Shadow IT

What is shadow IT?

Shadow IT is the practice of using hardware or software within an organization without the knowledge or approval of the organization's IT department. As these unsanctioned applications slip under the IT department's radar, their security remains questionable, and they carry the potential to wreak havoc on your network if left undetected. This is why it's important to discover shadow IT.

Shadow IT discovery

Shadow IT discovery is the process of detecting unauthorized services being used within an organization. Detecting the services being used and the magnitude of their usage helps IT departments regulate shadow IT. Here are a few ways to detect shadow IT:

  • Employee surveys:

    Periodically conducting employee surveys can help IT departments gain insights on the unauthorized services being used.

  • Network traffic analysis:

    IT departments can monitor network traffic to identify unauthorized applications and cloud services that are being used within the organization.

  • Endpoint detection and response (EDR):

    EDR tools can be used to monitor endpoint activity to detect unauthorized applications and cloud services.

  • Cloud access security brokers (CASBs):

    CASBs can be used to identify and monitor the use of unauthorized cloud services.
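Network traffic analysis, as described above, comes down to comparing the services that endpoints actually talk to against the list of services IT has approved, and then measuring how heavily each unapproved service is used. The following Python script is an added example and not part of the original page or any ManageEngine product; it reads constructed proxy log lines (a hypothetical "timestamp user method host bytes_out" format), matches each destination host against a hypothetical allow list of sanctioned domains, and aggregates request counts, distinct users and uploaded bytes per unsanctioned service. Ranking the result by bytes uploaded surfaces the services with the greatest data-loss exposure, which is also the shortlist an IT department would review first when deciding which shadow apps to inspect and approve.

```python
"""Flag unsanctioned SaaS usage from proxy logs (added example, not page code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical allow list of sanctioned services. A real list would come from the
# organization's approved-software register; subdomains of these entries also match.
SANCTIONED_DOMAINS = {"sharepoint.com", "office.com", "example-corp.com"}

# Constructed proxy log lines in a hypothetical format:
# "<timestamp> <user> <method> <destination host> <bytes sent by the client>"
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice PUT files.dropbox.com 2048000
2024-03-04T09:13:44Z bob GET contoso.sharepoint.com 512
2024-03-04T09:15:10Z carol POST chat.openai.com 14000
2024-03-04T09:16:02Z alice POST chat.openai.com 9100
2024-03-04T09:20:55Z dave PUT files.dropbox.com 870000
2024-03-04T09:22:13Z erin GET www.office.com 300
2024-03-04T09:25:40Z dave POST api.slack.com 4200
"""


@dataclass
class ServiceUsage:
    """Aggregated activity towards one unsanctioned service."""
    requests: int = 0
    bytes_out: int = 0              # bytes uploaded (PUT/POST bodies)
    users: set = field(default_factory=set)


def registrable_domain(host):
    """Reduce a host name to its last two labels (e.g. files.dropbox.com -> dropbox.com).

    This is deliberately crude: production code should use the Public Suffix List so
    that hosts such as example.co.uk are handled correctly.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_sanctioned(host, allow=SANCTIONED_DOMAINS):
    """True if the host belongs to a sanctioned domain (or a subdomain of one)."""
    return registrable_domain(host) in allow


def parse_line(line):
    """Parse one constructed proxy log line into a record."""
    ts, user, method, host, nbytes = line.split()
    return {"ts": ts, "user": user, "method": method, "host": host, "bytes": int(nbytes)}


def unsanctioned_usage(log_text, allow=SANCTIONED_DOMAINS):
    """Aggregate per-service usage for every destination not on the allow list."""
    usage = defaultdict(ServiceUsage)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_sanctioned(rec["host"], allow):
            continue
        service = usage[registrable_domain(rec["host"])]
        service.requests += 1
        service.users.add(rec["user"])
        # Only uploads count towards data-loss exposure; downloads are ignored here.
        if rec["method"] in ("PUT", "POST"):
            service.bytes_out += rec["bytes"]
    return dict(usage)


def rank_by_upload(usage):
    """Order services by bytes uploaded (descending), then by name for stable output."""
    return sorted(usage.items(), key=lambda kv: (-kv[1].bytes_out, kv[0]))


if __name__ == "__main__":
    for domain, u in rank_by_upload(unsanctioned_usage(SAMPLE_LOG)):
        print(f"{domain:<14} requests={u.requests:<3} users={len(u.users):<2} "
              f"bytes_out={u.bytes_out}")
```

Run against the sample, the script reports dropbox.com (two users, about 2.9 MB uploaded), openai.com and slack.com, while the SharePoint and Office traffic is skipped as sanctioned. In practice the same logic runs over exported proxy, DNS or NetFlow data, and the allow list is maintained alongside the approval workflow so that newly approved services stop appearing in the report.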

Shadow IT in cybersecurity

Employees leverage shadow IT to enhance their productivity, but seldom consider the implications for the IT administrator while doing so.

From a cybersecurity standpoint, these unauthorized services may not have adequate security measures in place, such as encryption, access controls, or secure data storage. This can lead to the exposure of sensitive data to unauthorized individuals, including cybercriminals.

Additionally, the lack of oversight and control over shadow IT can make it difficult for the IT department to detect and respond to security incidents. This can delay incident response and increase the likelihood of data loss or system compromise.

Shadow IT examples

Shadow IT can take various forms, based on the user's intent. A few widely-used applications include:

  • Cloud services:

    Cloud storage services like Google Drive or Dropbox for file storage, sharing, or collaboration.

  • Messaging apps:

    Apps like Slack and Yammer, which are used to build forums for business discussions.

  • Personal devices:

    Using vulnerable personal mobile phones or laptops for remote work.

  • Software applications:

    Various software used to eliminate tedious tasks, streamline workflows, and enhance productivity.

  • Social media:

    Apps like LinkedIn for networking, prospecting, or other work-related tasks.

Why do people use shadow IT?

According to G2, about 35% of employees feel the need for shadow IT applications as a workaround. Here are a few reasons why people use them:

  • Productivity:

    Employees leverage shadow IT applications to enhance their productivity, as they feel their organization's sanctioned applications are too restrictive.

  • Convenience:

    Employees are accustomed to their preferred tools and choose them over an unfamiliar tool.

  • Lack of IT support:

    Employees turn to shadow IT applications when IT support is slow to respond or inadequate.

  • Lack of awareness:

    The awareness around shadow IT and its risks is limited. Roughly one in every five organizations does not have a shadow IT policy in place.

Shadow IT policies

Organizations have seen a steady rise in remote work and BYOD policies, contributing to a surge in shadow IT. In 2020, the first year of the COVID-19 pandemic, shadow IT exploded by 59%. The growing use of unauthorized services makes it critical for organizations to regulate shadow IT. An organization-wide shadow IT policy must:

  • Explicitly define what is considered to be shadow IT.
  • Describe the roles and responsibilities of an employee when it comes to using shadow IT.
  • Outline how employees must report the use of shadow IT applications.
  • State the consequences if an employee does not report the usage of shadow IT.
  • Outline the process of review and approval of new technology services.

Shadow IT solutions

Employees are adopting generative AI services like ChatGPT and Bard for a wide range of applications, from creating content to generating complex pieces of code. But the usage of these services often occurs unbeknownst to their organizations, leading to a surge in shadow IT. Samsung has reportedly banned its staff from using generative AI tools after employees accidentally leaked data via ChatGPT. Across every industry, organizations must fortify their IT infrastructure to tackle shadow IT. A few measures to consider include:

  • Implementing shadow IT policies:

    Having stringent organization-wide policies on the usage of unauthorized devices, software, and services can help employees make informed decisions on the use of shadow IT.

  • Increasing employee awareness:

    Mandatory courses on shadow IT, the associated risks, and compliance can educate employees about their responsibilities.

  • Adapting to technology:

    Tools like cloud access security brokers (CASBs) and endpoint detection and response (EDR) can help detect unauthorized services being used within the organization.

  • Streamlining approval workflows:

    IT departments can identify the shadow IT applications that are most frequently used, inspect them for potential threats, and approve their usage.

Leverage the power of the cloud with Cloud Protection

With a CAGR of 17.9% and a projected market size of $1.2 trillion by 2027, cloud services are here to stay. So it's time for your IT department to be agile in leveraging the power of the cloud while staying protected from malware lurking on unsecure sites. Following these eight best practices for cloud application security can also boost your cybersecurity posture.

Deploying tools like ManageEngine DataSecurity Plus with Cloud Protection capabilities can help you:

  • Get a bird's-eye view of web application usage in your organization.
  • Discover which sanctioned, unsanctioned, and shadow apps are being used.
  • Detect attempts to access banned and shadow websites.
  • Prevent employees from accessing unproductive, unsafe, and inappropriate websites.

Try DataSecurity Plus, and don't let shadow IT overshadow your network security.
