition, conflicts can arise when IT-sanctioned solutions are introduced that interfere with or interrupt shadow IT that users rely on for day-to-day operations.
Security issues
Shadow IT introduces security gaps that can undermine even the most sophisticated protections.
Shadow IT benefits
Although shadow IT has risks, its users tout its benefits as a reason for using it, including that it:
- Allows employees to use the best tools for their jobs
- Eliminates time and productivity bottlenecks related to getting approval from IT for new systems
- Enables teams to be more agile in responding to business changes
- Facilitates the rapid adoption of new technology
- Facilitates the launch of new systems in just minutes
- Improves productivity by allowing employees to use the tools with which they are most comfortable
- Increases employee satisfaction by letting them use the tools they like
Shadow IT FAQ
Why do employees use shadow IT?
Three of the most commonly cited reasons that employees use shadow IT are:
- IT takes too long to approve new systems.
- Security policies inhibit them from getting their job done.
- Shadow IT increases their efficiency.
Are shadow IT and malware the same thing?
Shadow IT and malware are not the same thing. Although shadow IT can be a source of malware infiltration, it is not malware.
Shadow IT is associated with malware because cybercriminals often target shadow IT with malware and ransomware as it is considered to be a weak access point. This is because shadow IT usually lacks the security controls that protect sanctioned IT systems.
How should organizations mitigate shadow IT risk?
Although it is nearly impossible to eradicate shadow IT, best practices for mitigating it include improving the user-friendliness of IT-sanctioned resources by:
- Educating employees about the risks of shadow IT
- Ensuring easy access to the resources employees need, including those accessing them remotely
- Making a list of IT-approved vendors and services that are easily accessible
- Performing SaaS assessments to proactively detect shadow IT
- Prioritizing user experience (UX)
- Providing support for integrating tools
- Streamlining user account
- Using operating systems with which employees are comfortable
Compromising to minimize shadow IT risks
Although IT departments want employees to use sanctioned systems so that they can be protected with corporate security controls and included in overarching operational and budgeting plans, some departments have determined that strict control over what systems are sanctioned and how this is achieved has driven users to shadow IT.
As a result, some organizations choose a more open approach to shadow IT systems that benefits everyone concerned: IT teams determine what is used and how best to protect it, and users have access to the tools they want and need.
Although this type of compromise is not easy, working together is one way that users and IT can find ways to mitigate the risk of shadow IT.
