What Is Shadow IT, and Why Is It an Issue?

What Is Shadow IT, and Why Is It an Issue?


An old-time radio show used to start with the promise “The Shadow knows!” Yet when it comes to shadow IT, the problem is the exact opposite. Shadow IT is the stuff employees download onto a business system that IT doesn’t know about, and it can be a big problem.

You may have an IT policy telling employees not to download unsanctioned applications, but they want to boost their productivity, or perhaps they prefer to work with an app they already know and love. So, they get a tool or service that meets their needs without telling IT.

The employee may have the best of intentions. They want to work better for your business. They don’t see the harm in adding that convenient app to their computer. Or they don’t think it’s a big deal to use their own device to complete their work (even if unsanctioned). Maybe they want to be efficient, so they use a personal email account to conduct your business.

All of these are examples of Shadow IT, and it’s running rampant. According to a McAfee study, 80% of employees admitted they had used non-approved software. Even 83% of IT workers were using non-vetted Software-as-a-Service (SaaS) applications. So, what’s the big deal?

The Potential Pitfalls with Shadow IT

First, if your business is in a regulated industry, Shadow IT could put you at risk of noncompliance. That unsanctioned device may not be encrypted. Additionally, sharing business data over a personal email would be a big no-no in a healthcare or banking space. Shadow IT certainly undermines audit accountability.

It can also drive up IT costs. Say accounting doesn’t know that the business has already paid to use certain software. So, they pay for it again out of their own budget.

If IT is unaware of the Shadow applications or devices, they can’t manage the vulnerabilities. The business doesn’t know customer data or personal identification information about employees is at risk.

Due to Shadow IT, there is greater threat of a data breach or ransomware attack. Employees downloading a third-party app could inadvertently give a hacker access to your network.

Additionally, the business risks losing productivity. The work someone does on a shadow app, for example, could be lost to the company if that employee moves on. IT wouldn’t have access to that account to retrieve the information or files. They don’t even know it is out there on that unknown app or device.

Shine a Light on Shadow IT

Because this IT lingers in the shadows, it can be challenging to prevent. Still, there are several steps you can take:

1. Educate employees about cyber policies.

Create and communicate acceptable use guidelines, and make sure your workers know what your policies are regarding:

  • SaaS downloads
  • Use of personal devices (e.g. mobile phones, laptops, USB flash drives, portable data storage devices)
  • Emailing from personal accounts or using messaging apps
  • Online document sharing
  • Online voice or meeting technology

Ultimately, establish clear information classifications distinguishing between public, private, and confidential data. This can help employees recognize they are putting important data at risk when they disregard use policies.

2. Do a dive to discover Shadow IT.

IT needs to know what technology is in use at the business (both on- and off-site). While this is more challenging now with people working from home due to COVID-19, a survey of employees and their devices can help gather information about unknowns.

3. Determine the value of IT discovered.

Don’t overreact. You don’t want to necessarily ban all Shadow IT that you discover; some of the services could have value. Vet the applications or devices found or reported. Review their connection to private or confidential data or essential network systems. If several employees use an unsanctioned app, you may want to invest in it. With a professional version, your IT team can safely manage the app.

4. Deliver the IT your people need.

Why are people circumventing your IT policies? Are they under pressure or looking to meet an unmet need? Are they are more comfortable with a familiar app or device? It’s important to understand what the employee is aiming to accomplish or why they’ve turned to shadow IT. This can help you identify IT needs and areas where you need to improve.

Overall, Shadow IT can be unsafe and unpredictable. Our IT expects can properly vet any software and hardware to ensure your business’s valuable data is kept safe. Contact us today!

STG IT Consulting Group would love to show you all we can offer as your Managed Service Provider.
Click here to schedule a free 15-minute meeting with Stan Kats, Client Engagement Specialist and Senior Technologist.

We proudly serve Greater Los Angeles and surrounding areas for all of your IT needs. We look forward to meeting with you!

STG IT Consulting Group's Logo