Shadow IT

Shadow IT has become a growing problem for businesses in cloud-based and app-driven environments, and it is also something employees need to understand the risks of. Shadow IT and related problems such as lateral movement can arise as the lines between work and personal technology use blur and passwords are shared. 

Below is a guide to shadow IT and its potential implications. 

The Basics

Shadow IT is a term referring to the use of IT systems, software, applications, devices, and services without the approval of an IT department. Shadow IT has become increasingly common with the growing usage of cloud-based services and applications. 

In some ways, shadow IT can be beneficial. For example, it can help with productivity. At the same time, it creates significant security risks and possible compliance and regulatory violations. 

One of the biggest reasons employees say they use shadow IT is because it helps them work more efficiently. Many employees report feeling like they have to work around security policies set by their employer to get their job done effectively. 

An example might occur if an employee starts using a file-sharing or collaborative app they think is better than the one their employer officially allows. Then, once one employee uses it, there’s a high likelihood others will. 

Cloud-based applications for consumers have led to more adoption of shadow IT too. For example, you can start using applications like Slack with just the click of a button. 

Shadow IT goes beyond work applications. It also includes the personal devices of employees, particularly under Bring Your Own Device (BYOD) policies. 

Some scenarios you might not even think about can actually fit into the category of shadow IT. For example, if someone in a business buys a consumer router because they need it fast, this becomes shadow IT. Using personal devices to connect to the business network is another example, although SaaS applications and services are, by and large, the biggest examples. 

What Are the Risks of Shadow IT?

Some of the most salient risks that an organization can face because of shadow IT include:

  • Data compromise: The biggest risk of shadow IT is compromised data. If you’re using SaaS services to store or share company information, it could lead to unauthorized data access. Unauthorized access can occur because of poor security protocols at the SaaS service or because you’re sharing the data inappropriately outside of the company. Data loss is another concern: the employer is unable to implement identity and access management policies and relevant controls on a service it doesn’t manage, and data may be lost permanently because employees are much less likely to create backups. 
  • Noncompliance: If you’re an employee, you have to comply with the regulations of the industry you work in. Regulatory compliance is now relevant even to companies that aren’t typically thought of as being in closely-regulated industries. For example, California’s Consumer Privacy Act and the EU’s General Data Protection Regulation (GDPR) both make compliance a priority for businesses across the board. With shadow IT, compliance is increasingly difficult. 
  • Security: With shadow IT, the business or IT team isn’t assessing the SaaS service’s security measures in the first place. The mitigation measures the employer puts in place for its own IT architecture aren’t going to exist for services it isn’t managing. Along with weak security practices at the SaaS service itself, unpatched vulnerabilities, a lack of visibility into an increased attack surface, and weak or unsecured passwords are also specific risks. 
  • Cost: From the business perspective, estimates show that almost 1/3 of SaaS licenses aren’t used or are underused, meaning inefficiency and unneeded expenses. 

What Can Employers Do?

From the employee standpoint, dealing with shadow IT and its resulting risks is fairly simple: stop using unapproved apps or SaaS services. 

From a business perspective, it can be more difficult. 

Businesses need to work to get visibility into their entire SaaS ecosystem. 

Organizations need to work on ensuring identity is at the core of their approach to risk management. They also need to put all SaaS apps under a centralized governance and management process. 
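One practical starting point for that visibility is to look at what employees actually reach from the corporate network. The script below is an added example, not code from the original article: it reads web-proxy log lines, extracts the destination host, compares it against an IT-maintained allowlist of sanctioned SaaS domains, and reports every unapproved service together with how many distinct users reach it, so that a service that is spreading from one employee to several stands out. The log format, the allowlist, the domain names and the user names are all constructed for the example.

```python
"""Shadow SaaS discovery from web-proxy logs (added example, not the article's code).

Finds SaaS hosts reached by employees that are not on the IT-approved
allowlist and counts distinct users per host. Every domain, user and
log line below is a constructed sample.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of IT-sanctioned SaaS hosts (hypothetical names).
APPROVED_SAAS = {
    "mail.example-corp.com",
    "drive.approved-storage.example",
    "chat.approved-collab.example",
}

# Constructed suffixes for internal or CDN traffic that is not SaaS usage.
IGNORE_SUFFIXES = (".example-corp.com", ".cdn-noise.example")

# Constructed proxy log lines: "<timestamp> <user> <method> <target> <status>".
SAMPLE_LOG = """\
2024-05-01T09:01:12Z alice GET https://drive.approved-storage.example/files/1 200
2024-05-01T09:02:40Z alice POST https://upload.unsanctioned-share.example/api/put 201
2024-05-01T09:05:03Z bob GET https://chat.approved-collab.example/ 200
2024-05-01T09:07:55Z bob GET https://upload.unsanctioned-share.example/folder/x 200
2024-05-01T09:10:21Z carol CONNECT upload.unsanctioned-share.example:443 200
2024-05-01T09:12:00Z dave GET https://static.cdn-noise.example/app.js 200
2024-05-01T09:15:37Z erin GET https://notes.personal-app.example/login 200
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_of(target: str) -> Optional[str]:
    """Return the hostname from a full URL or from a CONNECT host:port target."""
    if "://" in target:
        return urlsplit(target).hostname
    host, _, _port = target.partition(":")
    return host or None


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (user, host) for a well-formed log line, or None if it is malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    _ts, user, _method, target, _status = match.groups()
    host = host_of(target)
    return (user, host.lower()) if host else None


def is_noise(host: str) -> bool:
    """True for internal or CDN hosts that should not count as SaaS usage."""
    return host.endswith(IGNORE_SUFFIXES)


def find_unsanctioned(log_text: str) -> Dict[str, Set[str]]:
    """Map each host outside the allowlist to the set of users who reached it."""
    users_by_host: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        user, host = parsed
        if host in APPROVED_SAAS or is_noise(host):
            continue
        users_by_host[host].add(user)
    return dict(users_by_host)


def report(log_text: str) -> List[Tuple[str, int]]:
    """Rank unapproved hosts by distinct-user count, most widespread first."""
    found = find_unsanctioned(log_text)
    return sorted(((h, len(u)) for h, u in found.items()),
                  key=lambda item: (-item[1], item[0]))


def spreading(log_text: str, min_users: int = 2) -> List[str]:
    """Hosts reached by at least min_users people: services that have spread."""
    return [h for h, n in report(log_text) if n >= min_users]


if __name__ == "__main__":
    for host, count in report(SAMPLE_LOG):
        print(f"{host}: {count} user(s)")
    print("spreading:", spreading(SAMPLE_LOG))
```

Because the input is a constructed sample, the allowlist and the ignore suffixes would in practice come from the asset inventory and the proxy or DNS log source the organization already has; the point of the example is the shape of the check (parse, normalize the host, compare against what IT has approved, then count people rather than requests), which carries over to CASB, DNS or firewall logs with only the parser changed.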

Once employers recognize the risks of shadow IT and start to figure out how prevalent it is, they can create an approach that brings benefits on several fronts.

With the modern workplace continuing to evolve, hybrid and remote models are undoubtedly the way forward, but they will only make the risks of shadow IT greater. Employers need to recognize what they’re up against and why employees turn to these other apps and solutions, and find what will meet their needs for efficiency, before they can truly have a fully visible picture of all cybersecurity risks.