Shadow IT

Smartphones, fitness watches and smart coffee machines are quickly registered in the company’s own Wi-Fi network. Cloud services can be used to easily transfer large amounts of data. However, this behavior can pose enormous risks to companies’ data security.

What exactly is shadow IT?

The term shadow IT refers to the use of IT systems, software and services within a company without explicit approval or control by the IT department.

In today’s hyper-connected, digital world, companies are trying to keep pace with the ever-evolving technology landscape. This drive for innovation is certainly essential for many companies to remain competitive, but it can have negative consequences if companies neglect essential safeguards – above all IT security – in their push for rapid development, process optimization or even increased profits.

The existence of shadow IT is problematic for companies if it arises over a longer period of time and without the knowledge of those responsible and becomes entrenched in the company. Nevertheless, organizations can also derive positive aspects from the existence of shadow IT. We will show you what these are in the following blog article. We delve deeper into the topic of shadow IT and shed light on its causes, its effects and the measures that should be taken when dealing with shadow IT.

The history of shadow IT

As already briefly mentioned, shadow IT usually arises when employees in a company use solutions, services or tools that have not been provided or approved by the responsible persons or the responsible IT department.

This can happen for various reasons:

  • Needs are not being met: Employees may have special needs that are not met by the official IT solutions. For example, a certain function cannot be performed by the tool provided or the handling poses challenges for the user. Employees then often look for alternatives on their own to increase their productivity or optimize their work.
  • Flexibility and speed: Official IT processes can sometimes be slow and involve approvals and waiting times. When employees need to act quickly, they often fall back on applications they already know and are familiar with instead of waiting for the official solutions.
  • Ease of access: With the advent of cloud services and readily available software, employees can more easily log in and use the applications that suit their needs without having to involve IT managers.
  • Lack of awareness of the problem: Sometimes employees are not aware that what they are doing falls under the category of shadow IT. They may see it as a workaround rather than a deviation from official processes.
  • Perceived bureaucracy: If the IT department is perceived as too strict or the processes are seen as too bureaucratic, employees may avoid going through the relevant bodies or people.
  • Lack of personnel: If the IT department is understaffed or the responsible persons are absent due to illness or on vacation, employees may make their own decisions out of necessity and look for alternatives themselves, thus contributing to the emergence of shadow IT.

It is clear that there are many reasons why shadow IT can arise. Very quickly – and often without realizing it – any employee can contribute to the emergence of shadow IT or the spread of existing shadow IT structures. The following everyday work situations show how employees operate outside of the internal, secure IT infrastructure and what potential threats result from this.

Unauthorized cloud storage usage:

To send a file attachment that is too large, employees use personal cloud storage accounts to transfer company information to another device.

  • Possible threats: Data leaks, loss of control over sensitive information, regulatory breaches, lack of encryption, potential exposure to cyber-attacks.

Messaging apps for work communication:

Various teams use unauthorized messaging apps, e.g. WhatsApp, to communicate with each other quickly.

  • Possible threats: Lack of end-to-end encryption, potentially insecure sharing of confidential data, lack of control over message storage, risk of malware spreading through file sharing.

Personal project management tools:

The departments use their own management tools to better plan, control, monitor and complete projects.

  • Possible threats: Data fragmentation, integration difficulties, security vulnerabilities, inability to maintain consistent project oversight, compromised data privacy.

Unauthorized SaaS subscriptions:

Employees subscribe to unauthorized SaaS applications, e.g. Microsoft 365, for specific tasks.

  • Possible threats: Data breaches, lack of data encryption, limited visibility into third-party data processing practices, risk of non-compliance with data protection regulations, insufficient security settings, lack of security update management.

What is so dangerous about shadow devices?

These four examples alone show some of the potential threats that could arise from the presence of shadow IT. The problem with using shadow devices can be summarized relatively easily: You can’t secure what you don’t know.

This means that every device and every program represents a potential security risk for company data. If those responsible are not aware of its existence, they cannot take the necessary security or data protection precautions. For example, employees cannot be made aware of the specific dangers of the individual technology, data protection settings are never configured, and security controls such as firewalls are not set up, or only insufficiently.

In general, the attack surface for cyber criminals increases when additional programs and devices are used and the IT infrastructure becomes more complex as a result. The risk grows significantly if these applications are used without any security controls at all.

Shadow IT can also have positive effects on a company (promoting innovation, faster decision-making by employees or research into new technologies), but the risks outweigh the benefits.

In addition to the data security risks mentioned above – the loss of data and control, or breaches of compliance guidelines – additional costs can arise for the company if, for example, different departments use similar applications separately from one another and therefore pay twice for licenses or subscriptions. Loss of productivity or scaling problems can also occur if the shadow IT is not designed for growth.

Dealing with and combating shadow IT

If it is determined that shadow IT has become established in the company or is in the process of developing, measures should be taken. The aim should be to create a safe, efficient and productive working environment for employees. An analysis of why shadow IT has spread is recommended; perhaps one of the reasons mentioned above is the trigger. Once the reasons are understood, work together with the team to solve the problem. This can be achieved by following the tips below.

  1. Recognize and understand: It should be understood why shadow IT exists or why it has arisen. It is important to understand the motives and respond to the needs of employees.
  2. Open communication: Encourage staff to share and discuss their needs openly and transparently with the IT department or the people in charge.
  3. Education: Inform your employees about the risks of shadow IT.
  4. Cooperative solutions: Work together with employees to find solutions. Work with the team to find services, tools and applications that meet their needs.
  5. Process optimization: Implement streamlined processes for the introduction of new applications, the approval of new technologies and the provision of these tools.
  6. Regular audits and feedback loops: Conduct regular investigations to identify unauthorized applications and ask your employees whether they are satisfied with existing processes and applications.
  7. Updates: Keep the IT you use up to date to adapt it to changing needs.
  8. Celebrate successes: Show your team why an application or solution should be used or what positive developments have resulted from its use.
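The audit in step 6 starts from the principle "you can't secure what you don't know": reconcile what is actually on the network against what IT has approved. The following added example (not from the original article) does this with constructed sample data: a hypothetical allowlist of sanctioned SaaS domains, a device inventory keyed by MAC address, a few web-proxy log lines and DHCP leases, all invented for illustration. It reports unapproved cloud or messaging domains per user (with bytes sent, so a large personal-cloud upload stands out) and devices that hold a lease but are missing from the inventory, such as the smart coffee machine from the introduction.

```python
"""Shadow IT audit helper (added example, not from the original article)."""
from collections import defaultdict

# Constructed allowlist of sanctioned SaaS domains (hypothetical values).
APPROVED_DOMAINS = {"mail.example-corp.internal", "projects.example-corp.internal"}

# Constructed asset inventory: MAC address -> owner/hostname (hypothetical values).
INVENTORY = {"aa:bb:cc:00:00:01": "alice-laptop", "aa:bb:cc:00:00:02": "bob-laptop"}

# Constructed web-proxy log, one "user domain bytes_out" record per line.
PROXY_LOG = """\
alice mail.example-corp.internal 1200
alice drive.personal-cloud.example 48000000
bob web.whatsapp.example 900
bob projects.example-corp.internal 3000
carol drive.personal-cloud.example 2100000
"""

# Constructed DHCP lease list, one "mac hostname" record per line.
DHCP_LEASES = """\
aa:bb:cc:00:00:01 alice-laptop
aa:bb:cc:00:00:02 bob-laptop
de:ad:be:ef:00:01 smart-coffee-machine
"""


def unapproved_saas(log: str, approved: set[str]) -> dict[str, dict[str, int]]:
    """Return {domain: {user: bytes_out}} for every domain outside the allowlist."""
    hits: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        user, domain, nbytes = line.split()
        if domain not in approved:
            hits[domain][user] += int(nbytes)
    return {domain: dict(users) for domain, users in hits.items()}


def unknown_devices(leases: str, inventory: dict[str, str]) -> list[tuple[str, str]]:
    """Return (mac, hostname) for each lease whose MAC is missing from the inventory."""
    found = []
    for line in leases.splitlines():
        mac, hostname = line.split()
        if mac not in inventory:
            found.append((mac, hostname))
    return found


if __name__ == "__main__":
    for domain, users in unapproved_saas(PROXY_LOG, APPROVED_DOMAINS).items():
        print(f"unapproved SaaS {domain}: {users}")
    for mac, hostname in unknown_devices(DHCP_LEASES, INVENTORY):
        print(f"unknown device {hostname} ({mac})")
```

In practice the two inputs come from the proxy or DNS logs and the DHCP server or NAC, and the output feeds the conversation with the team in steps 2 and 4 rather than an automatic block.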