What is Shadow IT? Definition, Risks, and Examples

Although for years shadow IT has been viewed as a security and compliance risk, many organizations are now seeing its benefits. With organizations spending 40% of IT funding on cloud-based technology, many IT leaders have found themselves asking: is there a way to maintain security while increasing flexibility? Instituting an effective shadow IT policy can help put both IT and the business at ease. Doing so, however, involves understanding its definition, risks, and benefits.

Shadow IT refers to information technology programs, projects, or systems implemented outside the knowledge or control of the IT or infosec departments. Employees have more best-of-breed SaaS applications that help them do their jobs than ever before, and with the consumerization of IT, employees will not hesitate to simply acquire the tools they think will help them. These tools might be harmless and even helpful, but security risks can lurk in the background: data that IT has never inventoried ends up in accounts IT cannot monitor, offboard, or audit. As a result, information security is becoming a major priority, especially at companies that house or service sensitive data.

The explosion of SaaS applications over the last several years has perpetuated the habit of shadow IT. Cloud-based infrastructure has made it trivially easy for powerful applications to be built and distributed. Some of these SaaS applications are free, making them even more accessible and appealing.

The three biggest security risks of shadow IT

While no one wants to stop employees from using the best tools of the trade to do their jobs, shadow IT can be detrimental to the security of an organization. Shadow IT can present multiple risks:

1. File sharing

File sharing is a common shadow IT practice that makes companies vulnerable in several ways. Once data is in an unsanctioned sharing service it is outside the monitoring and access controls IT applies to its own systems, so the service becomes a ready channel for data exfiltration: malware or a compromised account can move sensitive company data out unnoticed, and that data could then be destroyed, sold, or leaked. Even in benign circumstances, a link created with "anyone with the link" permissions can be forwarded or accidentally posted on social media, and IT has no way to revoke it.

File sharing tools also let users bypass normal email attachment limits. Vindictive users could upload and store massive amounts of company data in a personal account that survives their departure. Even well-intentioned users could email these links, not realizing how exposed the data is in that process.

2. Software integration

Most IT environments have integrations between different systems. Shadow IT extends that web without IT's knowledge: users connect unsanctioned apps to sanctioned systems through OAuth grants, API keys, or browser extensions, and the unsanctioned app inherits whatever access the user granted it. A breach can follow if any piece of that chain is compromised. The risk grows when users do not apply the app's security updates; in fact, employees may not even know how to update the tools they have adopted.

When IT upgrades an integrated system, an app it does not know about can break silently or, if it is vulnerable, become an attacker's pivot into the company's core data. This kind of breach can lead to anything from substantial downtime to regulatory penalties and personal liability for the executives accountable for the data.

3. Enterprise application deployments

As more cloud products emerge, IT places a stronger emphasis on change and release management to keep up with the changing software ecosystem. Deployments for enterprise-wide applications are tightly monitored. Testing occurs before and after releases to safeguard the company from significant disruption.

Unauthorized software is not subject to this rigorous process. Upgrades and releases for products the IT department is oblivious to could be destructive to existing processes.

Benefits of shadow IT

Nevertheless, shadow IT is certainly not all bad. Employees managing their own applications or projects outside of IT are likely motivated by a desire to improve productivity. Enterprise-class SaaS applications are prevalent, many are benign or secure, and most can be very useful.

  • Improving employee satisfaction and retention: Empowering the end user to choose what tools they want to use makes them more effective and engaged. Allowing employees to give their input on new software also increases adoption. In this way, shadow IT can assist in preserving top talent.
  • Reducing IT workload: Shadow IT reduces information technology workload. Most IT departments are already swamped with help desk tickets. Shadow IT can alleviate some of that burden, allowing the IT department to work on more challenging projects that deliver greater business value. Since shadow IT is already ubiquitous, companies are attempting to capitalize on its benefits.
  • Saving employees' time: Rather than going through the motions or petitioning for a new tool and waiting for the IT implementation, an employee can set up an application on his or her own to begin saving time and/or improving productivity instantly.

How to manage shadow IT: 3 strategies

All organizations deal with shadow IT in a way that best suits their structure and company culture. Shadow IT policies can range from loose guidelines to extreme lockdown.

Tighten security

Some companies block access to particular applications outright at the corporate firewall or web proxy, or hunt them down through software audits.

There are several applications on the market, often sold as cloud access security brokers (CASBs), that can help IT departments discover and stop shadow IT. These tools monitor the use of cloud services across an enterprise, typically by inspecting proxy, firewall, or DNS logs, and give IT the names of the cloud services employees are using along with a report on each service's potential security risk. Some tools can also block or restrict the services IT has not approved.

IT can leverage such software to tighten security and give the company some peace of mind. On the other hand, cracking down on employees can drive them to find apps that are not caught by detection tools, or to use personal devices and networks, further endangering the company.
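The discovery step these tools perform is straightforward to show in code. The following is an added example, not Talend's code or part of the original article: it parses a small set of constructed web-proxy log lines, maps each destination host to a SaaS service using a tiny hypothetical catalog, reports every catalogued service that is not on the IT-sanctioned list, and, to cover the file-sharing risk described above, flags any user whose uploads to an unsanctioned service exceed a threshold. The log format, the catalog, the sanctioned list, and the threshold are all assumptions made for the example.

```python
"""Shadow-IT discovery over web-proxy logs (added example, not Talend's code).

Reads a simplified proxy log, resolves each request's host to a SaaS
service via a hypothetical catalog, and reports unsanctioned services
with their users and upload volume. Everything below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re
from urllib.parse import urlsplit

# Constructed log lines in a simplified Squid-style format:
# "<epoch> <user> <method> <url> <status> <bytes_sent> <bytes_received>"
SAMPLE_LOG = """\
1700000001 alice GET https://mail.corp-sanctioned.example/inbox 200 512 20480
1700000002 bob POST https://upload.filedrop.example/api/v2/files 201 15728640 300
1700000003 carol GET https://docs.sanctioned-suite.example/d/abc 200 420 8192
1700000004 bob POST https://upload.filedrop.example/api/v2/files 201 9437184 300
1700000005 dave POST https://api.notesapp.example/sync 200 2048 1024
1700000006 erin GET https://cdn.filedrop.example/share/xyz?dl=1 200 300 4096
1700000007 alice POST https://api.notesapp.example/sync 200 1024 1024
"""

# Hypothetical SaaS catalog: host suffix -> service name. A real CASB ships
# a catalog of thousands of services; these entries are constructed.
SAAS_CATALOG = {
    "corp-sanctioned.example": "CorpMail",
    "sanctioned-suite.example": "SanctionedSuite",
    "filedrop.example": "FileDrop (file sharing)",
    "notesapp.example": "NotesApp",
}

# Services IT has vetted; any other catalogued service counts as shadow IT.
SANCTIONED = {"CorpMail", "SanctionedSuite"}

# Assumed threshold: bytes one user may upload to an unsanctioned service
# before it is reported as a high-severity finding.
UPLOAD_ALERT_BYTES = 10 * 1024 * 1024

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\d+)$")
UPLOAD_METHODS = ("POST", "PUT", "PATCH")


@dataclass
class ServiceUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def service_for_host(host):
    """Map a hostname to a catalog entry by its longest matching suffix."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SAAS_CATALOG:
            return SAAS_CATALOG[candidate]
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, status, sent, _recv = m.groups()
    return {"ts": int(ts), "user": user, "method": method,
            "host": urlsplit(url).hostname or "", "status": int(status),
            "bytes_sent": int(sent)}


def unsanctioned_records(log_text):
    """Yield (record, service) for requests to catalogued, unsanctioned services."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = service_for_host(rec["host"])
        if service is not None and service not in SANCTIONED:
            yield rec, service


def discover(log_text):
    """Return {service: ServiceUsage} for every unsanctioned service seen."""
    usage = defaultdict(ServiceUsage)
    for rec, service in unsanctioned_records(log_text):
        u = usage[service]
        u.users.add(rec["user"])
        u.requests += 1
        # Only request bodies count as uploads; GETs carry negligible data out.
        if rec["method"] in UPLOAD_METHODS:
            u.bytes_uploaded += rec["bytes_sent"]
    return dict(usage)


def upload_alerts(log_text, threshold=UPLOAD_ALERT_BYTES):
    """Return sorted (user, service, bytes) for users over the upload threshold."""
    per_user = defaultdict(int)
    for rec, service in unsanctioned_records(log_text):
        if rec["method"] in UPLOAD_METHODS:
            per_user[(rec["user"], service)] += rec["bytes_sent"]
    return [(user, svc, n) for (user, svc), n in sorted(per_user.items())
            if n >= threshold]


if __name__ == "__main__":
    for name, u in sorted(discover(SAMPLE_LOG).items()):
        print(f"{name}: {len(u.users)} users, {u.requests} requests, "
              f"{u.bytes_uploaded / 1024 / 1024:.1f} MiB uploaded")
    for user, svc, n in upload_alerts(SAMPLE_LOG):
        print(f"ALERT {user} uploaded {n / 1024 / 1024:.1f} MiB to {svc}")
```

Run against the constructed log, this reports two unsanctioned services (the file-sharing service with two users and 24 MiB uploaded, and the notes app with two users) and one alert for the user who uploaded 24 MiB to the file-sharing service. The suffix-matching lookup is what lets a single catalog entry cover `upload.`, `cdn.` and any other subdomain of a service; a real deployment would feed the same logic from the proxy or DNS logs it already collects and refresh the catalog and sanctioned list from the IT-vetted tool inventory.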

Practice leniency

When users choose the applications they want, they are more invested in IT and in their jobs. Using tools they are familiar with makes them more productive, efficient, and happy at work. A lenient shadow IT policy also lets the IT department concentrate on other tasks.

None of this addresses the potential security risks of shadow IT use. A company with a relaxed stance on shadow IT may bolster security in other ways, for example by encrypting sensitive data and limiting who can access it in the first place, so that a tool IT has never seen has less to leak.

These companies may also publish policies and guidelines to help employees use their tools securely. Employees may download and use their own software, for example, but they must not use it to share or store customer data, must not reuse their corporate password for it, and so on.

Consider Compromise

Many colleges and universities build or expand facilities with very limited sidewalks. They then wait and observe where natural paths get worn into the grass from students walking around campus. These are called "desire paths," and they sometimes become paved sidewalks.

Many companies take a similar approach to shadow IT.

  1. Create a simple submission process for employees. Employees can either request a specific functionality or answer security questions and make a case for a tool they have been using. This process gives employees a voice and helps IT make a quicker decision about the viability of a tool.
  2. Publish a list of IT-vetted tools each year. Employees still have a choice as to which software they want to use, but will be confined to tools that already meet IT’s security criteria.

3 steps to creating a shadow IT policy

Creating a shadow IT policy enables businesses to run more efficiently, mitigate risk, and lower costs. There are three key steps to forming a shadow IT policy.

1. Agree on a level of risk

The first step in drafting a functional shadow IT policy is to determine how strict the organization will be about shadow IT. Everyone has a different level of comfort with risk. No matter what a company chooses, the policy eventually needs to be universally accepted.

To do that, IT and business stakeholders must meet to talk about risks and benefits and strike a compromise. Is the company leaning towards a more restrictive or a more lenient stance? Accommodating the needs of multiple departments is necessary to crafting a well-adopted policy.

2. Establish an IT procurement process

Developing the process behind proposing and accepting shadow IT systems or projects is also a joint effort.

If shadow IT is admissible, part of the process could be encouraging business users to build a case for why new technology is vital for employees to succeed in their role, and why existing IT products do not fulfill their needs. Once a new technology is approved, IT could work with the business to settle on appropriate levels of access, service level agreements, and maintenance expectations.

If shadow IT is not acceptable for the company as a whole, the IT department must design a process for business users to request a new system or service from their department. Whatever the company decides, the IT procurement process should be clearly stated and circulated throughout the business.

3. Educate users

Employees must feel heard and understood if any shadow IT policy is going to be embraced. Opening up the dialogue between IT and the business allows both parties to learn from each other.

It might be difficult for employees to realize how much risk they introduce with shadow IT. When instituting the shadow IT policy, IT can have a chance to explain why certain technologies might be difficult to integrate with current enterprise systems or keep secure. Giving the workforce practical examples of what is on and off-limits is crucial to policy adoption.

Tools for managing shadow IT

Shadow IT can jeopardize a company’s security, if we let it. However, there are myriad ways to safeguard company data while giving people access to tools that boost their productivity and morale.

Balancing risks and benefits is key to developing a sustainable shadow IT policy. Leveraging shadow IT to uncover new processes and tools that could allow all employees to excel in their roles is just smart business practice. Cloud-based tools with the capability of integrating with multiple systems offer modern companies a solution that can appease both IT and the business.

The data issues raised by shadow IT can be mitigated in part by automated data quality features, which ensure clean, accurate data before it enters your systems, and by data governance features, which make good-quality data available through self-service access to everyone who needs it, reducing the incentive to copy it into unsanctioned tools.

Talend Data Fabric is a cloud-native, unified suite of apps that provides self-service access to the right data to make business decisions in real time. Talend Data Fabric has 900+ components to make integrations easy and can manage trusted data across any kind of environment. It is versatile enough to assist in data preparation, data management, and cloud integration. Try it today with a free trial.
