Shadow IT Defined
Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It has grown exponentially in recent years with the adoption of cloud-based applications and services.
While shadow IT can improve employee productivity and drive innovation, it can also introduce serious security risks to your organization through data leaks, potential compliance violations, and more.
Why Employees Use Shadow IT
One of the biggest reasons employees engage in shadow IT is simply to work more efficiently. A 2012 RSA study reported that 35 percent of employees feel like they need to work around their company's security policies just to get their job done. For example, an employee may discover a better file-sharing application than the one officially permitted. Once they begin using it, use could spread to other members of their department.
The rapid growth of cloud-based consumer applications has also increased the adoption of shadow IT. Long gone are the days of packaged software; common applications like Slack and Dropbox are available at the click of a button. And shadow IT extends beyond work applications to employees’ personal devices such as smartphones or laptops, a practice known as Bring Your Own Device (BYOD).
Shadow IT Security Risks and Challenges
The bottom line is that if IT isn’t aware of an application, they can’t support it or ensure that it’s secure. Industry analyst firm Gartner predicts that by 2020, one-third of successful attacks experienced by enterprises will be on their shadow IT resources. While it’s clear that shadow IT isn’t going away, organizations can minimize risk by educating end users and taking preventative measures to monitor and manage unsanctioned applications.
Not all shadow IT is inherently dangerous, but certain features like file sharing/storage and collaboration (e.g., Google Docs) can result in sensitive data leaks. And this risk extends beyond just applications: the RSA study also reports that 63 percent of employees send work documents to their personal email to work from home, exposing data to networks that can’t be monitored by IT. Beyond security risks, shadow IT can also waste money if different departments are unknowingly purchasing duplicate solutions.
Benefits of Shadow IT
Despite its risks, shadow IT has its benefits. Getting approval from IT can require time employees can’t afford to waste. For many employees, IT approval is a bottleneck to productivity, especially when they can get their own solution up and running in just minutes.
Having IT act like an Orwellian “Big Brother” isn’t always conducive to productivity, and distinguishing between good and bad shadow IT may be the best compromise. Finding a middle ground can allow end users to find the solutions that work best for them while allowing IT to control data and user permissions for the applications. This lessens the IT department’s burden; if end users don’t need to request new solutions, that frees up IT’s time to focus on more business-critical tasks.
Popular Shadow IT Examples
Applications: Dropbox, Google Docs, Slack, Skype, Excel Macros, Microsoft Office 365
Hardware: Personal laptops, tablets, and smartphones