What is shadow IT: Benefits, risks, and examples
Learn what shadow IT is, the risks involved, when it’s valuable, and how to set up your organization to manage IT effectively.
Shadow IT is the use of IT hardware or software by an individual without the knowledge of the organization’s IT department.
With the rapid proliferation of mobile devices and cloud services, IT has moved from a tightly controlled environment with strong cybersecurity to an open environment with many stakeholders and movements. Users have become comfortable downloading and using apps and services from the cloud to assist them in their work and will do so with or without company approval.
The result of these developments is the proliferation of shadow IT, which likely takes up a larger chunk of your total software spending than you might think.
SaaS management software can provide both visibility and control of apps throughout the organization.
What are the problems with shadow IT?
Redundant apps, lapsed subscriptions, siloed data, and collaboration inefficiencies are common problems associated with shadow IT. Every new device and application added without IT’s knowledge risks creating a security gap.
Malware can take systems down in the blink of an eye, and one wrong move can leave reams of data unsecured, making the possibility of a data breach a scary thought. A well-intentioned user can do more harm than good, and IT (more specifically, the CIO) will be on the hook for any cyberattacks.
But are there any benefits of shadow IT?
People use shadow IT for a reason: flexibility. One of the more common motivations for a user to choose an “unapproved” app is that it is more efficient and effective than what the IT department has chosen. Chances are pretty good that the employee hired to play a specific role may know more about the tools of their trade than IT.
Despite its security dangers, shadow IT allows end users to quickly and easily source the cloud-based applications they need to be more productive and interact smoothly with co-workers, customers, and partners.
Types of shadow IT
Unmonitored spending on software tools is the most common culprit of shadow IT and is the first that comes to mind for most businesses.
But shadow IT can reach much further than you might first think.
SaaS apps are a pervasive form of shadow IT with their easy access, low barrier to signup, and deceptively insignificant initial cost.
Something as simple as an employee signing up for a free Canva account to draw up a safety sign for their branch could be considered shadow IT, especially if that free account eventually becomes a paid subscription.
Other classic examples of unsanctioned SaaS spending include:
- Communications tools like Slack or Microsoft Teams
- Project management suites like Asana or ClickUp
- Productivity platforms like Trello or Toggl Track
- Document storage platforms like Google Docs or Notion
- Tools for running webinars like Demio or GoToWebinar
Shadow IoT devices and network hardware
The Internet of things (IoT) covers various physical devices that connect to your digital network.
If the IT team doesn’t sign off using these, it’s shadow IT.
Common examples include:
- Wirelessly controlled lights
- WiFi-connected cameras
- Smart appliances and machines like printers and break room refrigerators
- Smartphones where the company has a bring-your-own-device policy
If businesses expand to add new offices or acquire other companies, they often incorporate additional subnets. These can remain unknown to the IT department until their IP addresses are discovered and put under IT control.
Many organizations use virtual desktops to log in to a virtual computer using their device.
The problem is that virtual machines can be created and destroyed with just a few clicks, so many can exist without the explicit consent of an IT professional, resulting in another type of shadow IT.
Local applications are small software tools local to a single device (rather than accessed over the internet like a SaaS platform), such as a KVM (keyboard, video, mouse) management solution.
Examples of shadow IT
Common examples of software purchased without the knowledge of the IT department include:
- Productivity apps (Trello, Slack, Asana)
- Messaging apps on corporate-owned devices (Snapchat, WhatsApp)
- Physical devices (flash drives, external drives)
- Cloud storage (Dropbox, Google Drive)
- Communication apps (Skype, VOIP)
What is the risk of shadow IT?
With the spread of information technology into consumers’ hands, hundreds of these shadow IT applications are used at the typical enterprise. The opacity surrounding each one represents a security gap.
Although some applications are harmless, others include functionality such as file sharing and storage or collaboration, which creates IT security vulnerabilities and can present big risks to an organization and its sensitive data. IT and security departments need to see which applications are being used and the risks they pose.
How to detect shadow IT
There are some technical steps you can take to sniff out shadow cloud and IT services, including:
- Firewall logs
- Web proxy logs
- Data loss prevention tools
- Network-aware monitoring tools
You can set up an automated process with any combination of these tools to alert admins about new cloud usage as soon as it is discovered. However, there might be areas where visibility is limited, and the setup process is a heavy lift.
Mobile creates an extra wrinkle, as SaaS applications do not necessarily travel through your business’s network.
How to prevent shadow IT
It’s not entirely preventable, but there are preventative steps you can take to improve cloud security.
A culture change to a collaborative environment lets IT and business teams share goals and stay aligned. Transparent processes and workflows for requesting new technology and a quick turnaround time for new app requests keep employees feeling heard and productive.
Training regarding internal processes, the risk involved with shadow IT, and transparency around what is in use by other teams will help employees feel empowered to go through the right channels rather than installing their apps.
SaaS management software such as Vendr can help by providing visibility and control of software as a service (SaaS) apps. Vendr allows users to see all SaaS apps in use and who uses them to optimize spending, manage vendors, and provide a central place for data security and compliance. See how Vendr can help.
