You may have heard the phrase ‘shadow IT’ before. Just the phrase sound suspicious – and it is something that can put your business at significant risk.

However, unlike many forms of cyber attack, it doesn’t refer to the activity of criminals. Instead, it’s something that your very own employees could be doing.

In this blog, we explain what shadow IT is and why it puts your business at risk. More crucially, we’ll also dive into how to tackle it before the worst happens.

What is shadow IT?

In simple terms, shadow IT refers to technology solutions being used by employees that bypass controls or limitations within the managed IT estate. Typically, this means apps, tools and websites that are not approved by the company or that go against policy.

But it’s not just unapproved applications. It could be any form of IT that’s being used by employees without the knowledge of the IT team.

Users often turn to shadow IT activity because they can’t get what they need from the applications authorised within the business. In some cases, the controls placed on IT may limit them.

Shadow IT isn’t typically a malicious activity.  More likely, it’s borne out of frustration with limitations hindering productivity. People may not understand the security implications associated, which makes it particularly difficult to tackle.

However, it does leave your business vulnerable, especially if the wrong tools and apps are used.

What are the risks of Shadow IT?

Security risks

A lot of the time, controls exist to protect users and company data. Blocking sharing of data, access to certain types of website or preventing the use of specific applications are important to prevent malware or ransomware infections. They also prevent people doing things by accident and  maintain the visibility of data within your business.

As soon as uncontrolled applications come into the mix, everything put in place to comply with security policies or maintain compliance becomes ineffective.

Hidden IT costs

Often, users will be paying subscription or usage fees for the shadow IT systems they may be using. It’s coming out of a budget somewhere, but not necessarily allocated to IT.

This raises challenges with understanding the return on investment with solutions your business has paid for. If users are bypassing such systems, the implementation and running costs are being wasted as it’s hard to assign value to the right places.

It can also lead to duplicate subscriptions if people do not know which tools are already being used, as well as bloat across your business as more and more tools are incorporated.

Blocking progress

No digital transformation strategy will work if users seek out and implement tools that enable them to maintain old, inefficient ways of working. If your staff are using these tools to bypass processes you’ve set, it makes it extremely difficult to get the results you seek.

Encouraging adoption of new solutions through effective training is vital to ensure the success of such strategies without losing the support of the user base.

Why is shadow IT on the rise?

With the changes in working practices that have come about during the last few years, specifically following the coronavirus pandemic, users working remotely have been faced with more challenges than ever before. The effect of that has been a sharp increase in the use of shadow IT. Check out some of the statistics:

• 59% increase in shadow IT use since the beginning of the COVID-19 pandemic
• 35% of employees admit they have had to work around security policies to get their work done
• 67% of teams have introduced their own collaboration tools
• 83% of IT professionals reported that users have been known to store company data in unapproved cloud services
• 1 in 5 organisations have suffered a cyber-attack as a direct result of shadow IT use

With teams now working remotely, it’s also harder to keep tabs on what IT devices and tools they are using.

The rise of AI is also fuelling the fire of shadow IT. There are now countless AI tools available, giving your employees even more apps to choose from. Not all of them will be safe.

Many organisations do not have a specific AI policy, which often leads to staff using tools in secret. However, some of these tools don’t protect commercial data accurately, leaving you vulnerable to data breaches.

Due to the rise of shadow IT, it’s crucial to take action now to protect your business.

How to avoid shadow IT

There are a few steps you should take to minimise the risk of shadow IT.

The most crucial is having a good grasp of the tools across your organisation. If you provide people with the solutions, they need, they won’t be tempted to go elsewhere. So, spend time understanding what apps are required and any obstacles that users face.

Similarly, regularly seek feedback across your IT infrastructure and tools to uncover any frustrations, such as those posed by controls.

Once you better understand your user needs, it’ll be easier to seek secure tools that comply with business policy and address staff requirements. Common examples of tools you might utilise include:

• Messaging apps, like WhatsApp or Snapchat
• Cloud storage such as Dropbox, Google Drive and personal Microsoft OneDrive accounts
• Personal communication apps, likeTeams, Skype, other VOIP platforms
• Productivity tools, like Slack or Trello

Once you have built your stack of tools, make it very clear what is authorised and why they should be used. You should also make your employees aware of the risk of using non-approved tools or bypassing controls, so they understand the consequences explicitly. Remember to also document this as part of your business policy.

Combat shadow IT with the right approach

Shadow IT isn’t just an IT visibility issue — it’s a trust issue.