Shadow IT is any software, hardware or information technology (IT) resource used on an enterprise network without the IT department’s approval, knowledge or oversight.
Examples of shadow IT include sharing work files on a personal cloud storage account, holding meetings through an unauthorized video conferencing platform when the company uses a different approved service, or creating an unofficial group chat without IT approval.
Shadow IT does not include malware or other malicious assets planted by hackers. It refers only to unsanctioned assets deployed by the network’s authorized end users.
End users and teams typically adopt shadow IT because they can start using it without waiting for IT approval, or because they feel it offers better functionality for their purposes than whatever alternative IT offers. But despite these benefits, shadow IT can pose significant security risks. Because the IT team doesn’t know these assets exist, it can’t monitor them, patch them or address their vulnerabilities, which makes shadow IT an attractive target for attackers. According to the IBM Security® Randori® State of Attack Surface Management 2022 report, nearly 7 in 10 organizations were compromised through shadow IT between 2021 and 2022.
According to Cisco, 80% of company employees use shadow IT. Individual employees often adopt shadow IT for their convenience and productivity—they feel they can work more efficiently or effectively using their personal devices and preferred software, instead of the company’s sanctioned IT resources.
Shadow IT adoption has only increased with the consumerization of IT and, more recently, with the rise of remote work. Software-as-a-service (SaaS) enables anyone with a credit card and a bare minimum of technical knowledge to deploy sophisticated IT systems for collaboration, project management, content creation and more. Organizations’ bring your own device (BYOD) policies permit employees to use their own computers and mobile devices on the corporate network. But even with a formal BYOD program in place, IT teams often lack visibility into the software and services that employees use on BYOD hardware, and it can be difficult to enforce IT security policies on employees’ personal devices.
But shadow IT isn’t always the result of employees acting alone—shadow IT applications are also adopted by teams. According to Gartner, 38% of technology purchases are managed, defined, and controlled by business leaders rather than IT. Teams want to adopt new cloud services, SaaS applications, and other information technology, but often feel the procurement processes implemented by the IT department and CIO are too burdensome or slow. So they evade IT to get the new technology they want. For example, a software development team might adopt a new integrated development environment without consulting the IT department, because the formal approval process would delay development and cause the company to miss a market opportunity.
Unsanctioned third-party software, apps and services are perhaps the most pervasive form of shadow IT. Common examples include:
Productivity apps such as Trello and Asana
Cloud storage, file-sharing, and document-editing applications such as Dropbox, Google Docs, Google Drive and Microsoft OneDrive
Communication and messaging apps including Skype, Slack, WhatsApp, Zoom, Signal, Telegram and personal email accounts
These cloud services and SaaS offerings are often easy to access, intuitive to use, and available free or at very low cost, enabling teams to quickly deploy them as needed. Often, employees bring these shadow IT applications to the workplace because they already use them in their personal lives. Employees may also be invited to use these services by customers, partners, or service providers—for example, it’s not uncommon for employees to join clients’ productivity apps to collaborate on projects.
Employees’ personal devices—smartphones, laptops, and storage devices such as USB drives and external hard drives—are another common source of shadow IT. Employees may use their devices to access, store, or transmit network resources remotely, or they may use these devices on-premises as part of a formal BYOD program. Either way, it is often difficult for IT departments to discover, monitor and manage these devices with traditional asset management systems.
While employees typically adopt shadow IT for its perceived benefits, shadow IT assets pose potential security risks to the organization. Those risks include:
Loss of IT visibility and control
Because the IT team is generally unaware of specific shadow IT assets, security vulnerabilities in these assets go unaddressed. According to the IBM Security Randori State of Attack Surface Management 2022 report, the average organization has 30% more exposed assets than its asset management programs have identified. End users or departmental teams may not understand the importance of updates, patching, configurations, permissions, and critical security and regulatory controls for these assets, further exacerbating the organization’s exposure.
Data insecurity
Sensitive data may be stored on, accessed by, or transmitted through unsecured shadow IT devices and apps, putting the company at risk of data breaches or leaks. Data stored in shadow IT applications will not be caught during backups of officially sanctioned IT resources, making it hard to recover information after data loss. And shadow IT can also contribute to data inconsistency: when data is spread across multiple shadow IT assets without any centralized management, employees may be working with unofficial, invalid or outdated information.
Compliance issues
Regulations like the Health Insurance Portability and Accountability Act, Payment Card Industry Data Security Standard, and the General Data Protection Regulation have stringent requirements for processing personally identifiable information. Shadow IT solutions spun up by employees and departments without compliance expertise may not meet these data security standards, leading to fines or legal action against the organization.
Business inefficiencies
Shadow IT applications may not integrate easily with sanctioned IT infrastructure, obstructing workflows that rely on shared information or assets. The IT team is unlikely to account for shadow IT resources when introducing new sanctioned assets or provisioning IT infrastructure for a given department. As a result, the IT department may make changes to the network or network resources in ways that disrupt the functionality of the shadow IT assets teams rely on.
In the past, organizations often tried to mitigate these risks by banning shadow IT entirely. However, IT leaders have increasingly accepted shadow IT as an inevitability, and many have come to embrace the business benefits of shadow IT. Those benefits include:
Enabling teams to be more agile in responding to changes in the business landscape and the evolution of new technology
Allowing employees to use the best tools for their jobs
Streamlining IT operations by reducing the costs and resources required to procure new IT assets
To mitigate the risks of shadow IT without sacrificing these benefits, many organizations now aim to align shadow IT with standard IT security protocols rather than prohibit it outright. Toward that end, IT teams often implement cybersecurity technologies such as attack surface management tools, which continuously monitor an organization’s internet-facing IT assets to discover and identify shadow IT as it’s adopted. These shadow assets can then be evaluated for vulnerabilities and remediated.
Organizations may also use cloud access security broker (CASB) software, which sits between employees and the cloud services they use, sanctioned or not, and enforces security policy on that traffic. CASBs discover shadow cloud services, typically by analyzing firewall and web proxy logs, and then subject them to security measures like encryption, access control policies and malware detection.
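The discovery step that both attack surface management tools and CASBs rely on can be illustrated with a small log review. The following is an added example, not code from IBM, Randori or any CASB vendor: it reads outbound web proxy records, ignores services on a sanctioned allowlist, buckets the rest by SaaS category, and flags unsanctioned storage services that received large client uploads. The log format (a Squid-style line of timestamp, user, client IP, method, host, bytes sent by the client, bytes received), the sample lines, the allowlist and the category table are all constructed assumptions for the example; a real deployment would load them from the proxy and the organization’s own policy.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample proxy log (hypothetical data, not from any real system).
# Fields: timestamp user client_ip method host bytes_from_client bytes_to_client
SAMPLE_LOG = """\
1700000000.123 alice 10.0.1.15 POST www.dropbox.com 48213000 2048
1700000001.456 bob 10.0.1.22 GET api.slack.com 1200 9100
1700000002.789 carol 10.0.1.31 POST www.dropbox.com 12000 700
1700000003.001 alice 10.0.1.15 GET drive.google.com 900 15000
1700000004.111 dave 10.0.1.40 POST upload.wetransfer.com 210000000 1800
1700000005.222 erin 10.0.1.51 GET teams.microsoft.com 1500 30000
1700000006.333 bob 10.0.1.22 CONNECT web.whatsapp.com 5000 5000
1700000007.444 alice 10.0.1.15 GET intranet.example.com 700 20000
"""

# Assumed allowlist: services IT has formally approved, keyed by domain suffix.
SANCTIONED: Dict[str, str] = {
    "slack.com": "messaging",
    "teams.microsoft.com": "messaging",
    "onedrive.live.com": "storage",
}

# Assumed category table for third-party SaaS worth tracking. Anything not
# listed here (e.g. the intranet) is out of scope for the shadow-IT review.
CATEGORIES: Dict[str, str] = {
    "dropbox.com": "storage",
    "drive.google.com": "storage",
    "wetransfer.com": "storage",
    "slack.com": "messaging",
    "teams.microsoft.com": "messaging",
    "whatsapp.com": "messaging",
    "trello.com": "productivity",
}

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<up>\d+)\s+(?P<down>\d+)$"
)

# Upload volume above which an unsanctioned storage service is worth a closer look.
UPLOAD_THRESHOLD_BYTES = 10 * 1024 * 1024


def match_suffix(host: str, table: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Longest suffix in `table` that matches `host` on a label boundary.

    Matching on a label boundary matters: "evil-slack.com" must not match
    the "slack.com" allowlist entry, while "api.slack.com" must.
    """
    host = host.lower().rstrip(".")
    best: Optional[Tuple[str, str]] = None
    for suffix, value in table.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, value)
    return best


@dataclass
class ServiceReport:
    category: str
    users: Set[str] = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def find_shadow_services(log_text: str) -> Dict[str, ServiceReport]:
    """Aggregate traffic to categorised but unsanctioned services, keyed by domain suffix."""
    reports: Dict[str, ServiceReport] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the whole review
        host = m.group("host")
        if match_suffix(host, SANCTIONED):
            continue  # approved service, nothing to report
        hit = match_suffix(host, CATEGORIES)
        if hit is None:
            continue  # not a tracked SaaS category
        suffix, category = hit
        rep = reports.setdefault(suffix, ServiceReport(category=category))
        rep.users.add(m.group("user"))
        rep.requests += 1
        rep.bytes_uploaded += int(m.group("up"))
    return reports


def exfil_candidates(reports: Dict[str, ServiceReport],
                     threshold: int = UPLOAD_THRESHOLD_BYTES) -> List[str]:
    """Unsanctioned storage services that received more than `threshold` bytes from clients."""
    return sorted(s for s, r in reports.items()
                  if r.category == "storage" and r.bytes_uploaded > threshold)


if __name__ == "__main__":
    found = find_shadow_services(SAMPLE_LOG)
    for suffix, rep in sorted(found.items()):
        print(f"{suffix:<20} {rep.category:<12} users={len(rep.users)} "
              f"requests={rep.requests} uploaded={rep.bytes_uploaded}")
    print("large uploads to shadow storage:", exfil_candidates(found))
```

Two design points carry over to real tooling: match hosts on a label boundary rather than with a plain substring test, or a lookalike domain slips through the allowlist; and report distinct users per service, because a service used by one person is a different conversation from one a whole team has quietly adopted.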