Shadow IT poses significant challenges for organisations and their IT departments. It requires a strategic approach to address the security and compliance risks that come with shadow IT, all while balancing the need to empower employees with the appropriate tools and technologies.
What Is Shadow IT?
Shadow IT refers to the use of hardware, software, or cloud-based services in an organisation without the knowledge or approval of the central IT department. This typically happens when employees use unsanctioned applications, devices, or cloud services to perform their work more efficiently or conveniently without going through the official IT procurement and approval processes.
Shadow IT includes using personal devices, file-sharing tools, messaging apps, productivity software, and other cloud-based services that the organisation’s IT team does not manage or support.
The rise of cloud computing and the consumerisation of IT have contributed to the proliferation of shadow IT, as employees have easier access to a wide range of self-service technologies to meet their specific needs. While shadow IT can boost employee productivity and innovation, it also introduces significant security and compliance risks for the organisation, as unsanctioned technologies may not be subject to the same security measures and controls as approved IT systems.
Examples of Shadow IT
Shadow IT can manifest in a variety of ways in an organisation, as employees seek out unsanctioned technologies to improve their productivity and efficiency. Some common examples of shadow IT include:
Unauthorised Cloud Applications and Services
Employees may use personal accounts for cloud-based productivity, collaboration, or file-sharing tools, such as Slack, Trello, Dropbox, or Google Drive, without the knowledge or approval of the IT department. That means sensitive corporate data may be stored and shared outside the organisation’s secure environment.
Bring-Your-Own-Device (BYOD) Practices
Employees may use their personal laptops, tablets, smartphones, or other devices to access corporate resources and perform work-related tasks, bypassing the organisation’s device management and security policies. This can introduce vulnerabilities and make it more difficult for the IT team to maintain control over the technology landscape.
Unauthorised Software Installations
Workers may install unapproved software, such as messaging apps (e.g., WhatsApp, Skype), generative AI tools, or other productivity applications, on their corporate-issued or personal devices to streamline their workflows. These unsanctioned applications may not be subject to the same security controls and patch management processes as the organisation’s approved software.
Rogue IT Projects
In some cases, employees or even entire departments may initiate their own IT projects or acquire new technologies without the knowledge or approval of the IT team. This can lead to deploying systems or applications that are not integrated with the organisation’s existing infrastructure, creating operational inefficiencies and security risks.
Unauthorised Data Storage and Sharing
Employees may use personal email accounts, USB drives, or other unsanctioned file-sharing methods to store and transmit corporate data, bypassing the organisation’s data governance and security policies. This can result in losing control over sensitive information and increase the risk of data breaches or compliance violations.
Shadow IT can emerge within an organisation in diverse ways, often driven by employees’ desire to improve their productivity and efficiency. However, using these unsanctioned technologies can expose the organisation to significant security, compliance, and operational risks that must be addressed through a comprehensive shadow IT management strategy.
Types of Shadow IT
Several common types of shadow IT can emerge in organisations:
- SaaS applications: The implementation of cloud-based software-as-a-service (SaaS) applications, such as productivity tools, collaboration platforms, or file-sharing services, without the knowledge or approval of the IT team. These unsanctioned SaaS apps may lack proper access controls, security measures, and data governance policies.
- Personal devices and email accounts: Using personal laptops, tablets, smartphones, or email accounts to access, store, or share corporate data, which bypasses the organisation’s security policies and controls. This can lead to data leaks and compliance issues.
- Virtual machines: Employees create and use virtual machines on their desktops, servers, or in the cloud without the IT department’s knowledge or oversight. This can lead to vulnerabilities, default accounts, and poor configuration hygiene.
- Shadow IoT devices: This includes smart, connected devices like fitness trackers, cameras, printers, and even some medical devices that employees bring into the workplace without the knowledge or approval of the IT department. These devices can introduce vulnerabilities and provide potential pathways for threat actors to access the corporate network.
- Rogue network subnets: The addition of new network subnets, often due to office expansions or company acquisitions, that are not properly managed or integrated into the organisation’s overall network infrastructure. These “shadow” subnets can create blind spots and security risks.
- Unauthorised network hardware: Employees connect devices like consumer-grade Wi-Fi access points, printers, cameras, or other hardware to the corporate network without the IT team’s knowledge or approval. These unmanaged devices can expose the organisation to potential vulnerabilities and security breaches.
By understanding the various types of shadow IT, organisations can develop more targeted strategies to identify, manage, and mitigate the associated risks.
Managing Shadow IT
Now, let’s consider best practices to effectively manage shadow IT and mitigate its risks.
Gain Visibility
The first step is to gain visibility into the organisation’s shadow IT landscape. Specialised tools can continuously monitor the network and cloud environments to identify unsanctioned applications, devices, and services. By having a comprehensive inventory of shadow IT assets, organisations can better understand the scope of the problem and prioritise their mitigation efforts.
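As an added example, not Proofpoint's tooling or any vendor's code, the following is the core of such a discovery check: it matches web-proxy log destinations against a cloud-app catalogue and a sanctioned-app allow-list, then inventories everything else per user and upload volume. The log lines, catalogue and allow-list are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log (not real traffic): timestamp, user, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:01:12Z alice drive.google.com 48211
2024-03-01T09:02:40Z alice app.slack.com 1200
2024-03-01T09:05:03Z bob www.dropbox.com 983112
2024-03-01T09:07:51Z carol trello.com 2210
2024-03-01T09:10:00Z bob outlook.office365.com 5100
2024-03-01T09:12:44Z dave api.openai.com 30500
2024-03-01T09:13:10Z alice www.dropbox.com 120000
2024-03-01T09:15:22Z erin cdn.example-analytics.net 900
"""

# Hypothetical cloud-app catalogue keyed by domain suffix (a CASB or discovery tool would supply this).
CLOUD_APP_CATALOGUE = {
    "office365.com": "Microsoft 365",
    "drive.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "slack.com": "Slack",
    "trello.com": "Trello",
    "openai.com": "OpenAI",
}

# Hypothetical allow-list of the apps the IT department has approved.
SANCTIONED_APPS = {"Microsoft 365", "Google Drive"}

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def lookup_app(host):
    """Return the catalogued app for a host (most specific domain suffix first), or None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):          # full host, then each parent domain
        app = CLOUD_APP_CATALOGUE.get(".".join(labels[i:]))
        if app:
            return app
    return None


def discover_shadow_it(log_text):
    """Inventory unsanctioned cloud apps: {app: {"users": set, "bytes_sent": int}}.

    Hosts absent from the catalogue are kept under "uncatalogued:<host>" so that unknown
    services surface for review instead of silently vanishing from the report."""
    inventory = defaultdict(lambda: {"users": set(), "bytes_sent": 0})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                           # skip malformed lines rather than abort the run
        app = lookup_app(m["host"])
        if app in SANCTIONED_APPS:
            continue                           # approved app: nothing to report
        key = app or f"uncatalogued:{m['host']}"
        inventory[key]["users"].add(m["user"])
        inventory[key]["bytes_sent"] += int(m["bytes"])
    return dict(inventory)
```

Calling `discover_shadow_it(SAMPLE_PROXY_LOG)` on the constructed log reports four catalogued unsanctioned apps plus one uncatalogued host; the same function runs unchanged over an exported proxy log in this four-field format.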
Establish Clear Policies and Guidelines
Organisations should develop and communicate clear policies and guidelines around the use of technology in the workplace. These policies should outline the approved software, hardware, and cloud services that employees can use, as well as the process for requesting and obtaining approval for new technologies.
Empower Employees with Approved Tools
To reduce the need for employees to turn to shadow IT, organisations should ensure that they have access to a comprehensive suite of approved and supported tools that meet their productivity and collaboration needs. By proactively providing employees with the right tools and resources, organisations can minimise the incentive for them to seek out unsanctioned alternatives.
Implement Security Controls
Organisations should implement robust security controls, such as multi-factor authentication, encryption, and access management, to secure both sanctioned and unsanctioned technologies. Additionally, they should ensure that all devices and applications are properly patched and updated to mitigate known vulnerabilities.
Educate and Train Employees
Ongoing employee education and security awareness training are crucial for managing shadow IT. Employees should be made aware of the potential risks associated with shadow IT, as well as the approved processes for requesting and using new technologies. Regular security awareness training can also help employees recognise and avoid potential threats, such as phishing attacks or data breaches.
Collaborate with Employees
Rather than taking a heavy-handed approach, organisations should work collaboratively with employees to understand their technology needs and find approved solutions that meet their requirements. A collaborative approach can help foster a culture of trust and transparency, where employees feel empowered to work with the IT department to address their technology needs.
By implementing these best practices, organisations can gain more control over shadow IT activity, mitigate the associated risks, and empower their employees to work more efficiently and securely.
Shadow IT Risks & Issues
The proliferation of shadow IT in organisations can introduce a range of significant risks and issues that should be addressed.
Security Risks
Using unsanctioned applications and devices outside the control of the IT department can create significant security vulnerabilities. These unauthorised technologies may not have the same security controls, encryption, or access management protocols as approved corporate systems, exposing the organisation to potential data breaches, malware infections, and other cyber threats. Without visibility into the shadow IT landscape, the organisation’s attack surface expands, making detecting and responding to security incidents more difficult.
Compliance Violations
Many industries are subject to strict regulatory requirements for handling and storing sensitive data. When employees use unapproved applications and cloud services to store or share corporate data, the organisation may be at risk of non-compliance with relevant laws and regulations, such as HIPAA, GDPR, or PCI-DSS. The use of shadow IT can lead to costly fines, legal penalties, and reputational damage if the organisation violates these compliance standards.
Data Governance
Shadow IT can result in losing control over corporate data, as employees may store sensitive information on personal devices or in unsanctioned cloud storage solutions. This makes it challenging for the organisation to maintain proper data governance, backup, and disaster recovery procedures, potentially leading to data loss or leakage. Additionally, the use of multiple, uncoordinated applications can create “data silos”, making it difficult to obtain a comprehensive view of the organisation’s information assets.
Control Issues
Many workers deploy cloud apps in the corporate environment with the best of intentions. They’ve discovered an app that works great, and they use it and share it with colleagues. But IT hasn’t approved it because they don’t know about it.
The IT team might think they have 20 or 30 shadow apps on their network, which might be manageable. But when they run a Shadow IT discovery check, they’re shocked to find 1,300 such applications they had no idea were there. The more unknown apps on the network, the greater the risk from shadow IT. And you can’t secure what you don’t know about.
Operational Inefficiencies
The proliferation of shadow IT can lead to “app sprawl”, where different departments or individuals unknowingly acquire duplicate or overlapping software solutions. The result is wasted time, money, and resources as the organisation struggles to manage and maintain these disparate systems. Additionally, the lack of integration between shadow IT applications and approved corporate systems can hinder collaboration and productivity.
Talent Management Challenges
When employees use unsanctioned technologies, it can create difficulties in managing and supporting the organisation’s technology landscape. IT teams may struggle to provide adequate support and training for these unauthorised applications. Losing an employee responsible for a shadow IT solution can leave the organisation with a knowledge gap and operational disruptions.
Are There Benefits of Shadow IT?
While shadow IT poses significant risks to organisations, there are also potential benefits that should be considered:
- Increased employee productivity and efficiency by allowing the use of preferred tools and applications.
- Reduced IT costs by leveraging free or low-cost cloud-based services without central IT involvement.
- Empowerment of employees to innovate and find creative solutions to their work challenges.
- Optimisation of limited IT resources by allowing employees to self-provision basic services.
- Improved communication and collaboration through the use of cloud-based tools.
While these benefits can be compelling, organisations must carefully weigh them against the significant security, compliance, and operational risks associated with shadow IT. A comprehensive shadow IT management strategy is necessary to strike the right balance between empowering employees and maintaining control over the technology landscape.
Shadow IT Threats
In today’s cloud-first world, governing your users’ access to both IT-authorised and unauthorised apps (Shadow IT) has never been more important. The average enterprise has an estimated 1,000 cloud apps in use. And some of these have serious security gaps that can potentially put organisations at risk and violate compliance regulations and mandates. The widespread use of shadow IT poses many cybersecurity threats:
- Expanded attack surface and reduced visibility into the organisation’s IT environment, making it easier for cybercriminals to exploit vulnerabilities and gain unauthorised access.
- Data breaches and leaks of sensitive corporate data, such as personally identifiable information (PII), financial records, or intellectual property, due to the use of unsecured cloud-based applications and file-sharing tools.
- Malware infections and the potential spread of cyber threats throughout the organisation’s network, as unsanctioned devices and applications may not be subject to the same security protocols and antivirus protections as approved IT systems.
- Credential theft and unauthorised access to corporate systems and resources due to employees storing login credentials for shadow IT applications in unsecured locations.
- Insider threats and the potential for data exfiltration, as disgruntled or careless employees may use shadow IT to bypass security controls and steal sensitive information.
- Operational disruptions and loss of productivity due to the use of unsupported technologies, as the IT department may struggle to provide adequate support and maintenance for these unauthorised applications.
A common shadow IT scenario is a user granting broad OAuth permissions to a third-party app, which can inadvertently violate data residency regulations such as GDPR. In addition, attackers often use third-party add-ons and social engineering to trick people into granting broad access to your approved SaaS apps (such as Office 365, G Suite, and Box), which typically contain sensitive data.
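As an added illustration, not Proofpoint code, the following reviews a constructed export of third-party app consent grants and flags the broad ones for human review. The scope names follow Microsoft Graph conventions; the risk weights, the unverified-publisher penalty and the review threshold are this example's own assumptions.

```python
from dataclasses import dataclass

# Risk weights for delegated OAuth scopes, using Microsoft Graph-style permission names.
# The weights are this example's own policy, not a vendor or Microsoft rating.
SCOPE_RISK = {
    "Mail.ReadWrite": 3,        # full mailbox read/write
    "Mail.Read": 2,
    "Files.ReadWrite.All": 3,   # every file the user can reach, read and write
    "Files.Read.All": 2,
    "Directory.Read.All": 2,    # whole-tenant directory data
    "offline_access": 1,        # refresh token: access outlives the user's session
}
UNVERIFIED_PUBLISHER_PENALTY = 2
REVIEW_THRESHOLD = 4           # grants scoring at or above this go to the review queue


@dataclass(frozen=True)
class Grant:
    """One user consent to a third-party app, as exported from an identity provider's consent log."""
    app_name: str
    publisher_verified: bool
    scopes: tuple
    consented_by: str


def score_grant(grant):
    """Return (score, reasons): the scope-weight sum plus a penalty for unverified publishers."""
    reasons = [f"{s} (+{SCOPE_RISK[s]})" for s in grant.scopes if s in SCOPE_RISK]
    score = sum(SCOPE_RISK[s] for s in grant.scopes if s in SCOPE_RISK)
    if not grant.publisher_verified:
        score += UNVERIFIED_PUBLISHER_PENALTY
        reasons.append(f"unverified publisher (+{UNVERIFIED_PUBLISHER_PENALTY})")
    return score, reasons


def review_grants(grants, threshold=REVIEW_THRESHOLD):
    """Return grants that need human review, highest score first, as (app, user, score, reasons)."""
    flagged = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= threshold:
            flagged.append((g.app_name, g.consented_by, score, reasons))
    return sorted(flagged, key=lambda row: row[2], reverse=True)


# Constructed sample consent grants (not from any real tenant).
SAMPLE_GRANTS = [
    Grant("Calendar Sync Pro", True, ("Calendars.Read", "offline_access"), "alice"),
    Grant("Free PDF Converter", False, ("Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"), "bob"),
    Grant("Team Notes", False, ("User.Read",), "carol"),
    Grant("Doc Share", True, ("Files.Read.All", "offline_access"), "dave"),
    Grant("Org Chart Viewer", True, ("Directory.Read.All", "Files.Read.All"), "erin"),
]


if __name__ == "__main__":
    for app, user, score, reasons in review_grants(SAMPLE_GRANTS):
        print(f"REVIEW {app!r} granted by {user}: score {score}; {', '.join(reasons)}")
```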
Why Is Shadow IT Increasing?
Several key trends and statistics indicate that shadow IT is rising within organisations. Below are some of the most compelling reasons why shadow IT is increasing.
- Shift to remote and hybrid work: The global shift to remote and hybrid work models during the COVID-19 pandemic has been a major driver of the increase in shadow IT. As employees work from home, they have sought out new cloud-based tools and applications to maintain productivity and collaboration, often without the knowledge or approval of the IT department.
- 65% of experienced remote workers use shadow IT: Data shows that 65% of employees already working remotely before the pandemic are currently using some form of shadow IT, compared to only 31% working remotely after the pandemic. This suggests that the more comfortable employees become with remote work, the more likely they are to adopt unsanctioned technologies.
- Accelerated digital transformation: The need for rapid digital transformation to support remote work and online business operations has led many organisations to quickly adopt new cloud-based tools and services. However, this has often outpaced the ability of IT teams to properly vet and approve these technologies, resulting in the proliferation of shadow IT.
- 97% of cloud apps used in the average enterprise are shadow IT: Research by Netskope found a staggering 97% of cloud applications used within the average enterprise are considered shadow IT—not approved by the central IT department. This highlights the scale of the shadow IT challenge facing many organisations.
- Desire for productivity and efficiency: Employees often turn to shadow IT solutions because they perceive them as more user-friendly, efficient, or better suited to their specific needs than the approved corporate tools.
- 60% of office workers use shadow IT because it’s easier than dealing with IT: Statistics show that around 60% of office workers use shadow IT because they find it easier than working with their company’s IT team. This suggests that the perceived friction or bureaucracy associated with the IT department can be a significant factor in the rise of shadow IT.
These findings underscore a mounting need for organisations to better address the underlying drivers of shadow IT and develop more effective strategies to manage and mitigate the associated risks.
How Proofpoint Can Help
From data breaches and malware infections to compliance violations and operational disruptions, the prevalence of unsanctioned applications and devices can leave corporate assets vulnerable to a wide range of cyber threats. To effectively mitigate these shadow IT risks, organisations should consider implementing comprehensive solutions like those offered by Proofpoint.
Proofpoint’s Shadow solution transforms endpoints into a “web of deceptions”, making it difficult for attackers to move laterally within the network and gain access to critical assets. By using over 75 active deception techniques, Shadow can imitate credentials, connections, data, and other artefacts that appear valuable to threat actors, allowing security teams to detect and track their activities. Additionally, Proofpoint’s Identity Threat Defense Platform provides end-to-end protection against identity-based threats, helping organisations discover and remediate vulnerable identities, as well as detect and respond to active threats.
Proofpoint’s CASB solution can further help govern the use of shadow IT cloud apps and services by offering a centralised view of your cloud environment. It provides insights into who is accessing what apps and data in the cloud from where and from which device. CASBs catalogue cloud services (including third-party OAuth apps), rate the risk level and overall trustworthiness of cloud services, and assign them a score. CASBs even provide automated access controls to and from cloud services based on cloud service risk scores and other parameters, such as app category and data permissions.
By leveraging these advanced security solutions, organisations can gain visibility into their shadow IT landscape, deploy deceptive techniques to thwart attackers, and enhance their overall security posture. As the threat landscape continues to evolve, it’s crucial for businesses to proactively address the risks posed by shadow IT and protect their valuable data and resources. By partnering with Proofpoint, organisations can stay ahead of the curve and safeguard their operations against the growing menace of shadow IT. To learn more, contact Proofpoint.