Shadow IT: Pros & cons, how to detect, control & build a policy  

Every workplace encourages its employees to use digital tools in their daily tasks. These tools not only speed up the job but also help people make better decisions. Yet this encouragement has also opened a loophole in security and data protection: shadow IT. Known as one of the biggest concerns in IT, shadow IT has its pros and cons. In this article, let's look at how you can detect shadow IT, control it, and make use of its benefits. 

What is shadow IT?

Shadow IT happens when employees use technological systems, devices, or applications that the IT department has not approved, or does not even know about.  

This happens far more often than we think, and it has increased in recent years as cloud-based applications have become popular. While shadow IT can indeed improve employees' productivity, it can also lead to security breaches, data leaks, and more. 

Examples of shadow IT

Let's illustrate this concept with real-life examples.  

  • Personal and third-party devices: personal laptops, smartphones, hard drives, or other storage devices that are within easy reach of an employee. For example, a worker might stick to their Mac laptop because they are accustomed to it, even though their employer issues Windows as the official operating system.   
  • Unauthorized communication tools: The IT department usually allows only specific communication platforms in order to limit privacy risks. Yet, out of convenience, some teams decide to break the rule. For example, a company's official communication tool is Microsoft Teams, but some individuals discuss their work on Telegram instead.   
  • Users' own software choices: Like unauthorized communication tools, users choosing different tools from those approved also creates shadow IT. For example, a remote worker opts to use his personal machine because it handles coding better than the company-issued laptop.   
  • Personal emails for work purposes: Not using official corporate email accounts can cause serious security breaches.  
  • File sharing through personal accounts: Personal accounts don't have the same level of security as the corporate versions, which can lead to data leaks, ransomware infections, and poor privacy practices. For example, a marketing executive feeds an AI tool her sales data to get a quick analysis and sales report. 

How shadow IT happens

Why do employees still turn to shadow IT even when their companies already provide rich IT resources?


First, employees opt for shadow IT as a convenient way to solve their problems. The in-house IT resources might not provide the solution they need, so they reach for their preferred tools to get the job done.  

Second, Software-as-a-Service (SaaS) makes shadow IT easy. With nothing more than a personal email address, an employee can buy, log in to, and use multiple unauthorized tools. The promise of finishing work faster and being more productive is too convincing.   

However, most of the time employees do this unintentionally, simply because:  

  • Employees are unaware of the risks of shadow IT: It is the IT department's duty to train and guide employees about shadow IT. Most employees are non-technical, and you shouldn't expect them to think about IT-related matters on their own.  
  • The benefits of unsanctioned tools outweigh the privacy and security concerns: Keep in mind that employees aren't focused on company security. They focus on personal and team performance. When a tool gives them that, they adopt it without giving shadow IT much thought. 
  • They use unauthorized tools to perform malicious acts: Not every use of shadow IT is innocent. Some individuals adopt unsanctioned tools specifically to leak data and confidential information, posing a direct risk to the organization.   

The underlying threats of shadow IT

Key takeaway

Using an unsanctioned shadow IT product can cause operational and security breaches, which in turn harm business performance and competitive advantage. 


1. Shadow IT in cyber security

Shadow IT creates a lack of visibility for IT management, increasing the risk of undetected vulnerabilities, policy violations, and misconfigurations.  

(1) Data stored in unauthorized software through personal accounts cannot be accessed by the company if that employee resigns. Even worse, this data can be lost entirely if it is not backed up or archived properly.   

(2) Unsanctioned software is not covered by the organization's security controls. Once it is connected to internal systems, it gives attackers additional entry points that nobody is monitoring, making it an ideal backdoor.   

The cyber threats that shadow IT can enable include:  

  • Ransomware: malware that infiltrates a system and encrypts files and data so that you lose access to them. The attackers then demand payment in exchange for restoring access.   
  • Botnets: a low-effort threat that targets weakly protected devices, including IoT devices and employees' personal machines. Once enrolled in a botnet, an infected personal device can be used to steal credentials for company systems.  
  • DDoS: a Distributed Denial of Service attack uses a collection of compromised devices to flood a target system with repeated, frequent requests until it slows to below its normal speed or stops responding. Compromised personal devices on your network can end up being part of that collection.  
  • DNS tunneling: attackers encode commands, malware, or stolen data inside DNS queries and responses. Because almost every firewall allows DNS traffic, an unmonitored personal device gives them a covert channel that bypasses perimeter controls.   

2. Shadow IT in data management

In data management, shadow IT causes a loss of data control. This happens when employees adopt unapproved services and methods, exposing sensitive data without proper oversight.  

This risky act can result in severe consequences: 

  • The data can be compromised or stolen. Attackers exploit the weak spots of unsanctioned applications and tools, and the resulting breaches happen right under the IT department's nose. If these personal accounts are breached or hijacked, the data may be unrecoverable.   
  • Organizations can unintentionally violate data-protection laws. Companies subject to data-protection regulations are obliged to track and control how data is processed and shared. Once employees use unauthorized tools to do their work or to access sensitive data, the company is at risk of penalties.   
  • Heavy use of shadow IT can be a sign of system inefficiency. When your workers constantly turn to external solutions during their job, it may mean that your company has not provided adequate resources.  

3. Shadow IT in financial management

Dealing with security breaches and the other adverse effects of shadow IT can cost companies an arm and a leg. Instead of paying a lump sum to fix the aftermath, invest properly in IT resources to prevent those scenarios.   


Now imagine if every department had its own tool stack. Your marketing team uses HubSpot for campaign automation and CRM. Meanwhile, the customer service team uses Zendesk for its helpdesk and CRM. Your company now uses and pays for two different CRMs, and every customer record must be entered twice. Management becomes slower, more confusing, and unnecessarily duplicated. 

4. Long-term effect on business performance

Unlike the data, security, and financial threats above, these risks are long-term, unexpected, and harder to detect.  

All teams should work with the same tools, or at least on the same platform. For example, you can use packaged software such as Dynamics 365 for HR, finance, or sales, where each team gets a specific sub-tool. Mismatched software slows down cross-team collaboration, requires more complex integration, wastes precious time, and confuses employees.   

In projects that rely heavily on external apps, progress can be disrupted if an employee or manager quits. When they resign, they take with them the data held in those external apps, which may never have been shared with the rest of the team. Progress can stall because the remaining team members don't have the data to work on.   

5. Watch out for the future: When shadow IT becomes shadow AI

With the growing use cases of generative AI, shadow IT no longer stops at the use of SaaS or cloud-based applications. Every employee can be a source of data exposure when engaging with these AI tools: 

  1. They unintentionally feed the platform important data, because the more detailed the input, the better the answer the AI can generate, which encourages the user to give more. The page notes that this happened three times at a giant like Samsung, forcing the company to ban the use of ChatGPT.
  2. You cannot track or retrieve data once it has been given to the AI. Once it is out there, it is under third-party ownership, and the input may be used to shape the output given to other users. What are the chances that such output lands in front of your competitor? This case did happen when Amazon found its internal data in a ChatGPT response.

Data breaches, malware attacks, and phishing attacks are just some of the many threats of Shadow AI. While AI proves to be a decent tool in daily tasks, businesses should have different methods to keep the data in check. The first thing you can do is to warn your employees. 
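One practical way to "keep the data in check" is to put a filter in front of any external AI tool so that sensitive values never reach it. The following is an added example written for this page, not code from the page's author or from any AI vendor. The identifier formats it matches (a hypothetical CUST- customer ID, sk_/AKIA-style API keys, email addresses) and the sample prompt are assumptions for illustration; you would tune the patterns to your own data.

```python
import re

# Patterns for data that must not leave the company inside a prompt.
# These are assumed examples; tune them to your own identifier formats.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Secrets with a recognisable prefix (assumed: sk_ style and AWS-style AKIA keys).
    "api_key": re.compile(r"\b(?:sk_|AKIA)[A-Za-z0-9_-]{16,}\b"),
    # Hypothetical internal customer identifier format.
    "customer_id": re.compile(r"\bCUST-\d{6}\b"),
}


def scan(prompt):
    """Return {category: [matches]} for every sensitive pattern found in prompt."""
    return {
        name: pat.findall(prompt)
        for name, pat in SENSITIVE_PATTERNS.items()
        if pat.search(prompt)
    }


def redact(prompt):
    """Replace every sensitive match with a [CATEGORY] placeholder.

    Returns (redacted_prompt, findings), where findings is the scan() result
    computed before any substitution so the original values are preserved
    for the audit log.
    """
    findings = scan(prompt)
    redacted = prompt
    for name, pat in SENSITIVE_PATTERNS.items():
        redacted = pat.sub(f"[{name.upper()}]", redacted)
    return redacted, findings


def guard(prompt, mode="redact"):
    """Decide what may be sent to an external AI service.

    mode="redact": send the prompt with sensitive values replaced.
    mode="block":  refuse the whole prompt if anything sensitive is present.
    Returns (allowed, text_to_send, findings). text_to_send is None when blocked.
    """
    redacted, findings = redact(prompt)
    if not findings:
        return True, prompt, findings
    if mode == "block":
        return False, None, findings
    return True, redacted, findings


if __name__ == "__main__":
    # Constructed prompt resembling the "marketing executive feeds sales data" case.
    sample = ("Write a summary of Q2 revenue for CUST-123456; the contact is "
              "jane.doe@example.com and the reporting token is sk_live_abcdef0123456789XYZ.")
    allowed, text, findings = guard(sample)
    print("allowed:", allowed)
    print("sent   :", text)
    print("found  :", findings)
```

The guard sits wherever prompts leave the company, for example in a browser extension, a forward proxy, or an internal chat front-end that wraps the vendor API. In block mode, the findings should be logged (without the raw values) so the IT department can see in which teams shadow AI usage concentrates and what kinds of data employees are trying to share.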

Flip side of the coin: Shadow IT is not always bad

On the other hand, shadow IT is not always the villain; in many situations it is the savior. It's one way for employees to improve productivity. Other benefits of shadow IT include:  

  • Saves employees' time: Employees can set up an application instantly to boost productivity instead of petitioning IT and waiting for implementation.   
  • Increases employee satisfaction and retention: When employees can choose the tools they want, they work more effectively and stay more engaged.  
  • Reduces IT workload: Shadow IT can lessen the burden of a huge IT backlog. Instead of building every required application from scratch or analyzing every off-the-shelf (OTS) request, the IT department can focus on more challenging projects and let other departments take charge of their own software choices.   
  • Encourages digital adoption: Being open to shadow IT lets your business freely discover new tools and alternatives. This drives innovation and engages employees in digital transformation.   
  • Better flexibility: Allowing employees to use a platform to their taste makes the team more creative. At the end of the day, the result is what matters, and if a certain tool helps them perform better, turning a blind eye can be acceptable. 

Because of this, not all businesses are opposed to shadow IT. Leveraging it to the right degree can bring more benefit than harm. This stance is known as pro-shadow IT, which we will cover shortly. 

How to detect shadow IT

If you are a part of the IT department, it’s crucial to know what’s going on in your employees’ end-point devices for the sake of cybersecurity. Here are some ways to address shadow IT. 

1. Check your help desk requests (both approved and declined)

When the IT department refuses an application request, the employee might go behind its back and keep using the tool, even paying for it with their own money.  

The most neglected part of the help desk, the declined requests, can be a great source of evidence. From this information you can trace back and see in which departments shadow IT is most likely to occur.  

At the same time, you can examine the purchase information and expense reports. This will help you know what your organization is paying for and how much has been spent on unauthorized applications.

Note: If an employee can get a purchase through the finance department without IT approval, that points to an internal process problem.  

Fix your workflow to something like this: Employee requests => Manager approves => IT department approves => Finance/ Procurement team approves => Finance/ Procurement team or the Employee finishes the purchase. 

Tools like Low-code workflow automation can help you build this process! 

2. Interview with your team

Using anonymous surveys or questionnaires, you can check: 

  • What tools are they using?  
  • What tools do they find helpful but aren’t approved by the IT department? 
  • What tools do they find useless in the company tool stack? Do you have any suggestions to replace them? 

This is meant to gather employees' insight and be helpful, not to become invasive or micro-managing.  

Keep in mind that questions should be as positive as possible. You are trying to know what your employees are using and why they use it, thus enabling you to establish appropriate policies and solutions.   

3. Perform risk assessments

Performing risk assessments on all applications lets you determine whether they meet the company's standards. Assessing them from the start also lets the IT department spot any security exposure an application might introduce before it happens.   

There are three key criteria for assessment:  

  • Data security risk: analyzes the vendor's security certifications and the technical measures in place for using and sharing data and sensitive information 
  • Regulatory compliance: analyzes where data is stored, who has access rights, and which compliance certifications the vendor holds 
  • Business risk: assesses whether the tool is future-proof and will keep generating value in the long term.     

4. Using automation tool to find shadow IT

This method is more time-efficient and accurate than manual discovery and is suitable for medium and big corporations.   

You can use automated SaaS management or Software Asset Management (SAM) platforms, complemented by employee surveys, to find the apps in your software portfolio along with information such as current users, license counts, purchase types, and so on. These attributes let you establish ownership and accountability for each application and decide which apps stay and which are removed.  

If your firm opts to eliminate shadow IT, here are some useful tools to check out.  

  • AssetSonar: real-time license tracking, including unlicensed software on the company's network;  
  • BetterCloud: automatically removes unsanctioned or redundant applications while providing automated workflows for user onboarding, offboarding, and other admin tasks; 
  • ManageEngine: its application portfolio management tool provides visibility into private, public, and hybrid resources, detects problems, and keeps track of available resources and their performance;   
  • Zluri: a SaaS management platform that aims to eliminate shadow IT using a library of over 225,000 directly integrated SaaS apps and five discovery methods to find SaaS accurately within the organization. 
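To make the discovery step concrete, here is an added example written for this page; it is not code from the page's author or from any of the tools listed above. It scans a DNS query log for two things the page discusses: services whose registrable domain is not on the IT-approved allowlist, which is essentially how SaaS discovery tools and CASBs find shadow SaaS from network logs, and query names whose leftmost label is long and high-entropy, the signature of the DNS tunneling listed under the cyber threats above. The log format, host names, the "tunnel.example" domain, the sanctioned list, and the thresholds are all assumptions.

```python
import csv
import math
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample DNS query log (not from any real resolver or tool).
# Hostnames, timestamps and the "tunnel.example" domain are hypothetical.
SAMPLE_DNS_LOG = """ts,src,qname
2024-05-01T09:00:01,WS-101,teams.microsoft.com
2024-05-01T09:00:05,WS-101,login.microsoftonline.com
2024-05-01T09:01:10,WS-102,api.telegram.org
2024-05-01T09:01:12,WS-102,web.telegram.org
2024-05-01T09:02:00,WS-103,chat.openai.com
2024-05-01T09:02:30,WS-104,support.zendesk.com
2024-05-01T09:03:00,WS-105,4d8a2f6b9c1e7d3a5f0b8c2e6a1d9f4b.tunnel.example
2024-05-01T09:03:01,WS-105,7e1c9a3b5d2f8e4a6c0b1d9f3a5e7c2b.tunnel.example
2024-05-01T09:04:00,WS-101,contoso.sharepoint.com
"""

# Registrable domains of the services IT has approved (assumed allowlist).
SANCTIONED = {"microsoft.com", "microsoftonline.com", "sharepoint.com", "zendesk.com"}


def registrable_domain(qname):
    """Collapse a query name to its last two labels (an eTLD+1 approximation).

    A production version should use the Public Suffix List so that names
    such as example.co.uk are handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s; encoded data scores higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_tunnel(qname, min_label_len=30, min_entropy=3.5):
    """Heuristic for DNS tunneling: exfiltrated data is encoded in the leftmost
    label, so that label is unusually long and close to random. Thresholds are assumed."""
    first_label = qname.split(".")[0]
    return len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy


def analyse(log_text, sanctioned):
    """Return (unsanctioned, tunnel_suspects).

    unsanctioned maps each non-approved registrable domain to the set of hosts
    that queried it; tunnel_suspects lists (host, qname) pairs that look like
    DNS tunneling, regardless of whether the domain is sanctioned.
    """
    unsanctioned = defaultdict(set)
    tunnel_suspects = []
    for row in csv.DictReader(StringIO(log_text)):
        qname = row["qname"]
        if looks_like_tunnel(qname):
            tunnel_suspects.append((row["src"], qname))
        domain = registrable_domain(qname)
        if domain not in sanctioned:
            unsanctioned[domain].add(row["src"])
    return dict(unsanctioned), tunnel_suspects


if __name__ == "__main__":
    found, tunnels = analyse(SAMPLE_DNS_LOG, SANCTIONED)
    for domain, hosts in sorted(found.items()):
        print(f"unsanctioned service {domain}: used by {', '.join(sorted(hosts))}")
    for host, qname in tunnels:
        print(f"possible DNS tunnel from {host}: {qname}")
```

Run against the sample, it reports telegram.org, openai.com and tunnel.example as unsanctioned, with the hosts that reached them, and flags both tunnel.example queries from WS-105. Feed it your resolver or proxy logs and the unsanctioned list becomes the starting point for the risk assessment described above, while the tunnel suspects go straight to the security team.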

Tips to navigate it

There are two types of response for shadow IT: 

  • Pro-shadow IT: (1) You don't mind if shadow IT exists. Employees can use any tool necessary for their productivity and performance. Or (2) your company doesn't issue work laptops and devices, so every employee must bring their own, and you therefore have to accept some shadow IT. 
  • Anti-shadow IT: You want to protect your data fully and minimize shadow IT as much as possible. 

No matter which you choose, it's important to set clear rules to protect your company and to react quickly when problems arise.  

What to do if you are not open for shadow IT


If you have set your mind on eliminating shadow IT, make sure there will be strict regulation on the subject. A defined anti-shadow IT policy will: 

  • Restrict any alternative solutions unless approved 
  • Allow IT department to make necessary technology controls to limit access of external app 
  • Emphasize the consequences of using shadow IT by implementing disciplinary processes and financial penalties.  

So, what anti-shadow IT technology solutions can you adopt into your organization? 

IT configuration management software

This type of software automatically finds and flags any unsanctioned software or hardware. It can also detect jailbroken devices and unauthorized versions of enterprise software or operating systems installed on organizational devices. 

Cloud access security brokers (CASBs)

A CASB sits between users and cloud services, either inline as a proxy or connected to the services through their APIs. It discovers which cloud applications are actually in use, typically by analyzing firewall and proxy logs, and enforces policy on them: blocking unauthorized activities, preventing data loss, and applying safeguards to every cloud activity. You can monitor who is doing what, and which unsanctioned services employees are reaching, from a single place. 

Next-generation firewalls (NGFWs)

Compared to a regular firewall, an NGFW is far more capable. Besides filtering on protocols, ports, and IP addresses like a traditional firewall, it identifies the application inside the traffic regardless of the port used, so it can monitor employees' application usage in real time. IT staff can see usage patterns and produce the reports needed to manage and enhance performance.   

Network access control (NAC)

NAC prevents unapproved individuals and devices from connecting to the corporate network. It ensures that only authenticated users and devices that comply with the security policy (for example, with up-to-date patches and endpoint protection) may access the network.   

Jailbreak device prohibitions

A jailbroken device has the manufacturer's restrictions removed. If a company device is jailbroken, company data is at risk from malware that can tamper with system files, and attackers can more easily steal files and data from the user. Companies should therefore enforce a no-jailbreak rule and apply strict discipline to prevent the worst-case scenario.    

Create an internal app store

If your employees don’t know what apps they should or should not use, create an internal app store with apps that the IT department approves. The app store helps clear up confusion and prevent shadow IT effectively. 

Note: Packaged platforms such as Microsoft or Salesforce are well suited to this. They offer hundreds of ready-to-use apps as well as customization options that let you expand the library (this is low-code, a combination of pre-built components and traditional development).  

You don’t have to worry about off-the-shelf software being “expired,” “unable to scale,” or “no longer meet the need.” You can now build one that best matches your business model while cutting down time on a lengthy development process.   

One of our clients has successfully built an HRM system in under 10 weeks with only 4 developers using Microsoft’s Low-code tools. The HRM tool is integrated with Teams, Office, and SharePoint to generate an automatic data flow with high security. It also comes with other add-ons that their employees can use for daily work. A huge plus! 

Implement buying and renewal process

A buying and renewal process for SaaS apps can prevent recurring shadow IT cycles within the company. Some best practices are:  

  • Implement assessment of whether a new tool fits the organization, create a software request template with business cases so the IT department can understand the drives of demands;  
  • Set up timely alerts for renewal;  
  • When creating your process, make sure the final transaction is only made after the IT approval. 

Entirely cut third-party app and opt for custom development

Another option is to build your application from scratch to your own set of regulations and compliance requirements. Then you don't have to worry about third-party risk, vendor lock-in, or shadow IT.  

However, this process is costly and complicated. You should leave it to professionals, either by hiring an in-house team or by working with a development house like Synodus.   

With 5+ years in software development and diverse expertise in AI, blockchain, IoT, low-code, and many more, we have helped businesses build more than 100 products and internal apps.   

Having a sidekick will help you optimize the development process, keep your budget under control, and get support from reliable developers (while limiting all your shadow IT, of course!) 

What to do if shadow IT is okay within your business

If you are okay with incorporating shadow IT into the system, here are some technologies and solutions you should bear in mind. 

Bring your own device mobile device management (BYOD MDM) 

The solution creates a work container on the employee's personal device that separates workplace apps and data from personal ones. When that employee resigns or leaves the organization, the container can be remotely wiped, keeping company data safe.   


Employees can freely communicate and use their alternate solutions. But they need to inform the IT department so that IT can arrange controls to protect company data within it.  

Enterprise sandbox environments

This type of environment allows users and IT staff to test out shadow IT tools. While testing, the environment is isolated so that exposure to negative impacts such as intrusions or data loss is limited.   

Virtual desktop environments

Virtual desktop environments run independently of the user's device and can be configured so that no data can be transferred to it (for example, by disabling clipboard, drive, and printer redirection).  

Proper encouragement and reward

In a pro-shadow IT workplace, it is necessary to encourage teams to research, test, and implement alternate solutions. These newly found solutions can bring great business value in terms of revenue growth, costs, customer satisfaction, and operational excellence. Such an effort to find solutions should be rewarded, therefore creating the right culture within the company. 

Note: The truth is: no business is 100% pro-shadow IT and vice versa. It’s too risky. Being too conservative will limit your chance of finding better tools, while being too open might threaten your security and data.

Most businesses fall into the middle, which we call the “compromise state.”

You impose a specific policy to control your internal application; you offer them laptops and devices to use within the company network and many others. Yet, you actively collect feedback and request to see if there’s a better alternative for your employees. 

Steps to build your shadow IT policy

Whether you go for pro or anti-shadow IT solutions, you still need a shadow IT policy. Here are the steps to help you build one.  

Step 1: Define the purpose and scope 

The policy should clearly explain the goal of managing and controlling shadow IT services and how stringent companies will act toward shadow IT.   

Different individuals and departments will have different comfort levels with risk. Whatever the corporation chooses, the policy must be adopted across the board. To get there, all departments must agree on the acceptable levels of risk and reach a compromise. 

Step 2: Identify the main involved parties

Anyone can cause shadow IT, but not everyone can impose regulations and manage them to prevent cybersecurity threats. This shouldn’t be the job of only the IT department but across the organization, especially: 

  • The legal team and IT team build a policy and security governance that meets the laws. 
  • The IT team, finance department, and managers from all departments create a workflow for the application approval process. 
  • The HR team promotes the chosen anti-shadow IT or pro-shadow IT stance to every employee.  
  • IT and HR teams train employees in shadow IT. 

Remember to ensure team members know their roles by organizing training and awareness programs and communicating the policy.   

Step 3: Define IT support access

Much like the HR department, IT should have an open space to take in every request and question, giving employees non-judgmental support and detailed guidance. Most of the time, HR and IT support are the first touchpoint for newly onboarded employees; notify them that you are always willing to help. 


Make sure colleagues can find the information, or know where to go, if they have questions regarding shadow IT. The IT department can write a knowledge-base article and link it from the help desk.   

Step 4: Define unauthorized assets and technologies

It should be clear among all colleagues what is and is not acceptable when installing new IT software and hardware. The guideline shall provide information on how data and information should be handled, stored, and transmitted in nonstandard IT services.   

Step 5: Prepare a provision for BYOD

If your organization supports BYOD, there should be guidelines and policies for using personal devices at the workplace and in work-related tasks. The policy should specify security measures, acceptable use, and data protection requirements for personal devices.   

Step 6: Set up IT monitoring and control measures

Specify how the organization will monitor network activity and usage to detect unauthorized software and hardware.  

If you suspect certain devices are installing or using unauthorized software, you can lock those devices down to prevent further use.  

Step 7: Conduct regular audits and assessment 

These audits and assessments are meant to identify and address shadow IT instances, including checking for unauthorized installations, cloud usage, or unapproved devices. 

Wrapping up

When someone intentionally or unintentionally uses software or hardware without authorization by the IT department, it’s called shadow IT. Depending on the app used, shadow IT can be good or bad. Because of that, some businesses are still open to a certain level of shadow IT to encourage digital transformation and improve performance. Based on what you choose, remember to set up a policy and method to detect the threat from shadow IT. 
