Shadow IT: What Is It, and What Do Cybersecurity Pros Need to Know?

Shadow IT refers to any technical solutions or applications that are adopted and used by end users without the approval and/or knowledge of centralized IT teams. While these applications lack governance, they are most often acquired by end users with the best of intentions.

1.11 Blog Post ThumbnailIf you think about your favorite horror film, there’s always something lurking in the shadows. Much to the disadvantage of the main character, it usually doesn’t turn out well. Similar to these horror movies, shadow IT isn’t a terribly positive aspect of the technology world. Shadow IT is that ubiquitous, yet potentially disastrous problem that comes about when end users adopt a tool that isn’t secure. Is it good or is it bad? That’s the question.

What Is Shadow IT?

Shadow IT refers to any technical solutions or applications that are adopted and used by end users without the approval and/or knowledge of centralized IT teams. While these applications lack governance, they are most often acquired by end users with the best of intentions.

However, despite the perceived goal, shadow IT can cause compliance and security issues for organizations. As any cybersecurity pro will tell you, it is extremely difficult for organizations to ensure data does not become compromised when shadow IT is in play.

Here are some common sources of shadow IT:

  • File storage: Applications like Google Drive and Dropbox offer enticing file storage options, some for free, that host files in the cloud instead of bogging down local devices with tons of files.
  • Productivity or project management apps: Popular apps like Trello and Asana are great for keeping to-do lists under control, but they often aren’t regulated and can contain sensitive information.
  • Messaging: Applications like What’sApp or Snapchat can be problematic if messages contain personally identifiable information (PII) or other protected info.
  • Social media: Users often unwittingly share sensitive information without any monitoring or oversight, which can quickly become a very public spectacle.
  • Calendars and scheduling: Third-party calendars help keep business and personal details in a single place, but meeting info or company details may inadvertently be lost or compromised.
  • Email: The average user has two email addresses and sends approximately 40 business emails per day. The lines can easily be blurred between personal and business accounts, making unsupervised emails a looming shadow IT issue.
  • BYOD: The Bring Your Own Device (BYOD) trend has allowed businesses to save some overhead, but a blended personal and business device leaves a lot of room for error. Imagine how often you’ve sent a text to the wrong person or a child accidentally hits the wrong button while playing a game. It’s a real struggle.

Securing What’s Lurking in the Shadows

Shadow IT is problematic for a variety of reasons. For one, there’s the financial issue of business lines purchasing applications that duplicate existing solutions, wasting money.

Beyond cost issues, shadow IT creates a significant security concern for technology teams. In a world dominated with headlines of breaches and data leaks, shadow IT makes it difficult to provide a secure environment.

And, as governance concerns grow, shadow IT also brings about a major problem for cybersecurity professionals. How can you secure something if you don’t know it’s there?

Track Resources reports that 80% of workers admit to using software as a service (SaaS) applications without getting approval from IT, with the average business boasting a whopping 975 unknown cloud services. And 83% of IT professionals reported that employees stored company data on unsanctioned cloud services.

These stats speak volumes, causing widespread concern about the consequences of unsecured apps. While it may seem that simply locking things down is the right path, there are concerns with productivity.

Since IT is a constantly shifting landscape, using innovative tools isn’t just a matter of improved efficiency – it can also be viewed as a lack of competitive edge. In fact, the same Track Resources report showed that 77% of surveyed professionals believe their organization could gain an advantage from embracing shadow IT solutions.

Of course, tried-and-true solutions aren’t free from problems either. Legacy systems pose their own set of security concerns.

“As legacy IT systems age … the security risks increase, compounded by the fact that many of these systems are critical to the business and often cannot be decommissioned or replaced because of high costs, complexity or lack of suitable alternatives,” Warwick Ashford wrote in Computer Weekly.

How to Strike the Right Balance with Shadow IT

The threats posed by shadow IT are real, but imposing further restrictions doesn’t always lead to a more secure environment. It can actually have the opposite effect. Enhanced rules may cause workers to venture outside of approved IT more, rather than less—especially if they feel their pain points are being ignored.

Striking the right balance consists of developing the right company policies while listening to end user pain points and training employees to identify threats like social engineering.

1. Develop Informed Company Policies

If shadow IT is an inevitability to a certain degree, it’s wise to develop company policies that will allow for usage while still protecting your data. You could permit shadow IT that doesn’t impact mission-critical systems or possibly integrate shadow IT with high usage as part of your supported technology. (Here’s one example of a shadow IT policy.)

2. Listen to Your User Requests

Ultimately, if your users feel unsupported and frustrated by constant refusals for IT requests, they are more likely to seek out unapproved applications. If you keep an open ear to constituency concerns and work diligently to provide end users with the functionality they need, you’ll be less likely to encounter shadow IT.

3. Educate on Social Engineering

Shadow IT is an enticing entry for accomplished social engineers. A sophisticated smishing attack might yield precious company data if executed well on a BYOD device, for example. Teach users the danger of social engineering, and you could thwart unwanted problems.

At the beginning of this article, we posed the question: is shadow IT good or bad? The answer is it can be a bit of both. Utilizing innovative tools to boost productivity is certainly a good thing. But using too many of these tools with abandon, can be costly. Find the right balance and you’re on your way to a happy, productive and secure work environment.  

Ready to upgrade your IT skills? We've got great news! You can save big on CompTIA certifications and training right now.

Email us at blogeditor@comptia.org for inquiries related to contributed articles, link building and other web content needs.

Read More from the CompTIA Blog

Leave a Comment