What is shadow IT?
Maybe you've saved or shared work files in a personal Dropbox folder, or used Zoom for team meetings when your company's designated communication platform is Microsoft Teams. Maybe you downloaded a program or tool to your desktop without going through IT first. You might not know it, but these are all forms of shadow IT.
Shadow IT is any digital asset used on a company network without the IT department's knowledge or approval. Any software or hardware that isn't first screened and sanctioned by IT falls into this category, and it's more prevalent than you might think: a CORE research report found that shadow IT usage grew by 59% after organizations widely embraced remote work.[1] The most common culprits are productivity apps, cloud storage, file sharing and document editing apps, and communication and messaging apps.
The causes of shadow IT are usually benign. Teams want to adopt new tools that streamline their workflows but find IT's approval process too slow and cumbersome. Employees use personal apps on workstations because they find them helpful. And some people feel they work more efficiently on their own devices with their preferred software than on the company's sanctioned resources.[2] These actions may be free of malicious intent, but the consequences of shadow IT can't be ignored.
Shadow IT and the connection to technical debt
Shadow IT and technical debt are similar in that both accumulate over time as the result of decisions made by teams and individuals. They often coexist, as when new tools are adopted but legacy systems aren't decommissioned, or when a new platform ships or a software update rolls out but an older version stays live to support customers who haven't migrated. The cost of continuing to run those legacy systems, or maintaining old versions of software, adds up and compounds already inefficient business processes.
The potential costs of shadow IT
While not all shadow IT activity causes problems, there is significant potential for problems to arise because of it.
Some of those potential risks include:
- Staffing issues: Organizations might need to dedicate staff time and resources to dealing with shadow IT users, up to and including disciplinary or legal action if an employee's use of shadow IT caused a security breach.
- Operational issues: Additional tooling or resources might be needed to identify shadow IT and remediate the affected systems. Restoring process efficiency can also be a hurdle if shadow IT is impacting productivity and IT operations.
- Compliance issues: Organizations subject to specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR), could face financial penalties if shadow IT usage led to noncompliance. It could also raise business insurance premiums or lead an insurer to deny coverage for a claim arising from shadow IT usage.
Shadow IT poses cybersecurity risks
Shadow IT has clear cybersecurity implications: an IT team cannot monitor software or hardware it doesn't know about, and therein lies the problem. Bring your own device (BYOD) policies let employees use their own computers or mobile devices on corporate networks and are meant to make work more efficient. But even with a formal BYOD program in place, IT teams often lack visibility into the software and services employees run on BYOD hardware, and enforcing IT security policy on personal devices is difficult.[3]
Shadow IT is often where security weaknesses in the wider network become most visible.[4] In a typical phishing scenario, an attacker targets a staff member, usually by email, to gain access to their workstation. With a foothold on one employee's system, they move laterally across the company network and IT infrastructure, collecting privileges that grant progressively more access.
One way they gain those privileges is by compromising a centralized authentication environment such as an Active Directory domain. Active Directory is essentially a directory database of the accounts, groups and permissions that connect network users with the resources they need to do their jobs. Once the directory is compromised, every system and application that relies on it for authentication is exposed too. Shadow IT web applications and database services are common targets for these attackers. While IT-managed systems are also entry points, systems that are invisible to IT, and therefore outside company-standard threat detection and response, are even more vulnerable.
This adds another layer of complexity to security operations, because a breach that traces back to shadow IT is also likely to correlate with increased technical debt. Consider an attack in which a third-party tool, such as a social media promotion platform or a CRM, was the attacker's entry point. Vendors are often not forthcoming about complex integration features, API nuances and security properties that could create vulnerabilities for their customers. If the vendor suffers a data breach, all of its customers could be affected, and by extension those customers' networks and data. An incident like this is expensive to remediate, and the cost of migrating to another solution or bolting on additional security measures translates directly into accumulated technical debt.
IT asset management can help organizations deal with shadow IT and technical debt
IT teams are responsible for communicating system updates, the decommissioning of tools and routine maintenance to all end users of a network. In many cases they are also responsible for ensuring the organization continuously meets its data retention and destruction standards. Whether users actually follow the update schedule, or keep using an unauthorized copy of a tool that has been decommissioned, are details that easily slip through the cracks. This highlights the importance of IT asset management (ITAM), which provides visibility into the areas where shadow IT and technical debt may be accumulating.
ITAM can play a crucial role in reducing shadow IT within organizations. With robust asset management practices, companies can accurately track and monitor all authorized software and hardware assets, which makes unauthorized technology that appears on the network without IT's knowledge far easier to spot. With a comprehensive ITAM system in place, organizations can enforce policies and procedures for the procurement, deployment and usage of IT resources, minimizing the risk of shadow IT and the accumulation of technical debt.
Additionally, by proactively managing IT assets, companies can identify gaps in their technology stack, address employee needs and provide suitable sanctioned alternatives, reducing the motivation to seek unauthorized technology outside the approved IT infrastructure. IT asset management lets organizations maintain a secure and compliant IT environment while meeting the needs of their workforce effectively and quickly.
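The reconciliation an ITAM process performs, as an added example in Python (not code from the original article or from any of the cited sources): it compares what endpoint agents report against a sanctioned software catalog and a CMDB host list, and flags software that was never approved, decommissioned tools still installed, approved tools running below the minimum permitted version, and hosts the CMDB has never seen. The catalog format, product names, hosts and version strings are all constructed for illustration.

```python
"""Reconcile an endpoint software inventory against an ITAM catalog.

All hosts, products, versions and the catalog format below are constructed
for this example; nothing here is real organizational data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


def normalize(name: str) -> str:
    """Fold case and collapse whitespace so agent-reported names match catalog keys."""
    return " ".join(name.casefold().split())


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.6.00.4472' into a comparable tuple; non-numeric segments rank lowest."""
    return tuple(int(seg) if seg.isdigit() else -1 for seg in version.split("."))


# Sanctioned catalog (constructed): status is "approved" or "decommissioned";
# min_version is the oldest build the update schedule still permits.
CATALOG: Dict[str, dict] = {
    "Microsoft Teams": {"status": "approved", "min_version": "1.6.0"},
    "7-Zip": {"status": "approved", "min_version": "23.01"},
    "Example VPN Client": {"status": "approved", "min_version": "4.2.1"},
    "Slack": {"status": "decommissioned", "min_version": None},
}

# Hosts recorded in the CMDB (constructed).
KNOWN_HOSTS: Set[str] = {"WS-0412", "WS-0417", "LT-2201"}

# Inventory as an endpoint agent might report it (constructed).
OBSERVED: List[dict] = [
    {"host": "WS-0412", "product": "Microsoft Teams", "version": "1.6.00.4472"},
    {"host": "WS-0412", "product": "Dropbox", "version": "185.4.6054"},
    {"host": "WS-0417", "product": "Slack", "version": "4.33.90"},
    {"host": "WS-0417", "product": "7-zip", "version": "19.00"},
    {"host": "LT-2201", "product": "Example VPN Client", "version": "4.2.1"},
    {"host": "LT-9999", "product": "Zoom", "version": "5.15.2"},
]


@dataclass
class Findings:
    unapproved: List[dict] = field(default_factory=list)      # not in the catalog at all
    decommissioned: List[dict] = field(default_factory=list)  # retired tool still installed
    outdated: List[dict] = field(default_factory=list)        # approved, but below min_version
    unknown_hosts: List[str] = field(default_factory=list)    # reporting host absent from CMDB


def reconcile(observed: Iterable[dict], catalog: Dict[str, dict], known_hosts: Set[str]) -> Findings:
    """Classify every observed install; each record lands in at most one software bucket."""
    by_name = {normalize(k): v for k, v in catalog.items()}
    findings = Findings()
    for record in observed:
        host = record["host"]
        if host not in known_hosts and host not in findings.unknown_hosts:
            findings.unknown_hosts.append(host)
        entry = by_name.get(normalize(record["product"]))
        if entry is None:
            findings.unapproved.append(record)
        elif entry["status"] == "decommissioned":
            findings.decommissioned.append(record)
        elif entry["min_version"] and parse_version(record["version"]) < parse_version(entry["min_version"]):
            findings.outdated.append(record)
    return findings


def summarize(findings: Findings) -> Dict[str, int]:
    """Counts per bucket, suitable for a dashboard metric or a ticket summary."""
    return {
        "unapproved": len(findings.unapproved),
        "decommissioned": len(findings.decommissioned),
        "outdated": len(findings.outdated),
        "unknown_hosts": len(findings.unknown_hosts),
    }


if __name__ == "__main__":
    result = reconcile(OBSERVED, CATALOG, KNOWN_HOSTS)
    for bucket, records in (("UNAPPROVED", result.unapproved),
                            ("DECOMMISSIONED", result.decommissioned),
                            ("OUTDATED", result.outdated)):
        for r in records:
            print(f"{bucket:14} {r['host']:8} {r['product']} {r['version']}")
    for host in result.unknown_hosts:
        print(f"{'UNKNOWN_HOST':14} {host}")
```

Two caveats for real deployments. Matching is by product name, and endpoint agents report vendor strings inconsistently, so an alias table on top of the simple normalization here is usually needed. And an endpoint inventory only sees installed software: the browser-based cases from the introduction (a personal Dropbox folder, a Zoom meeting) never appear in it, so the same reconciliation should also be fed from DNS, web proxy or CASB logs.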
1. "Growing cost of shadow IT." theNET by Cloudflare. https://www.cloudflare.com/learning/insights-shadow-it/.
2. "What is shadow IT?" IBM. https://www.ibm.com/topics/shadow-it.
3. "What is shadow IT?" IBM. https://www.ibm.com/topics/shadow-it.
4. Moore, Gemma. "Shadow IT and Technical Debt: The Adversary's Allies." Cyberis. July 23, 2021. Accessed June 8, 2023. https://www.cyberis.com/article/shadow-it-and-technical-debt-adversarys-allies.