What is shadow IT?
Shadow IT refers to information technology resources — such as hardware, software, or cloud computing tools — used within an organization without the approval or knowledge of the central IT department.
As these IT resources fall outside official processes and policies, they can pose a security risk that might result in data leaks or malware proliferation. Without clear visibility into this unsanctioned IT, risk management within your corporate network becomes increasingly challenging as potential vulnerabilities are harder to identify.
Shadow IT usage is typically due to employees having difficulty meeting their responsibilities with sanctioned tools and services — it’s rarely the result of malicious intent. It can manifest across organizations of various sizes in many ways:
- Cloud storage and file sharing – Employees may use free or personal accounts for services like Google Drive or Dropbox to store work documents instead of the organization’s approved platform, due to lack of storage space or difficulty sharing files externally, increasing the risk of data loss.
- Communication and collaboration tools – Teams might use messaging apps like WhatsApp or Slack for internal communication instead of sanctioned channels. These apps are harder to monitor and may lead to data protection and compliance issues.
- Unsanctioned software – From project management tools like Trello to productivity apps like Google Docs, departments might deploy all manner of software without following the organization’s official IT procurement process. This is often because permitted tools and services don’t provide the required functionality, or the process for requesting new software is ineffective or slow.
- Personal devices – Employees may use their own laptops, tablets, or smartphones to access sensitive data. This may be permitted in BYOD (bring your own device) environments. However, devices can still fly under the radar, lacking security measures like antivirus software and increasing your attack surface as a result.
The damage caused by shadow IT
It’s true that shadow IT can sometimes address immediate needs and improve productivity within your workforce. However, its unsanctioned nature can be a major concern for Chief Information Officers (CIOs) over the long term across a range of areas:
Security risks
Unapproved software and hardware within your IT ecosystem poses a significant risk to your security posture, as it often lacks the controls IT teams apply to sanctioned systems, such as endpoint protection or access controls. This increases the risk of cybersecurity threats like malware, phishing attacks, ransomware, or unauthorized access to sensitive data. Even popular solutions like Microsoft 365 can be risky if deployed without control.
Furthermore, shadow IT applications may not comply with industry regulations such as GDPR or HIPAA, leading to hefty fines and reputational damage in the event of a data breach.
Financial concerns
There are significant financial risks of shadow IT — primarily unmanaged spend within your organization. Employees may purchase software and subscriptions using personal credit cards, bypassing budget controls and creating hidden costs.
Auto-renewals on free trials or subscriptions for shadow IT services can lead to unnoticed recurring charges. Dependence on unsanctioned tools can also make switching to approved solutions costlier further down the line.
Operational challenges
Management of unsanctioned software or hardware is inherently difficult, with IT departments lacking control over provisioning, updates, and maintenance. Shadow IT can complicate onboarding and offboarding processes, increasing security risks and potential for data loss.
It is also often hard to integrate these platforms with existing IT infrastructure, hindering workflows and collaboration within your organization.
Productivity impact
Shadow IT and unauthorized tools create inconsistencies in how teams work across an organization, causing inefficiencies, confusion, and poor connectivity with the rest of your computing architecture.
It can create a significant support burden on IT staff, who end up wasting time troubleshooting tools they’re unfamiliar with. Additionally, lack of proper training with unsanctioned software may reduce employee productivity.
Vendor reliability
As shadow IT happens outside of the organization’s standard procurement process, there’s no guarantee the service provider meets requirements around uptime, customer support, or updates. This can lead to unexpected outages or disruptions to critical business activities.
This unsanctioned procurement usually comes with a lack of due diligence, increasing the risk that a vendor may suddenly discontinue or change the pricing of products and services that employees have come to rely on.
How to take control of IT purchasing and eradicate shadow IT
Complete elimination of shadow IT within your organization is an unrealistic expectation, but there are plenty of ways to minimize its presence and regain control. Here are some best practices to consider.
1. Identify employee needs
If you want to reduce the use of shadow IT, you need to understand why end users resort to it in the first place. Approved solutions may not offer adequate functionality or a strong user experience. By identifying where your sanctioned tools may be lacking, you can fill in the gaps before shadow IT becomes prevalent.
2. Avoid overzealous security policies
Sometimes it’s necessary to keep a tight grip on your IT systems, but it’s important to strike the right balance. If your security policies are too restrictive, staff are more likely to circumvent them with shadow IT.
3. Simplify procurement
Streamlining your organization’s procurement cycle means less time to acquire new tools, helping you meet employee needs before they resort to shadow IT. Introducing a self-service portal makes it even easier for your staff to browse and request approved IT resources efficiently.
4. Monitor and evaluate usage
Asset management tools and network scanners can help you keep tabs on IT usage within your organization and uncover unsanctioned devices. Furthermore, monitoring usage and uptake can help you identify areas for improvement within your existing offerings and policies. Ensuring complete SaaS visibility is fundamental here.
5. Implement cybersecurity solutions
Robust access controls can prevent unauthorized devices from accessing your network, and proper endpoint protection can protect your assets should an attacker gain entry via shadow IT. Consider using a cloud access security broker (CASB) to govern permissions and usage of SaaS applications across your organization.
6. Increase awareness
Educate your employees about shadow IT risks and the importance and benefits of using approved tools. Remember — use of shadow IT is rarely malicious, and it presents an opportunity to develop a more positive cybersecurity culture within your organization.
7. Develop clear policies
Establishing straightforward guidelines on acceptable and unacceptable uses of technology will help your employees make informed decisions and understand when they might be breaking company policy.
8. Foster open communication
Use of shadow IT is often due to shortfalls in your existing stack. Encouraging dialogue between employees and IT departments can uncover problems or frustrations with approved IT resources, enabling organizations to better equip their staff to maximize both productivity and security.
Maintain visibility over your organization’s SaaS sprawl with Vertice
Shadow IT is an inevitability within most organizations, but it becomes a particularly significant challenge when it goes unchecked. Reducing the risks is near impossible without clear insight into the tools and applications your employees use.
One way to maximize stack visibility is through a management tool such as Vertice’s SaaS Purchasing Platform. Our solution gives you granular user-level insights into all the software and services employees are accessing — both approved and unsanctioned.
On top of this, the SaaS Purchasing Platform helps your business identify unused licenses and eliminate wasted SaaS spend. It can even save you money during the acquisition or renewal of your cloud-based solutions. By letting our experts assist with your procurement operations, we can negotiate more favorable pricing using our market intel on what other companies are paying. To get started, simply get in touch using the contact form below.
Shadow IT FAQs
Shadow IT is any hardware, software, or cloud-based service that hasn’t been approved by the IT department. Examples of shadow IT include connecting to the company network using unmanaged personal devices like phones or tablets, communicating outside of approved channels, utilizing unauthorized software, or storing files in personal accounts. According to Gartner research, shadow IT can make up 30-40% of IT spending, so it’s worth keeping tabs on.
Organizations can detect shadow IT in various ways, such as monitoring network traffic, examining firewall logs, deploying endpoint security tools, and maintaining a comprehensive inventory of authorized devices and software.
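As an added illustration of the detection approach described here and under "Monitor and evaluate usage" (example code written for this page, not a Vertice tool), the script below checks constructed egress-proxy log lines against a sanctioned-SaaS inventory and reports which users sent how much data to unlisted services. The log format, the domain list and all user and host names are assumptions for the sample.

```python
import re
from collections import Counter, defaultdict

# Sanctioned SaaS inventory (constructed sample; a real list comes from your asset register).
SANCTIONED_DOMAINS = {
    "sharepoint.com",
    "teams.microsoft.com",
    "github.com",
}

# Assumed egress proxy log format: "<timestamp> <user> <destination host> <bytes sent>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$")

# Constructed sample log lines; nothing here is real traffic.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice contoso.sharepoint.com 48213
2024-05-01T09:15:44Z bob www.dropbox.com 9120034
2024-05-01T09:16:10Z bob content.dropbox.com 1300200
2024-05-01T10:02:51Z carol api.trello.com 2201
2024-05-01T10:03:07Z alice github.com 55010
2024-05-01T10:20:19Z carol web.whatsapp.com 77023
"""

def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (naive; no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_sanctioned(host: str) -> bool:
    """True for an exact sanctioned host or any subdomain of a sanctioned domain."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SANCTIONED_DOMAINS)

def find_unsanctioned(log_text: str) -> dict:
    """Return {domain: {user: total_bytes}} for destinations not in the inventory."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort a scheduled job
        if is_sanctioned(m["host"]):
            continue
        report[registrable_domain(m["host"])][m["user"]] += int(m["bytes"])
    return {d: dict(users) for d, users in report.items()}

if __name__ == "__main__":
    for domain, users in sorted(find_unsanctioned(SAMPLE_LOG).items()):
        print(f"{domain}: " + ", ".join(f"{u}={b} bytes" for u, b in users.items()))
```

The byte totals per user make it easier to tell a one-off visit from bulk file storage, which is the case the cloud storage bullet above warns about.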
A shadow IT application refers to any software or service used without the approval of the central IT department. Examples include cloud storage services, communication apps, productivity tools, and unauthorized software installed on employee devices.
Cybersecurity refers to the practice of protecting an organization’s IT infrastructure from unauthorized access, disruption, or modification. It involves a range of strategies to combat cyberattacks and threats like malware, phishing, ransomware, and data breaches.