Shadow IT: A brief history
Enterprise IT was traditionally highly structured, expensive, and limited to a known set of hardware and software vendors. Every project would take a long time (months or years) to implement, typically requiring a lot of custom development to make it all work.
With this history, it’s unsurprising that a company’s internal IT systems strove to reduce variables. It was hard enough to get the solution you paid for to work well. And as long as employees were using desktop computers connected to the corporate network, keeping tight control and reducing variables was relatively straightforward.
As the consumer computer industry grew and accelerated by the rise of the Internet, we began to see a “consumerization” of IT. Employees started using laptops on home networks and on the road. They started relying on their computers and phones for “company” work. This created a massive headache for the traditional IT world that sought control and elimination of variables.
To manage this changing landscape, IT began its long fight against any non-sanctioned technology products. They even created a disparaging term for these unofficial products: shadow IT.
The traditional response to shadow IT was eliminating it and returning control to the centralized process. An entire suite of tools was built to help manage and control shadow IT. Wikipedia lists the typical implications of Shadow IT as:
- Wasted time
- Inconsistent business logic
- Inconsistent approach
- Wasted investment
- Higher risk of data loss or leaks
- Barrier to enhancement
- Organizational dysfunction
- Effect on IT departments
Notice a common thread: They are all negative. This is not an accident. And this pejorative attitude towards shadow IT is pervasive to this day.
SaaS: Pandora’s box for shadow IT
While shadow IT was a problem before SaaS, the proliferation of free, freemium, and inexpensive per-seat service providers resulted in a massive explosion in shadow IT. This trend is exacerbated by shifting employee preferences. Employees are demanding to use their own devices (the massive BYOD trend).
They are demanding better products as usable as the consumer software they’re used to. They want to be able to work from anywhere. When employees are off the corporate network and hardware, traditional tools for managing and fighting shadow IT (e.g., packet sniffing and computer agents) are ineffective.
This desire for tight control has been counterproductive. As IT gets increasingly restrictive, employees simply go entirely outside the view of traditional IT. This exacerbates shadow IT, resulting in a much larger surface area of company tech usage and data sharing that is invisible to IT.
Inverting shadow IT: Enlightened IT
The first step to effectively managing IT in today’s often SaaS-first world is an inversion of the typical attitude towards shadow IT. Instead of focusing exclusively on its negative effects, we should also focus on the many benefits of this new world:
- Leveraging the intelligence of the entire organization, not just IT and leadership
- New product discoveries and quicker org-wide adoption of new tools
- Organic adoption, resulting in employees using the products they want
- Better product discovery as decisions get pushed to users
- Happier and more productive employees
The way to shift focus is to invert the traditional zero-trust attitude towards shadow IT. Start with permission and restrict if needed instead of starting with restriction and approving. Require products to be blacklisted to prevent usage rather than wait for them to be whitelisted.
We call this approach “enlightened IT”. It’s a great way to encourage bottom-up innovation and adoption in an organization. It’s also a better strategic approach to minimize downside risk by seeing everything and reducing blind spots.
How to effectively manage enlightened IT
While it’s essential to invert the traditional IT decision-making process, it’s even more important to do so intelligently, not recklessly. In addition to a new outlook, it requires a different set of tools.
To make this work, you need to be able to:
- Easily capture accurate information on products that employees use, especially when outside company networks or company-owned computers
- Discover product usage across the entire organization, not just traditional decision makers (everyone is a decision maker now)
- Be able and willing to promote and expand products that work well and make employees happier and more productive
- Quickly find and address any security issues to minimize downside risk
- Be easily able to kill what’s not working or what’s not up to security or compliance guidelines
With that in place, you can begin a simple analysis of products discovered across the organization. They should fall into one of four buckets:
- Expand: Usage and adoption of products by teams and individuals can result in finding and choosing products that make the entire company happier and more productive. Products that meet these characteristics should expand to more users and teams and be brought into the core stack.
- Allow: A more open policy allows for many more products that may not necessarily need to be expanded but serve a particular function for a particular team and can go on doing so in a self-supported way. Many department-specific tools, such as marketing lead enrichment, fall under this bucket.
- Research: This is the most critical part of the enlightened IT framework. Experimentation with new apps is excellent and should be allowed and encouraged. However, monitoring and research are still critical. Products with access to sensitive information, e.g., financial contracts and PII (personally identifiable information), should be more closely vetted to ensure they meet your internal security requirements. After that initial research, then expand, allow, or restrict.
- Restrict: Certain apps may permanently be restricted by your particular organization. Due to industry-specific compliance needs, team sensitivities, or proactive decisions to consolidate specific tools. The appropriate framework considers these restricted apps as a specific “blacklist.” The default for a new app is to be able to test it, but certain products can be blacklisted.
Changing an organization's culture to encourage bottom-up adoptions and more permissionless innovation requires buy-in from various teams, especially IT. If you can make this change and leverage product intelligence across the entire organization, you’ll likely have happier, more productive employees and fewer worries about shadow IT.