What is shadow IT: Risks and prevention



While most business leaders recognize the importance of strong IT teams and proper cybersecurity processes and policies, there are often hidden risks to look out for. Shadow IT has been around since the rise of personal smart devices and the internet, but has evolved to become an even bigger threat lurking behind corners that you might never have thought of.  

What is shadow IT?

Shadow IT refers to the use of unauthorized technology at a company or organization, usually without the knowledge of the IT department. In practice, that might mean downloading a chat app or text editor that isn’t part of the software managed by IT, trying out the newest AI tool without IT testing it first, or using a personal phone instead of a company-owned phone or one overseen by IT through a mobile device management tool.

But today, especially with the rapid expansion of remote and hybrid work, the problem is more pressing and complicated than ever. According to a 2023 report, 59% of IT professionals said they struggle to manage SaaS applications. Respondents also stated that 65% of all SaaS apps aren’t approved by IT.  

Seventy-nine percent of IT professionals believe that using shadow IT puts company data at risk. Shadow IT is commonly seen in the use of email and messaging services, but it also extends to other tools such as video conferencing, file storage services, collaboration tools, file transfer services, and more.  

The top risks of shadow IT to look out for

Employees who engage in the use of shadow IT almost never do so with nefarious intent. For many, the reason they implement these unauthorized tools comes from a desire to improve efficiency or to help do their job more effectively.  

It makes sense that employees would want to use whatever tools they need without thinking about the downsides. However, this kind of unapproved software and hardware use can come with a number of risks that are important to understand so they don’t impact your company and your bottom line: 

Data and security 

  • Lack of protection for and unsecured access to confidential company or customer data
  • Violation of IT’s data protection policies
  • Increased cybersecurity risks related to the rise of remote work environments with lack of in-person IT support or VPN complications
  • Possible legal or regulatory issues due to lack of compliance with company systems and policies
  • Lack of transparency across teams, between employees and the IT department, and around how data is gathered and stored, making it more difficult to find the source of a leak or attack should security be breached

IT resources

  • Increased IT and technology management complexity, requiring IT teams to expand their breadth of knowledge and solve for additional problems that arise when different software isn’t compatible
  • Greater likelihood of complications between non-compatible hardware or software 
  • Additional IT money and resources needed to manage issues that arise (30-40% of enterprise IT spending is related to shadow IT, according to Gartner) 
  • Decreased ability to retrieve backup data or other important business information, or to pass on institutional knowledge to new hires 

Time and productivity pain points

  • Complications with scaling up teams or divisions using unapproved technology systems, as newer team members might not have access to the same tools
  • Decreased productivity due to lack of integration with designated systems and software
  • File management and archiving issues
  • Data and information silos created across the company, contributing to loss of insights into business operations and effectiveness
  • Time and resources wasted on trying to reintegrate systems, monitor usage, or fix systems and customer relationships that have been compromised 

Best ways to prevent shadow IT

It’s very easy to start down the slippery slope of shadow IT, but the best way to prevent larger issues down the line is by increasing awareness and fostering a culture that discourages shadow IT. That can come from any of the following:

  • Implementing shadow IT knowledge into existing IT training so that all employees understand the implications of using personal devices or non-enterprise approved software
  • Creating an open and collaborative environment with employees to understand where pain points are, and to find situations when they might be tempted to use shadow IT
  • Allowing for ongoing feedback around existing software and hardware solutions so that employees are using the solutions implemented by IT, and IT is aware of solutions that aren’t being used or that waste cost and energy
  • Thoroughly researching and planning the implementation of the IT stack, with user-friendly IT in mind, to create a streamlined, but still safe, IT experience at the organization
  • Constant reevaluation and periodic investment and expansion of technology solutions at the organization to ensure teams are getting what they need to effectively do their jobs
  • Ongoing digital change management to ensure new IT is implemented thoughtfully, avoiding rushed or reactive decisions around new technology

Jeremy Rafuse, Vice President and Head of IT and Digital Workplace at GoTo, says that employees are the key to preventing the worst risks from shadow IT.

“Just talk to your employees,” says Rafuse. “It’s important to explain why shadow IT could be harmful. There’s a good chance that many employees may not even know the damage seemingly innocent actions like downloading apps or using their own devices could do to the business. It’s important to educate your users across all levels of the organization. Regular training and explaining the risks so that the company fully understands what is at stake when it comes to shadow IT will be your number one defense.”

Looking ahead

Shadow IT can be a serious risk to your employees, teams, and organization on a number of fronts. It’s easy for each individual decision to have an outsized (and potentially negative) impact on your broader business goals. So, it’s important to increase awareness about the risks of shadow IT and foster an environment that proactively discourages those activities, while still aiming to serve the productivity, efficiency, and creativity needs of your teams.

At the same time, we live in a complex, digitized society, and it is unlikely that any company will be able to totally eliminate all shadow IT. The key is making sure employees are aware of the risks, educating them on best practices, and trying to minimize complexity, so that both employees and the organization can function efficiently.

In addition, these interactions can be a two-way street, with IT departments getting feedback from the rest of the organization on the tools they want and need to do their best work. This helps employees get what they need, and helps IT teams avoid implementing tools which will not be widely used.

“It’s about making sure you are always adapting and communicating. If you don't have a policy or procedure in place for procuring software or services, consider implementing one. And if it is there, make sure employees know where it is, how to follow it, and how to reach out to procurement if they need something,” explains Rafuse.
