Shadow IT
In this article
What is shadow IT?
Shadow IT refers to the use of software and other technologies that have not been approved by an organisation’s IT department. Many employees use shadow IT, often unknowingly. For example, there are organisations where only Signal is officially allowed as a messaging app, but people still use WhatsApp without thinking about it.
Origins of shadow IT
Shadow IT is not a new phenomenon. Even back when employees worked solely in the office on their desktop computers – without the internet – people brought disks or USB sticks to install a ‘handy tool’ every now and again. However, in recent years, the use of shadow IT has become much more popular. Several trends have directly contributed to this:
- Cloud computing is a significant driver. You can easily download an application online, simply install an app, or create an account giving access to a SaaS service.
- Financially, it is also very accessible, as in many cases you can get started with a free basic account.
- Following the pandemic, remote working has become more common; everyone is increasingly used to setting up their own workspace and choosing their own tools.
- The use of personal devices (BYOD or Bring Your Own Device) is also a contributing factor. You can often install software on your own smartphone or laptop without restrictions; personal and business use overlaps.
How does shadow IT arise?
However, the ease of using shadow IT does not necessarily explain why it is so prevalent. It is not so much about a reluctance to follow the IT department’s rules, but for other reasons:
- More comfortable ways of working: If you get a tip about a new tool that allows you to do something faster or easier, it is tempting to install and try out the app.
- IT limitations: The IT department is often already busy with existing and strictly necessary applications. There is simply no time to meet additional user needs.
- Drive for innovation: Increasingly, employees are ‘digital natives’ who are constantly looking for innovations. And innovative apps are entering the market at an ever-faster pace.
- User-friendliness: Novel applications are often developed with the user experience as the starting point. Conventional business applications often score much lower in this regard.
- Procedures and policies: In some organisations, it is difficult for employees to request additional software. Licensing costs, policies and manual processes make the process cumbersome. Because of this, an online download quickly becomes appealing.
In short, shadow IT often meets a need that the internal IT department cannot fulfill, and internal policies and application procedures do not help either. This makes it challenging to completely eliminate shadow IT.
Examples of shadow IT
Shadow IT usually does not involve enterprise applications used by everyone, such as CRM packages and financial systems. Given all the surrounding processes and linked systems, it is unrealistic to seek an alternative for these without involving the IT department. However, for applications that can be used more at one’s discretion, shadow IT is much more tempting. A few examples:
- Tools to compress and send large files are very popular. Many tools – such as WeTransfer – are often used without involving the IT department.
- The same applies to cloud storage services. If collaboration between teams or companies is difficult with the regular software, users quickly solve it with a Google Drive, Dropbox or OneDrive account.
- For agile project software, creative tools and planning applications, there are usually plenty of alternatives available that often offer slightly better options than the in-house IT range, if there is even any available.
Moreover, it is not just about the ‘uncontrolled’ installation of software. Shadow IT can also involve hardware that is directly purchased by an employee or department without involving IT specialists. And that handy colleague who develops their own app without IT department involvement also qualifies as shadow IT.
Risks of shadow IT
Shadow IT is almost impossible to prevent and is sometimes used almost unnoticed. For example, a 2020 survey by business intelligence provider Statista found that 42 percent of respondents used their personal email accounts for work purposes, without IT department permission.
Moreover, the growth is continuing. The percentage of employees who purchase, modify or develop technology without consulting the IT department is expected to grow from 41% in 2022 to 75% in 2027, according to Gartner. Gartner also included shadow IT as one of the top 8 cybersecurity issues for the coming years.
And with good reason. Firstly, you do not want to install malware along that handy application you just downloaded. You also want to ensure that applications comply with internal guidelines for information security and privacy. Additionally, you want to ensure that access to software and data is secure and you want guarantees about where data is stored with cloud solutions.
Besides these security concerns, there are also risks related to the availability and integrity of your ‘shadow data’. Will your files still be available in three months? Will your documents not unintentionally become public domain with a basic subscription? These are important questions that shadow IT users often do not ask or only briefly consider.
Tips to combat shadow IT
Completely eliminating shadow IT is usually not possible. However, we can try to limit its use and better control it. Here are a few tips:
- Shadow IT becomes more manageable if you provide employees with company phones and computers. With company hardware, you have more control over the software that can be installed and what data is stored.
- At the same time, you can enforce usage rules for Bring Your Own Device (BYOD). For example, you can limit session length so that people have to log in again regularly.
- Thanks to device management software, you can create a good separation between personal and business apps and folders on any device.
- It is also wise to actively monitor usage, especially for applications with an increased risk of misuse.
- If you still want to allow employees to develop their own software, for example for data analysis or process automation, low-code platforms are an option. This ensures that the IT department can develop and monitor code according to guidelines.
Apart from such measures, awareness remains the most important, as always with information security. If users are well informed about the risks and considerations of shadow IT, you probably will not completely eliminate it, but people will make wiser choices.
Finally – but no less important – it is crucial to actively promote the internal portfolio of approved applications. Sometimes people do not even know that certain applications are supported by the internal IT department and unnecessarily choose an unwanted alternative. Make sure there is a good and accessible service and software catalogue available, and that software can be easily requested and used.
A modern IAM platform can support this. For example, HelloID supports the use of a service catalogue. This allows you to streamline the process of software request and approval by the relevant manager(s) entirely online. If employees can request and activate software with one click, they are less likely to look for shadow IT.
Because shadow IT is used without the IT department being able to assess the security and stability of the software, its use poses risks to network security, information security and privacy.
The IT department does not have a standard solution available for every user need. In those cases, users often look for a shadow IT solution.
Shadow IT often does not comply with ISO 27001 guidelines, as the lack of control and oversight of the software poses security risks.
A low-code platform is a development environment that allows users to easily develop applications and integrations without programming knowledge. Low-code platforms do this with an intuitive graphical user interface. Well-known examples include Mendix and the Microsoft Power Platform.