Do You Have Shadows Lurking In Your IT?

by Bob Giguere | December 13, 2024

Illustration by GCA showing a diagonal column of blue boxes in varying sizes and shades.

What is Shadow IT?

When you think of a shadow, what are some of the first things that come to mind: maybe a scene from a scary movie you watched against your better judgement, or perhaps an ominous late night venture through an alleyway. While shadows often boast a pretty negative connotation, the real question is what do they mean for your IT environment?

Shadow IT refers to software, programs, or general technology that is adopted by users within an organization without the knowledge of the central IT department. Shadow IT can come in a variety of forms such as data, services, and APIs, but the most common form is (not surprisingly) applications. In a world dominated by applications for everything from practical functions such as home utilities and grocery delivery to slightly more, uhm, creative ones for location-based cuddling and demotivational pictures, it’s not surprising that users are deploying applications for their unique needs or to fill functional gaps within the IT environment. For context, some of the most common types of Shadow IT applications include:

  • Productivity apps such as Trello, Slack, and Asana
  • Messaging apps such as WhatsApp or Snapchat on corporate-owned devices
  • Cloud storage like Dropbox and Google Drive
  • Communication apps including Skype

While many of these software services likely sound familiar and may be deployed harmlessly and safely under the supervision of your IT department, the threat does not lie in the apps themselves but in the lack of awareness within your environment when users make rogue downloads. It is very difficult to effectively manage technology risk if your central IT professionals are unaware of the software in the workplace in the first place: an application nobody knows about cannot be patched, monitored, or included in an incident response plan.

The Spooky Risks of Shadow IT

But the risk to corporations extends beyond a simple lack of visibility and management. Let’s take a step back to review a statistic that may look familiar: an average data breach costs an organization $3.8 million, not to mention the damage to brand reputation and the extended impact on revenue. Looking at future breach expectations, it’s estimated that one third of data breaches will be the result of infiltration through Shadow IT software by 2020. Recognizing the potential financial and brand implications makes it clear that Shadow IT is both a business and an IT risk, one that should be addressed as part of a foundational security strategy and in order to maintain regulatory compliance.

Shine A Light On Your Shadow IT

Adjusting your IT strategy to accommodate the need to identify and secure Shadow IT instances is no small undertaking. To put it into context, it is estimated that 98% of cloud services in a large enterprise are Shadow IT, and the number of instances is growing rapidly as applications and services continue to innovate and become more readily available. Starting to feel like your organization is walking down that ominous alleyway followed by lurking shadows? There are some simple steps your organization and its leadership can take to ensure the proper management of Shadow IT, and the two most important are outlined below:

  1. One of the most common contributors to user participation in Shadow IT is that users simply feel their needs are not being addressed by the available IT resources in their environment. Ensuring that employees have access to the applications they need to do their jobs both effectively and efficiently is imperative. Particularly as the business evolves and adapts to changing environments, security leaders should actively listen to the needs of their users and act upon them promptly so that users don’t feel pressured to employ their own solutions, which improves both business performance and risk management.
  2. Adopt an IT strategy that specifically outlines the company guidelines regarding Shadow IT, and ensure that users are aware of and educated on it. While security education is not a silver bullet for information protection, it is a necessary first step in the right direction. Most employees do not engage in the activity with malicious intent, and many are not aware that what they are doing even goes against company policy. Simply informing users can substantially reduce the number of shadow cloud activities, which helps to reduce overall organizational risk.

While the suggestions sound almost too simple, the reality is that a large portion of the 98% can be attributed to a simple lack of awareness: employees unaware that they are engaging in activities against company policy, and the organization itself unaware of its users’ needs. Acknowledging how to best serve your users, particularly in a timely manner, may just be the ray of sunshine needed to make those shadows disappear.