Shadow IT refers to any unapproved hardware, software, applications, and services that employees use without the knowledge or monitoring of your IT team. The concept covers anything from personal devices used for work (bring your own device, or BYOD) to unauthorized consumer cloud tools. While shadow IT is not inherently “bad,” it can cause data breaches and compliance violations, words you never want to hear used in the same sentence as your company name!

That’s why it’s time to bring shadow IT into the light, because it’s critical to your cybersecurity, and it presents a valuable opportunity to bridge the gap between IT and other departments. Let’s dig into shadow IT: the good, the bad, and the ugly.


Examples of shadow IT

Shadow IT encompasses a lot of scenarios and issues. What may seem like a harmless, even innovative, workaround to someone in sales could mean a days- or months-long headache to someone in IT. Or worse, a lawsuit, a federally commissioned investigation, or significant loss of revenue.

Here are some shadow IT examples you might encounter:

  • Business conducted via personal email
  • Cloud-based file sharing, e.g. Dropbox or Google
  • User-friendly design tools, e.g. Canva or Visme
  • Third-party SaaS apps
  • Messaging or VoIP apps, e.g. Slack, WhatsApp, or Skype
  • Sales and marketing tools, e.g. Mailchimp or Eventbrite
  • Personal laptops, cell phones, and other devices

The most important thing to understand is that most of these tools, in and of themselves, don’t present any threat. Problems with shadow IT arise, however, when IT doesn’t know about their internal use. 

Shadow IT problems and risks

The IT team sometimes finds themselves at odds with other teams in the organization, especially on questions of security. The IT department is tasked with finding, maintaining, and monitoring the tools that employees need to do their jobs, while protecting the organization from vulnerabilities and security breaches. Employees in other departments want to do their jobs efficiently, effectively, and with as little friction as possible. And everyone wants to do their job well. But how the job gets done can lead to some “spirited debates.” 

IT wants safe and secure solutions, even if that means a steeper learning curve, slower employee adoption rates, and protections that may slow users down. Your non-IT folks want easy-to-use, intuitive tools that don’t feel like one more thing they have to learn, manage, or integrate into yet another system. Though employees outside of IT generally don’t have bad intentions, the rogue processes they adopt can introduce major shadow IT problems and risks.

Security attacks

This is the critical thing to remember about shadow IT: One data breach is all it takes to put your entire organization’s future at risk. Maybe you work in healthcare and your sales team travels every week. They use their own devices, which they’ve set up with IT, but “protect” them with an easy password like Password123 or MrWhiskers17. These devices contain protected health information. One team member leaves their device at the airport, and it’s never seen again. In the wrong hands, that missing device becomes a HIPAA disaster. 

The security solution landscape continues to change rapidly. That makes a strategy like Zero Trust Security a workable model, because it focuses on the security needs of each end user rather than trying to create a protective barrier around the entire company.

Revenue loss

Lawsuits are expensive. Cybersecurity attacks and data breaches can lead to a world of hurt legally, but you know what else is expensive? When IT is pulled into an emergency, all-hands-on-deck situation for a day, a week, or a month to fix a problem caused by shadow IT. Now the IT team is heads down on an issue that shouldn’t even exist (remember, shadow IT is unauthorized technology used to conduct business), which leaves other IT concerns to languish. The problem might even shut down vital services, like a CRM, procurement, or an online retail shop. Those losses add up fast.

Reputation damage

You never want to give people a reason to distrust your organization, your product or service, or their own security. It takes a lot of time and energy to build a solid reputation, so don’t let shadow IT risks undermine your efforts! The safety and security of your business, employees, and customers has to be your top priority. 

Information should only be accessible to people who need it to perform their jobs. Apps and software need to be authorized through IT so you don’t end up spending thousands (or even millions) on shadow IT app licenses each year. Personal devices used for business should only run approved messaging, email, and file sharing applications so if devices are lost or someone’s employment ends, your company’s data doesn’t walk out the door, too.

Internal strife

This one’s a biggie, and it gets to the fundamental reason employees turn to shadow IT, knowingly or unknowingly. The more IT systems and procedures you ask employees to understand and navigate, the more those employees will crave convenience and ease of use. As is often the case, lack of communication can cause a lot of problems. Employees may not understand the range of approved tech internally. Maybe they were never onboarded to use a specific tool. Maybe they’re more comfortable with something they used at their last job. Who knows? Necessity (or even strong personal preference) is the mother of shadow IT more often than not. 

But here’s the exact moment an issue turns into an opportunity.

Benefits of shadow IT

Shadow IT isn’t all bad! Sure, scary things can lurk in the shadows, but also think about how great a nice, shady spot is on a hot day. So bust out your picnic blanket and let’s talk about the benefits of shadow IT. 

Cultural shifts in communication

IT may have great resources to get new hires set up with approved apps and systems, but if HR or account leads don’t know about them or haven’t been looped into updates, there’s little chance that information travels any further than IT itself. 

Getting ahead of shadow IT, whether that’s through quarterly “Tech Talk” listening sessions with departments or email updates on new resources, creates better cross-team communication and greater adoption and use of approved IT solutions. It also saves time, money, and headaches. 

More innovation

If IT systems make a job harder, employees will almost certainly start looking for a workaround. Create a dedicated space for people to advocate for or inquire about tech solutions that make work flow. When appropriate, these discoveries can help people in other departments, improve job satisfaction and productivity, reduce frustration, and save money by weeding out tech redundancies or rogue licenses and subscriptions.

Better work

Shadow IT creates an opportunity for interested parties to meet halfway. There will be things that IT just can’t budge on due to security and compliance concerns. But there are other things IT can ease up on (a little). Giving employees some leeway to choose the solutions that improve their work is good business. Let them find and use what they need, while ensuring IT gets to control (and protect) data and manage user applications. Ultimately, IT and your other employees are all on the same team: your team.

Tap into the resources that bring shadow IT into the light so you can protect and grow your organization, improve quality of life for employees, and turn bottlenecks into breakthroughs. Discover the full range of Appfire ITSM Solutions and learn how to reinforce cloud security, because shadow IT loves to hide out in the cloud.


For expert advice, information, tools, and resources on security and compliance, explore The Hub, by Appfire.

Last updated: 2023-06-05
