Shadow IT is any software, hardware or IT resource used on an enterprise network without the IT department’s approval and often without IT’s knowledge or oversight. Sharing work files on a personal Dropbox account or thumb drive, meeting on Skype when the company uses WebEx, starting a group Slack without IT approval—these are examples of shadow IT.

Shadow IT does not include malware or other malicious assets planted by hackers. It refers only to unsanctioned assets deployed by the network’s authorized end users.

End users and teams typically adopt shadow IT because they can start using it without waiting for IT approval, or because they feel it offers better functionality for their purposes than whatever alternative IT offers. But despite these benefits, shadow IT can pose significant security risks. Because the IT team is unaware of shadow IT, it doesn’t monitor these assets, and doesn’t those assets or address their vulnerabilities. Shadow IT is particularly prone to exploitation by hackers. According to Randori’s State of Attack Surface Management 2022 report, nearly 7 in 10 organizations have been compromised by shadow IT in the past year.

According to Cisco, 80 percent of company employees use shadow IT. Individual employees often adopt shadow IT for their convenience and productivity—they feel they can work more efficiently or effectively using their personal devices and preferred software, instead of the company’s sanctioned IT resources.

This has only increased with the consumerization of IT and, more recently, with the rise of remote work. Software-as-a-service (SaaS) enables anyone with a credit card and a bare minimum of technical knowledge to deploy sophisticated IT systems for collaboration, project management, content creation and more. Organizations’ bring your own device (BYOD) policies permit employees to use their own computers and mobile devices on the corporate network. But even with a formal BYOD program in place, IT teams often lack visibility into the software and services employees use on BYOD hardware, and it can be difficult to enforce IT security policies on employees’ personal devices.

But shadow IT isn’t always the result of employees acting alone—shadow IT applications are also adopted by teams. According to Gartner, 38 percent of technology purchases are managed, defined, and controlled by business leaders rather than IT. Teams want to adopt new cloud services, SaaS applications, and other information technology, but often feel the procurement processes implemented by the IT department and CIO are too onerous or slow. So they go around IT to get the new technology they want. For example, a software development team might adopt a new integrated development environment (IDE) without consulting the IT department, because the formal approval process would delay development and cause the company to miss a market opportunity.

Unsanctioned third-party software, apps and services are perhaps the most pervasive form of shadow IT. Common examples include:

• Productivity apps such as Trello and Asana

• Cloud storage, file-sharing, and document-editing applications such as Dropbox, Google Docs, Google Drive, and Microsoft OneDrive

• Communication and messaging apps including Skype, Slack, WhatsApp, Zoom, Signal, Telegram, as well as personal email accounts

These cloud services and SaaS offerings are often easy to access, intuitive to use, and available free or at very low cost, enabling teams to quickly deploy them as needed. Often, employees bring these shadow IT applications to the workplace because they already use them in their personal lives. Employees may also be invited to use these services by customers, partners, or service providers — e.g., it’s not uncommon for employees to join clients’ productivity apps to collaborate on projects.

Employees’ personal devices—smartphones, laptops, and storage devices such as USB drives and external hard drives—are another common source of shadow IT. Employees may use their devices to access, store, or transmit network resources remotely, or they may use these devices on-premises as part of a formal BYOD program. Either way, it is often difficult for IT departments to discover, monitor and manage these devices with traditional asset management systems.

While employees typically adopt shadow IT for its perceived benefits, shadow IT assets pose potential security risks to the organization. Those risks include:

• Loss of IT visibility and control: Because the IT team is generally unaware of specific shadow IT assets, security vulnerabilities in these assets go unaddressed. According to Randori’s State of Attack Surface Management 2022 report, the average organization has 30 percent more exposed assets than its asset management programs have identified. End users or departmental teams may not understand the importance of updates, patching, configurations, permissions, and critical security and regulatory controls for these assets, further exacerbating the organization’s exposure.

• Data insecurity: Sensitive data may be stored on, accessed by, or transmitted through unsecured shadow IT devices and apps, putting the company at risk of data breaches or leaks. Data stored in shadow IT applications will not be caught during backups of officially sanctioned IT resources, making it hard to recover information after data loss. And shadow IT can also contribute to data inconsistency: When data is spread across multiple shadow IT assets without any centralized management, employees may be working with unofficial, invalid or outdated information.

• Compliance issues: Regulations like the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR) have stringent requirements for processing personally identifiable information (PII). Shadow IT solutions spun up by employees and departments without compliance expertise may not meet these data security standards, leading to fines or legal action against the organization.

• Business inefficiencies: Shadow IT applications may not integrate easily with sanctioned IT infrastructure, obstructing workflows that rely on shared information or assets. The IT team is unlikely to account for shadow IT resources when introducing new sanctioned assets or provisioning IT infrastructure for a given department. As a result, the IT department may make changes to the network or network resources in ways that disrupt the functionality of the shadow IT assets teams rely on.

In the past, organizations often tried to mitigate these risks by banning shadow IT entirely. However, IT leaders have increasingly accepted shadow IT as an inevitability, and many have come to embrace the business benefits of shadow IT. Those benefits include:

• Enabling teams to be more agile in responding to changes in the business landscape and the evolution of new technology

• Allowing employees to use the best tools for their jobs

• Streamlining IT operations by reducing the costs and resources required to procure new IT assets

To mitigate the risks of shadow IT without sacrificing these benefits, many organizations now aim to align shadow IT with standard IT security protocols rather than prohibit it outright. Toward that end, IT teams often implement cybersecurity technologies such as attack surface management (ASM) tools, which continuously monitor an organization’s internet-facing IT assets to discover and identify shadow IT as it’s adopted. These shadow assets can then be evaluated for vulnerabilities and remediated. 

Organizations may also use cloud asset security broker (CASB) software, which ensures secure connections between employees and any cloud assets they use, including known and unknown assets. CASBs can discover shadow cloud services and subject them to security measures like encryption, access control policies, and malware detection.