What is shadow IT?

It's not unusual for many of us to look for the Wi-Fi network as soon as we enter a building or a new place of work. For businesses, this means that most employees will have connected to corporate networks from mobile phones, tablets and, increasingly, devices such as smartwatches.


Research has suggested that more than three-quarters of organisations have more than a thousand business devices, including company-supplied laptops and tablets, connected to the business network. Managing that many endpoints is hard enough without taking the wider picture into account. Around a third of companies (35%) in the UK, US and Germany reported that more than 5,000 non-business devices connect to their corporate network each day, with 40% of them used for non-work tasks ranging from logging into social media to downloading films and games.

Devices such as these, which haven't been provisioned or approved by network and security teams, are part of a growing problem for IT teams and are commonly referred to as shadow IT, or sometimes stealth IT or rogue IT. The growth of cloud services has made the problem worse: it has become increasingly difficult for IT teams to know exactly where business data is stored and which employees control what.

This isn't just about individuals connecting their phones to corporate Wi-Fi, however. Shadow IT also covers unofficial flows of data, including data copied off corporate networks onto USB drives, and software installed without the knowledge or support of the IT department. That can include something as innocuous as an instant messaging tool adopted because it makes business communication easier.

Why is shadow IT a problem?

Aside from questions about how employees are spending their time, the bigger problem is that non-business devices often lack the security controls and configuration standards applied to devices supplied or managed by the organisation, and IT has no way to verify their patch level or configuration.

Similarly, software and applications that haven't been authorised by IT may introduce a security threat without anyone realising it.

Even seemingly harmless apps on personal devices can carry hidden threats. In 2017, McAfee researchers identified 144 apps on the Google Play store carrying a malware strain called Grabos; they were disguised as innocuous audio players and had been downloaded up to 17 million times.

Shadow IT is a symptom of a wider problem: employees take matters into their own hands when they need hardware or software to work effectively. Some of the most common shadow apps are instant messaging and file-sharing tools such as Skype and Google Docs, which staff install and use to collaborate across the business.

Although using software like Google Docs may seem harmless on the surface, it opens up the risk of employees accidentally (or deliberately) leaving sensitive documents exposed online, the digital equivalent of leaving a document on the train. When staff leave, the IT department needs to be sure there are no forgotten stray files sitting on non-business sharing systems.

Shadow IT doesn't have to be negative, however. Companies with a bring your own device (BYOD) policy actively encourage the use of personal technology in the workplace, usually because the productivity gains and cost savings outweigh the risks. IT departments can also reduce the security risks of BYOD by educating staff on strong passwords, encouraging prompt installation of operating system updates and security patches, and defining which applications are actually allowed to run on the corporate network.

One type of shadow IT that may become a particular problem for businesses is IoT devices. Connected kettles, digital assistants, smart TVs and even fitness trackers are growing in popularity, and all need an internet connection, which in a business ends up being the enterprise network. The security problems of IoT devices are well documented, most famously the Mirai botnet, built from compromised consumer devices, whose DDoS attacks knocked some of the world's biggest online services offline.

For some industries, shadow IT also poses compliance challenges. If data flows through unofficial channels, it can be impossible to demonstrate compliance with regulations such as the GDPR, financial standards and data security principles.

Here are some other common implications of shadow IT that businesses may face:

  • Inefficiencies and performance bottlenecks. If shadow IT systems are used alongside or instead of existing systems, it becomes difficult to identify and standardise more efficient processes;
  • Hidden costs, from other workers having to re-check the validity of data and from systems and software being set up by people without the necessary experience;
  • Inconsistencies in business logic and approach, with small differences and errors accumulating across copies of applications and data that have no version control or links between them;
  • Risks of data loss or leaks, as data that passes through unauthorised applications or devices may not be covered by proper backup procedures or by authentication controls on who can access it;
  • Wasted investment in duplicate software that does the same job as tools the business already owns.

Business attitudes to shadow IT

Some businesses are relaxed about shadow IT. They believe the benefits of increased collaboration and innovation, particularly given the pace of technological change, outweigh the direct security risks, and instead focus on educating employees to recognise threats.

Because it encourages productivity and agility, shadow IT can also serve as a prototype for new workflows, technologies and systems that can later be approved officially.

Others, however, see shadow IT as a risk to how staff work, believing it is better to implement tools across the whole organisation to avoid information and workflow silos. It is also easier for the IT department to identify and combat threats if it knows what hardware and software is operating on the business's network.

Managing the risks of shadow IT

It's almost impossible to turn back the clock on shadow IT, and many staff would resent a return to a highly locked-down IT environment, especially in a workplace that seeks to encourage collaboration.

Instead, IT professionals should look to manage shadow IT rather than fight it. A good start is to build a comprehensive inventory of the applications staff are actually using and see how it varies across departments, which also helps identify tools the business could adopt 'officially'.

Endpoint management is one way to keep track of all assets and software on a business network. Once these have been identified, the next step is to check that they are in line with company policy and to flag any vulnerable or unpatched applications.
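The inventory and endpoint-checking steps above can be partly automated from data the network already produces. The following Python script is an added example, not code from the original article: it reads a constructed web-proxy log, compares each destination against an assumed list of sanctioned SaaS domains and each client hostname against an assumed managed-device inventory, and reports unsanctioned services per department, devices missing from the inventory, and services used widely enough to be candidates for official adoption. The log format, the domain list, the hostnames and the two-label domain heuristic are all assumptions made for the example.

```python
"""Shadow-IT discovery from a web-proxy log (added example, not the article's code).

Inputs are constructed for the example: a space-separated proxy log of
"timestamp user department client_host method url", a set of sanctioned SaaS
domains and an inventory of managed hostnames. All three are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log (assumed format; not real traffic).
SAMPLE_LOG = """\
2020-09-14T09:01:12Z alice finance FIN-LT-0042 GET https://docs.google.com/document/d/abc
2020-09-14T09:02:40Z bob sales SAL-LT-0107 POST https://api.slack.com/api/files.upload
2020-09-14T09:03:05Z carol finance android-7f3a2 GET https://www.dropbox.com/home
2020-09-14T09:04:19Z alice finance FIN-LT-0042 GET https://outlook.office365.com/mail
2020-09-14T09:05:33Z dave sales SAL-LT-0107 GET https://wetransfer.com/
2020-09-14T09:06:01Z erin eng iphone-eb19 GET https://docs.google.com/spreadsheets/d/xyz
2020-09-14T09:07:48Z bob sales SAL-LT-0107 GET https://teams.microsoft.com/
this line is malformed and is skipped by the parser
"""

# Assumed corporate baselines: sanctioned SaaS (by registrable domain) and managed hosts.
SANCTIONED_DOMAINS = {"office365.com", "microsoft.com", "slack.com"}
MANAGED_HOSTS = {"FIN-LT-0042", "SAL-LT-0107"}


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    client_host: str
    domain: str  # registrable domain of the destination, e.g. "google.com"


def registrable_domain(hostname):
    """Collapse "docs.google.com" to "google.com".

    Two-label heuristic, assumed for the example; a production tool should use
    the Public Suffix List so that "example.co.uk" is not collapsed to "co.uk".
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def parse_log(text):
    """Parse the assumed six-field log format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # a bad line should not abort the whole report
        _ts, user, dept, host, _method, url = fields
        hostname = urlsplit(url).hostname or ""
        records.append(Request(user, dept, host, registrable_domain(hostname)))
    return records


def unsanctioned_by_department(records, sanctioned=SANCTIONED_DOMAINS):
    """{department: {domain: [users]}} for destinations not on the sanctioned list."""
    report = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r.domain not in sanctioned:
            report[r.department][r.domain].add(r.user)
    return {dept: {dom: sorted(users) for dom, users in doms.items()}
            for dept, doms in report.items()}


def unmanaged_devices(records, managed=MANAGED_HOSTS):
    """Client hosts seen on the network that are absent from the asset inventory."""
    return sorted({r.client_host for r in records if r.client_host not in managed})


def adoption_candidates(records, sanctioned=SANCTIONED_DOMAINS, min_departments=2):
    """Unsanctioned services used in several departments: worth evaluating for official adoption."""
    departments = defaultdict(set)
    for r in records:
        if r.domain not in sanctioned:
            departments[r.domain].add(r.department)
    return sorted(dom for dom, depts in departments.items() if len(depts) >= min_departments)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dept, doms in sorted(unsanctioned_by_department(recs).items()):
        for dom, users in sorted(doms.items()):
            print(f"{dept:8} {dom:20} {', '.join(users)}")
    print("unmanaged devices:", unmanaged_devices(recs))
    print("adoption candidates:", adoption_candidates(recs))
```

On the constructed log this flags Google Docs in both finance and engineering (and therefore as an adoption candidate), Dropbox and WeTransfer as single-department shadow apps, and two personal mobile devices that the inventory has never seen. Matching on the registrable domain rather than the full hostname is what keeps `docs.google.com` and `drive.google.com` reporting as one service; the same allowlist can then feed the proxy or DNS policy once the business decides which of these to sanction or block.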

Security awareness training is also a valuable part of an organisation's security strategy. Making staff aware of the dangers of clicking questionable links while connected to the business network, even from personal devices, reduces careless incidents. It is also a good opportunity to reinforce company policies on personal device and application use, and to remind staff of the software the business already provides.

Shadow IT in 2020

The events of 2020 have only accelerated the use of shadow IT, as many businesses pivoted quickly to remote working. For organisations that weren't prepared for the pandemic and the resulting lockdown, BYOD may have been the only way to keep operating when there wasn't enough company hardware for employees to work from home.

Many workers will have turned to a series of unsanctioned apps to build new workflows after losing face-to-face contact with colleagues and access to the on-premises resources they relied on. With even a conversation with a co-worker now going through an app, shadow IT will have proved invaluable in keeping operations moving amid the disruption.

What this means for organisations and IT departments is that they must be especially vigilant about the exposure shadow IT creates in these suddenly dispersed networks. Oversight is harder under current working conditions, but you still need to keep track of how your employees are working and to emphasise awareness and good practice, so that shadow IT doesn't become a serious problem for your organisation.

Esther Kezia Thorpe

Esther is a freelance media analyst, podcaster, and one-third of Media Voices. She has previously worked as a content marketing lead for Dennis Publishing and the Media Briefing. She writes frequently on topics such as subscriptions and tech developments for industry sites such as Digital Content Next and What’s New in Publishing. She is co-founder of the Publisher Podcast Awards and Publisher Podcast Summit; the first conference and awards dedicated to celebrating and elevating publisher podcasts.