Archive Data Protection

    What is Shadow IT? Examples, Risks, and Solutions

    How do organizations mitigate risk without full oversight of their IT solutions stack?

    by Emily Schwenke

    Key Points

    • This blog was originally posted on the Aware website, but with the acquisition of Aware by Mimecast, we are ensuring it is also available to visitors to the Mimecast website.
    • Shadow IT poses risks like security gaps, noncompliance, and wasted IT budgets. Unapproved tools can compromise data, disrupt workflows, and violate regulations.
    • Addressing shadow IT starts with understanding why it happens. Employees often use unauthorized tools to work more efficiently; auditing and offering better solutions can reduce these risks.

    Shadow IT is defined as any unauthorized hardware, applications, or software implemented and managed by departments other than IT. With the rise of cloud-based SaaS solutions, shadow IT use has exploded — and could be up to ten times higher than known IT usage.

    Shadow IT often seems innocuous. But it can leave the enterprise open to significant risk. From regulatory noncompliance to data exfiltration, organizations have good reason to want to prevent shadow IT in their digital workplaces.

    Why Do People Use Shadow IT?

    To tackle shadow IT, organizations must first understand what drives employees to use it. Most people want to do their jobs as efficiently and effectively as possible. That means using tools to help speed up repetitive processes, cut through red tape, and make work easier. If the organization doesn’t provide the right tools for the job, employees will go out and find them for themselves.

    Any program can become part of a shadow IT network if it isn’t approved and regulated by the organization. Even — perhaps especially — tools that were built for enterprise use. And sometimes software decisions are nothing more than a matter of personal preference.

    If the enterprise uses Microsoft Teams to communicate but the dev team unilaterally decides to switch to Slack, then Slack becomes part of that organization’s shadow IT. If Marketing uses Pages instead of O365, or Sales uses Dropbox instead of the company-approved file storage platform, they are introducing shadow IT.

    More Examples of Shadow IT

    Greg links his work email to his Outlook account on his personal phone to circumvent security protocols that prevent him from accessing his messages on the road. He shares this tip with his colleagues, who all follow suit.

    Sally prefers managing her schedule through Asana instead of Basecamp. She invites members of her team to join her project and they migrate away from the company-sanctioned tools.

    Jose needs to split a PDF to remove confidential information ahead of a big meeting. He uploads the file to a free website to modify the document. The site works so well that he downloads the freemium tool for future use and encourages the rest of his department to do the same.

    Shadow IT software typically enters the workplace to fulfill an unmet need. When searching for where it exists in your enterprise, consider the common activities that employees perform and the potential roadblocks that make doing their jobs harder.

    • Do they have tools to create and edit common file types?
    • Can they communicate effectively with internal and external contacts?
    • Is it easy to access, share, and collaborate on documents?
    • How many security steps does it take to log into everyday programs?

    Cloud-based applications form the bulk of shadow IT in most organizations. Each department within the enterprise has its own roles and requirements, and they all have dedicated software solutions available. From Marketing to Sales to HR, it’s important to speak to stakeholders across the entire organization to understand all the different IT solutions that are currently in use.

    What is Shadow IT Risk?

    If the purpose of shadow IT is to help employees to work better, what’s the problem? Especially if workers are using programs designed for enterprise use. It’s tempting to dismiss shadow IT as an inevitable part of doing business, and consider its risks overinflated. But without oversight from legal, compliance and IT officers, shadow IT can leave the organization vulnerable to data exfiltration, regulatory noncompliance and more.

    Security Gaps and Data Exfiltration

    Perhaps the biggest risk posed by shadow IT is to your company’s data. When employees use unauthorized programs to store and share proprietary information, the organization loses control over where that data ends up — or who ends up seeing it. That’s a big problem when 83% of IT professionals report their coworkers store company information on unsanctioned platforms (G2).

    Shadow IT case study: The increase in employees working remotely since the onset of the pandemic has gone hand-in-hand with a rise in data leaks. Incidents are up 63%, with exposure from shadow assets increasing 40% in 2021 alone. More than half of all cyber attacks now stem from shadow IT.

    Regulatory Noncompliance

    Also of significant concern to modern enterprises, shadow IT is often used, intentionally or not, to circumvent legal and regulatory compliance measures. Staff members storing or sharing PII/PCI/PHI via private channels won't pass any audits.

    Companies that must abide by rules and regulations such as HIPAA, FINRA, or CMMC 2.0 are particularly vulnerable, but any organization can find itself in hot water due to shadow IT. If you don’t have full oversight of where employees are creating or storing data, you can’t exercise compliance with legislation such as GDPR or CCPA.

    Shadow IT case study: The banking industry was hit with a series of wide-reaching investigations — and record-breaking fines — after the SEC and other regulatory authorities began investigating the use of messaging apps for business purposes. The SEC has long made it clear that the Securities and Exchange Act retention rules apply toward any form of modern communication, including collaboration and messaging apps. Institutions which fail to wrap their arms around all the ways their employees are communicating leave themselves open to massive risk as a result.

    System Inefficiencies

    One of the goals of an IT solutions stack is to integrate programs so employees can work efficiently. But if one team switches to a different application, that can create problems when working with others. Variations in user access and edit permissions between programs can create unnecessary barriers that prevent different departments from collaborating effectively.

    A wider-reaching impact of shadow IT is to bake inefficiencies into the wider tech stack. Without full oversight, IT departments cannot accurately assess capacity and can’t plan for performance and security. Any analysis of the stack is incomplete and therefore inaccurate. And reports on business functions themselves might also be incomplete. This loss of control can lead to major decisions being made based on incorrect data.

    Wasted Expenditure

    The price of software is increasing. With more and more businesses locked into SaaS contracts in place of one-time purchase licenses, IT departments need to manage their costs more carefully than ever. Yet over a third of all software expenditure is wasted, costing U.S. businesses more than $30 billion annually.

    Shadow IT impacts expenditure in several ways. First, most products begin to infiltrate the organization through free personal accounts. But to switch on a popular shadow IT program for business use typically requires enterprise licenses that come at considerable expense.

    Existing software can also go unused if employees prefer shadow IT solutions, contributing to the $30 billion wasted each year. And shadow IT programs don’t always integrate well with the company’s existing IT infrastructure. This creates additional costs for security and compatibility.

    How to Control Shadow IT in the Workplace

    Getting ahead of shadow IT usage is critical for IT leaders looking to secure business data and maximize their budgets. The most important step is to audit the existing tech stack to understand where shadow IT already exists within the business infrastructure. Speaking to different departments across the company is fundamental, as each field uses unique software solutions.

    Consider how to word questions about shadow IT usage to fully uncover a true picture. Four in five employees admit to using unauthorized IT applications for work purposes (G2). Some may not even consider the tools they use to be shadow IT or understand the risks they have introduced. Focus first on discovery, and then on reeducation to control shadow IT effectively.

    How Aware Helps Organizations Manage Shadow IT

    Bringing order to the chaos of remote work environments is what Aware is all about. Our platform provides comprehensive security and insights for collaboration solutions such as Slack, Microsoft Teams and Yammer and Workplace from Meta.

    Protect your organization with AI/ML-infused workflows to monitor for data loss prevention and governance, risk and compliance. Ring-fence multiple collaboration solutions with a tool that works across your ecosystem. Simplify managing your IT stack with automated notifications for unauthorized activity. And manage it all from a single pane of glass.

    To learn more about other risks facing the digital workplace, download our free whitepaper. Discover the top data security threats impacting modern enterprises, and how to take a proactive approach to securing your company data.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page