What is Shadow IT?
Shadow IT is a term used to describe IT systems, applications, or services that are used within an organization without the explicit approval, knowledge, or oversight of the IT department or the organization’s management. It typically arises when employees or departments adopt and use software, hardware, or cloud services for their specific needs without going through the official IT procurement or security processes.
As the word “shadow” implies, these IT activities exist in the background, hidden from the official IT infrastructure and support. Whilst it can mean something dark and sinister is afoot, more often it is simply an employee using an application without IT’s knowledge. However, even when individuals or teams resort to shadow IT with good intentions, such as finding a quick solution to a specific need or improving productivity, it can create several challenges and risks for the organization, including:
- Security risks: Shadow IT often lacks proper security controls and may expose sensitive data or systems to breaches, hacks, or data leaks. When a single employee subscribes to a SaaS app to perform a certain task, it is unlikely that they will also put in place a procedure to revoke their access and hand the account over to a colleague when they leave the company, so the account, and the company data in it, lives on unmanaged.
- Data loss: When IT systems are not centrally managed, data may be stored in unsecured locations, leading to data loss or accidental deletion. Often it is not even a deletion problem: the one individual who adopted a tool leaves the company and nobody else knows where the data is or what the login details are.
- Unreliable or flaky supplier: Many SaaS apps are produced by startups and small companies and run on rented co-location or cloud hardware. If the company goes bust in a puff of venture-capital-fueled smoke or gets hacked, you have a problem.
- Unsupported or unpatched: Freeware versions of tools that are easily accessible to individuals often come with no support commitments, can be withdrawn on a whim, may lack security features that are reserved for paid tiers (SSO, audit logging, enforced MFA are common examples), and may even be the test bed for the commercial paid version, not subject to the same security hardening, patching and testing.
- Lack of integration: Shadow IT applications may not be well integrated with the rest of the organization’s systems, leading to data silos and inefficiencies. Staff may copy and paste bits of information into the official systems, which then drift out of sync with what is actually happening in practice.
- Compliance issues: Organizations may face compliance and legal problems when using unapproved software or services that fail to meet regulatory requirements. SaaS tools with web frontends are often hosted in a US cloud and may not meet GDPR-type data residency and compliance needs in Switzerland or Germany. Increasingly, potential customers include RFI (Request for Information) questions asking whether a supplier has processes in place to evaluate and approve the applications it uses.
- Increased costs: The use of multiple uncoordinated IT solutions can lead to duplication of efforts and increased costs for the organization. Many SaaS tools are free to encourage uptake but when used in anger at scale will require an upgrade to a paid tier.
At the extreme of the Shadow IT spectrum is something I call “Black Hole IT”: activity the IT team has zero visibility of because people are using applications and infrastructure completely outside corporate control, for example calling colleagues or customers on personal mobile phones or messaging them via personal WhatsApp accounts.
Organizations that are unaware of shadow IT usage, or that fail to address it, may incur hefty regulatory fines and face lawsuits that damage their brand reputation, see: Banks Fined $549 Million Over Use of WhatsApp and Other Messaging Apps – The New York Times (nytimes.com).
For another take on the potential costs of Shadow IT, see: 14 potential costs of shadow IT | TechTarget.
SaaS and Cloud fuel Shadow IT
Cloud services, especially SaaS, have become a significant category of shadow IT. With a wealth of services and apps available, often as freeware, in many organizations staff members routinely install and use them without involving the IT group.
Ideally, everyone in an organization should understand that SaaS tools need to be vetted and assessed by qualified individuals. We recently wrote an article to help IT teams assess SaaS vendors and products, see: Should I Trust a SaaS Vendor or Product?.
What applications are frequently used as Shadow IT?
Several types of applications are frequently found as shadow IT within organizations, the most common being:
- Cloud storage and file-sharing services: Employees often turn to cloud storage and file-sharing platforms like Dropbox, Google Drive, or OneDrive to store and share files conveniently. These services provide easy access to files from various devices but may not always comply with the organization’s security policies.
- Messaging and collaboration tools: Employees may use instant messaging platforms like Slack or Microsoft Teams to communicate and collaborate with colleagues. While these tools can improve team productivity, their use outside official channels may pose data security risks.
- Note-taking and productivity apps: Tools like Evernote, Trello, or Asana are commonly used by employees to organize tasks, notes, and projects, which may not be approved or supported by the IT department.
- Personal email accounts: Employees might use personal email accounts, such as Gmail or Yahoo Mail, for work-related communications when they feel the official email system is too restrictive or inconvenient.
- Project management software: Various project management tools like Basecamp, Wrike, or Monday.com can help teams organize and track projects, even if they haven’t been vetted or approved by IT. Often, only the paid higher tiers offer enterprise security features, and these may not fit the existing company strategy, e.g., a tool that only supports Google SSO in an organization that has standardized on Microsoft SSO.
- Video conferencing tools: With the rise of remote work, employees may adopt video conferencing tools like Zoom, Skype, or Google Meet without the IT department’s explicit approval.
- Analytics and data visualization tools: Business analysts and data-savvy employees may use tools like Tableau, Power BI, or Google Analytics for data analysis and reporting.
- Personal productivity software: Individual employees might use personal productivity tools like Microsoft Office 365 or Google Workspace to streamline their work, even if the organization hasn’t officially adopted them.
- Image processing apps: There are a wealth of free tools out there that can jazz up photos or generate diagrams and infographics for websites and PowerPoint presentations, but if the slide an employee uploads to them is your confidential finance briefing slide or your top-secret silicon chip IP diagram, you have a potential security and/or compliance issue.
- AI technologies and tools: Many are turning to consumer-friendly AI tools such as ChatGPT and using them much as they would a search engine, especially to write marketing copy and documentation. Beyond this, some are using them to rewrite code, which means they are pasting their own code (and potentially company proprietary IP) into such systems. Some file sharing tools such as Dropbox will also use customer data to train AI features, albeit only with consent; however, whether the person consenting understands what they are agreeing to is questionable if the IT team isn’t involved.
- BYOD: Use of personal laptops, tablets and smartphones (BYOD, or “bring your own device”) is widely considered to also constitute shadow IT, especially if those devices are used for work purposes without following company protocols.
For those interested in corner-cases and nuances, Evan Schuman’s article is insightful, see: The shadow IT fight — 2023 style | Computerworld.
Is AI a concern for Shadow IT?
Very much so. It was widely reported how Samsung workers unwittingly leaked proprietary and confidential data by using ChatGPT to help them with tasks. Engineers at Samsung’s semiconductor arm used the AI tool to help fix problems with their source code, but in doing so the workers entered data such as new in-development source code and internal meeting notes relating to their hardware. See: Samsung workers made a major error by using ChatGPT | TechRadar.
A succinct summary on this growing genre of Shadow IT is covered in: Shadow IT Is Growing in the Age of ChatGPT.
EUC veteran Brian Madden has also written on this subject and the challenges in trying to close this particular Pandora’s box, see: The Consumerization of IT roars back, and this time they have AI! | LinkedIn.
Brian Jackson at Forbes recently wrote about how many organizations are now taking steps to implement policies and controls around LLM (Large Language Model) type AI applications such as Chat-GPT, see: How To Avoid Fueling ‘Shadow AI’ With The Right Policy For Generative AI Chatbots (forbes.com).
How can you solve the Shadow IT problem?
Shadow IT is fundamentally a cultural problem. To address shadow IT, organizations need to foster a culture of openness and collaboration between IT and other departments. IT departments need to be approachable and responsive, working with employees to understand their needs and providing approved alternatives that meet those requirements.
Implementing appropriate IT governance, policies, and security measures can help minimize the risks associated with shadow IT while still enabling innovation, creativity and efficiency. However, most Shadow IT issues are caused by well-meaning employees who simply do not understand the implications of their actions, so staff training and education is probably the most effective approach.
Why do people use Shadow IT?
To tackle Shadow IT, you need to understand the motivations of those who are installing software without involving the IT team. Some common reasons people might engage in Shadow IT include:
- Speed and Agility: Shadow IT can allow departments or individuals to quickly adopt tools and technologies they believe will improve their productivity without waiting for IT department approval, which may involve lengthy processes.
- Specialized Needs: Some teams have specific needs that they feel standard IT solutions cannot adequately address. They might turn to Shadow IT to find tools that better align with their unique requirements.
- Ease of Use: Some employees may find certain technologies or software solutions more intuitive or user-friendly than what the IT department provides, making them more likely to use those tools. New employees may naturally wish to use the same familiar tools they had provided at a previous employer rather than overcome the learning curve associated with unfamiliar tools.
- Lack of Awareness: In some cases, employees might not be aware of the official IT-approved tools that could fulfill their needs, leading them to find their own solutions. Many employees will have little understanding of the work that IT departments do to assess tools for longevity, backup and security.
- Perceived Bureaucracy: Organizations with complex or slow IT approval processes might drive employees to adopt Shadow IT as a way to bypass what they perceive as unnecessary red tape.
- Experimentation: Employees might experiment with new tools or services to see if they can enhance their productivity or find innovative ways of solving problems.
- Siloed Budgets and Information: Different departments or teams might have their own technology budgets or resources, leading to the adoption of tools without central IT oversight.
- Remote Work and Mobility: The rise of remote work and mobile technologies has made it easier for employees to access and adopt tools that might not be officially sanctioned by IT.
How can an organization tackle the challenges of Shadow IT?
Organizations need to strike a balance between enabling employees to find tools that enhance their productivity and maintaining proper governance, security, and control over their technology landscape.
To address Shadow IT, organizations can take several steps, such as:
- Communication and Education: Educate employees about the approved IT solutions and their benefits, so they are aware of the resources available to them. Ensure employees are trained to use any tools provided.
- Streamlined Approval Processes: Make IT approval processes more efficient to prevent frustration and delays that might lead to Shadow IT adoption.
- Collaboration: Foster collaboration between IT and other departments to understand their needs and work together to find suitable solutions.
- Security Measures: Implement robust security measures and policies to protect against potential security vulnerabilities introduced by unauthorized tools, and make the sanctioned tools at least as convenient as the unsanctioned ones (SSO, MFA and sensible sharing defaults) so that the secure path is also the easy path.
- Block SaaS URLs: Most organizations maintain blocklists and/or allowlists of websites and services they do not want employees using. This can be effective both in preventing the use of SaaS tools and in alerting individuals to the fact that they may be doing something unsanctioned. Bear in mind that URL filtering only sees traffic that passes through the corporate proxy or secure web gateway; personal devices on home networks bypass it entirely. Tools such as eG Enterprise will allow you to monitor browser usage and URLs accessed if required.
- Centralized Management: Provide a centralized platform or portal where employees can request new tools or technologies, allowing IT to evaluate and approve them if appropriate.
- Regular Audits: Periodically assess the technology landscape to identify and address any Shadow IT that might have been adopted. Tools such as Microsoft Defender for Cloud Apps can help organizations assess Shadow IT exposure, see: Discover and manage Shadow IT – Microsoft Defender for Cloud Apps | Microsoft Learn.
- Monitor for Signs of Shadow IT in use: Employee behavior and workflows continuously evolve alongside the IT tools themselves. Good observability and monitoring tools can give insights into the first signs of Shadow IT usage. Monitoring usage of the official UC (Unified Communication) tools can be insightful: if employees are rarely using the provided tool, such as MS Teams, it is often worth investigating how they are communicating instead.
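The “Regular Audits” and “Monitor for Signs of Shadow IT” steps above both come down to the same first pass in practice: take whatever web-proxy or secure web gateway logs you already have, work out which destinations belong to known SaaS services, and report the ones nobody has approved, per user. The script below is an added example written for this article; it is not code from the original page, from eG Enterprise or from Microsoft Defender for Cloud Apps. The SaaS catalogue, the sanctioned allowlist, the seven-field log format and the sample log lines are all constructed for illustration (a real deployment would feed in a vendor or CASB catalogue and your actual proxy export). It matches parent domains so that `files.dropbox.com` and `www.dropbox.com` roll up to one service, skips malformed lines rather than aborting the audit, and sums bytes sent on POST/PUT because uploads are the signal that matters for data leaving the company.

```python
"""Shadow IT discovery over web-proxy logs (added example, constructed data)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical catalogue: registered domain -> SaaS service name.
# A real deployment would use a CASB or threat-intel feed; this is illustrative.
SAAS_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "sharepoint.com": "OneDrive/SharePoint",
    "slack.com": "Slack",
    "trello.com": "Trello",
    "openai.com": "ChatGPT",
    "web.whatsapp.com": "WhatsApp Web",
}

# Services this (hypothetical) organization has vetted and approved.
SANCTIONED = {"OneDrive/SharePoint", "Slack"}


@dataclass
class Finding:
    """Unsanctioned SaaS usage aggregated for one user and one service."""
    user: str
    service: str
    requests: int = 0
    bytes_sent: int = 0          # only counted for POST/PUT (uploads)
    hosts: set = field(default_factory=set)


def classify_host(host: str):
    """Map a host to a catalogue service, checking the host and each parent
    domain so content.dropboxapi.com matches the dropboxapi.com entry."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SAAS_CATALOGUE:
            return SAAS_CATALOGUE[candidate]
    return None


def parse_line(line: str):
    """Parse 'timestamp user src_ip method url status bytes_sent'.
    Returns None for malformed lines so one bad record does not stop the audit."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _ts, user, _src_ip, method, url, _status, sent = parts
    host = urlsplit(url).hostname
    if not host or not sent.isdigit():
        return None
    return {"user": user, "method": method.upper(), "host": host, "bytes_sent": int(sent)}


def discover_shadow_it(lines):
    """Return Findings for every (user, service) pair that is a known SaaS
    service but not on the sanctioned list, largest uploads first."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(rec["host"])
        if service is None or service in SANCTIONED:
            continue
        key = (rec["user"], service)
        f = findings.setdefault(key, Finding(rec["user"], service))
        f.requests += 1
        f.hosts.add(rec["host"])
        if rec["method"] in ("POST", "PUT"):
            f.bytes_sent += rec["bytes_sent"]
    return sorted(findings.values(), key=lambda f: (-f.bytes_sent, f.user, f.service))


# Constructed sample proxy log lines (not real traffic). Includes sanctioned
# services, an upload to Dropbox, ChatGPT prompts and one malformed record.
SAMPLE_LOG = """\
2024-05-01T09:01:10Z alice 10.0.0.5 GET https://contoso.sharepoint.com/sites/eng 200 0
2024-05-01T09:02:44Z alice 10.0.0.5 POST https://content.dropboxapi.com/2/files/upload 200 5242880
2024-05-01T09:03:01Z alice 10.0.0.5 GET https://www.dropbox.com/home 200 0
2024-05-01T09:05:17Z bob 10.0.0.9 POST https://chat.openai.com/backend-api/conversation 200 18432
2024-05-01T09:06:30Z bob 10.0.0.9 GET https://app.slack.com/client/T123 200 0
2024-05-01T09:07:02Z carol 10.0.0.11 GET https://trello.com/b/abc/board 200 0
malformed line here
2024-05-01T09:08:15Z bob 10.0.0.9 POST https://chat.openai.com/backend-api/conversation 200 2048
"""

if __name__ == "__main__":
    for f in discover_shadow_it(SAMPLE_LOG.splitlines()):
        print(f"{f.user:<8}{f.service:<12}requests={f.requests:<4}"
              f"bytes_sent={f.bytes_sent:<10}hosts={sorted(f.hosts)}")
```

Run as-is it reports alice uploading roughly 5 MB to Dropbox, bob sending prompts to ChatGPT and carol browsing Trello, while the SharePoint and Slack traffic is ignored as sanctioned. Two caveats a practitioner should keep in mind: the hostnames this relies on are only available if the proxy sees them (via CONNECT or TLS inspection), and anything that never touches the corporate proxy, the “Black Hole IT” of personal phones and personal WhatsApp described earlier, will not appear at all, which is exactly why the UC-usage signal in the last bullet is worth watching alongside the logs.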
eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces,
web applications, SaaS services, cloud and containers from a single pane of glass.
- 5 Tips for Managing Shadow IT | CSA (cloudsecurityalliance.org)
- Monitoring Microsoft Teams and similar tools can reveal Shadow IT communications, see: Microsoft Teams Monitoring – Tools & Strategies (eginnovations.com).
- Taking an app-centric approach can be one part of a strategy to counteract Shadow IT usage, with the side-benefits of improving the digital employee experience, see: Application-Centric EUC Monitoring is Key to Digital Employee Experience (DEX) | eG Innovations.