Shadow IT - What it is and what Risks are Lurking

Companies are reliant on a high-performance IT environment and employees are also happy to have access to appropriate tools for their work. However, it becomes problematic if an “unofficial” parallel structure, a shadow IT, exists in the company alongside the “official” range of software and hardware solutions, or if this develops over time. In this article, we discuss how this happens and how you can take action against it.

What is Shadow IT?

The term “shadow IT” covers all types of software and hardware that are used in a company without the company's own IT department being informed of this use. Employees use technical solutions without official approval and therefore without internal management or control.

Important: Shadow IT is not necessarily malware. However, as the company has no control over software or hardware that is unknown to in-house IT, these software and hardware solutions can still pose a risk to the company's cyber security.

As more and more employees are now working remotely, i.e. are subject to less direct control, and at the same time numerous IT services are available as cloud services, the use of unauthorized IT solutions is now just a few clicks away for employees. According to a CORE Research report, the pressure to create quick solutions for remote workplaces across all industries during the coronavirus pandemic has strongly encouraged the increased use of shadow IT. But why do employees resort to such solutions?

Shadow IT – How Parallel Structures Form

In the best-case scenario, employees receive everything they need from their company to perform their work. In this ideal scenario, there is no reason for employees to use alternative software or hardware. In practice, however, several factors can encourage the use of shadow IT:

Inadequate IT Solutions 

Employees would like to use a specific function of a company tool that they expect, for example due to their private use of other similar tools (sharing files / sending links, etc.). However, they discover that the in-house solution does not support the desired function - or only in a very specific way. This is perceived by the employee as unnecessarily complicated and annoying.

Missing Tools 

One team comes to the conclusion that a specific tool (e.g. for project management) is needed. However, such a tool does not exist at company level and is not planned. The team therefore decides to purchase a common tool and work with it in the future in order to optimize internal collaboration - even without the knowledge of their own IT department.

Use of (Private) Tools Without Authorization

An employee uses a cloud service or one of many productivity apps privately. The files they have access to at work are also stored in their cloud. This is linked to their productivity app so that they can also make quick adjustments or record considerations for customer projects outside of work. However, the employee has never received official approval for this individual workflow.

Shadow IT is characterized by the fact that the employees who use these solutions usually do so for supposedly good reasons. They identify real or perceived stumbling blocks in their workflow and look for alternatives to what they see as a disadvantageous status quo. However, good intentions can all too often have negative consequences, especially in the IT sector.

Common Examples of Shadow IT

The transition from a company's approved IT infrastructure to shadow IT is often fluid. Here we present a number of further examples of how easily alternative IT systems can become part of the workflow:

  • Messenger Services
    Instead of using the company's internal communication tool, employees exchange information privately or conveniently via messengers such as WhatsApp, Telegram or Signal. This ranges from text conversations to sending project and customer-related files.

  • Use of Personal Devices (BYOD)
    Because it's so convenient, employees install apps they use for work on their smartphones. However, if there is no central regulation in the form of a “bring-your-own-device” (BYOD) policy, numerous unmanaged devices suddenly have access to company data.

  • Individual Subscriptions
    Individual departments (spontaneously) purchase SaaS services for the implementation of individual projects or activities because they seem appropriate and practical. The simultaneous use of many non-approved SaaS services is particularly widespread in IT.

The Risks of Shadow IT

If employees use software and hardware in the course of their work that IT is not aware of, this can lead to a variety of risk scenarios:

  • Security Risks / Malware
    If employees use unauthorized third-party tools, these may be graphically attractive but technically poorly designed solutions - or directly malware. In any case, the use of such apps/systems poses an indirect or even direct threat to a company's sensitive business data.

  • Compliance Issues / Data Protection
    Legal regulations such as the GDPR stipulate very precisely how personal data is to be stored and processed. Such requirements are (often unknowingly) circumvented by means of shadow IT and many alternative storage locations. However, this constitutes a compliance breach on the part of the company, which in turn can result in high fines.

  • Non-uniform Systems / Licenses
    The more widespread the use of shadow IT in a company, the more “fragmented” its own IT landscape becomes. If five departments use six different tools for overlapping use cases, this can hinder data exchange, make correct licensing more difficult or even prevent uniform backups of critical files.

  • Loss of Transparency
    Due to the large number of systems, tools and apps used internally, it is no longer possible for IT to understand where which data is located and whether it is complete. The longer such a shadow IT exists in parallel, the higher the probability that individual customer-specific information will be located exclusively in this parallel IT. This also makes it more difficult to abolish such structures, as there is a real risk of data loss.

  • Risks for Business Continuity / IT Support
    Naturally, your own IT department is not familiar in detail with technical solutions that are not even officially in use. If errors occur, data needs to be recovered or employees require support with technical issues, IT can only provide limited assistance. This can result in disruptions to operations and even complete loss of data.

From the simple creation of parallel structures to the possibility of data loss due to a cyber attack - the risks associated with shadow IT are sometimes considerable. This is why companies need to identify such processes internally.

How Companies can Recognize Shadow IT

It is in the nature of things that companies find it difficult to assess whether and to what extent shadow IT exists in their own company. However, there are some proven ways to identify it:

  • Use Monitoring Tools
    Companies can use various tools to track data communication in the network. By analyzing network traffic or reviewing log files, it is often possible to uncover which (unauthorized) tools are also being used in the company.

  • Use CASB
    The use of a Cloud Access Security Broker (CASB) is a good way to precisely control which applications should have access to your own cloud. This type of software can be used to allow or block access and categorize and protect company data according to its importance. Key features of a CASB system include basic protection against data loss (data loss prevention / DLP), control of access to and from cloud services and a clear overview of all activities in the network.

  • Talk to Employees
    Many employees are not sufficiently aware of how their actions - even if they are well-intentioned - can damage the company. It therefore always makes sense to actively talk to employees and ask whether certain apps etc. are used for work or linked to Office services. 

    At the same time, there is a risk that employees may not even perceive a certain service/interface as problematic or may overlook/not specify it in a possible list. Consultation with employees is therefore important, but should only be one of several building blocks in the identification of shadow IT.

Involving employees in particular ensures that the measures taken to uncover any shadow IT in the company are not a surveillance measure, but serve the good of the company - and therefore the good of all employees.
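As an added example that is not part of the original article, the following script shows the log-review approach from “Use Monitoring Tools” in practice: it reads constructed web-proxy log lines, compares each destination against a small allowlist of sanctioned SaaS domains (the allow/block idea also behind the CASB passage), and reports unapproved services ranked by data volume. The log format, the allowlist and every sample line are assumptions made for this example.

```python
# Added example (not from the original article): review constructed web-proxy
# log lines and surface cloud services that are not on the sanctioned list.
import re
from collections import defaultdict

# Sanctioned SaaS domains an IT department would maintain (constructed sample).
APPROVED_DOMAINS = {"teams.microsoft.com", "sharepoint.com", "company-crm.example"}

# Constructed proxy log lines: timestamp, user, destination host, bytes sent.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice teams.microsoft.com 4120
2024-03-04T09:13:44Z bob web.whatsapp.com 18220
2024-03-04T09:14:02Z alice contoso.sharepoint.com 990
2024-03-04T09:20:19Z carol drive.example-cloud.net 5242880
2024-03-04T09:21:05Z bob web.whatsapp.com 2048
2024-03-04T09:25:33Z dave app.trello-like.example 7300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def is_approved(host, approved=APPROVED_DOMAINS):
    """True if host equals an approved domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in approved)

def find_unapproved_services(log_text, approved=APPROVED_DOMAINS):
    """Return {host: {"users": set, "requests": int, "bytes": int}} for
    destinations outside the allowlist; lines that do not parse are skipped."""
    findings = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, user, host, nbytes = m.groups()
        if is_approved(host.lower(), approved):
            continue
        entry = findings[host.lower()]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += int(nbytes)
    return dict(findings)

def report(findings):
    """Sort by bytes sent: large uploads to unknown services deserve the first look."""
    lines = []
    for host, e in sorted(findings.items(), key=lambda kv: -kv[1]["bytes"]):
        users = ", ".join(sorted(e["users"]))
        lines.append(f"{host}: {e['requests']} requests, {e['bytes']} bytes, users: {users}")
    return "\n".join(lines)
```

Calling `print(report(find_unapproved_services(SAMPLE_LOG)))` lists the three unapproved destinations, with the large upload to the unknown cloud drive at the top; the resulting host list is the starting point for the employee conversation the article recommends.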

[Figure: Graphical representation of the three phases for preventing shadow IT. Companies have several options for dealing professionally with existing shadow IT. © GFOS Group]

Preventing Shadow IT – Best Practices

After identifying unauthorized software or hardware, the next question is how such an IT parallel structure can be prevented in the company or how it can be brought under control in a meaningful way afterwards:

  • Educate and Raise Awareness among Employees
    As already mentioned, it can be assumed that employees use external tools to the best of their knowledge and belief and are simply not aware of the associated risks. Companies can proactively educate employees about this as part of training courses, data protection workshops or similar processes and thus promote understanding and insight within the workforce.

  • Introduction of Suitable Tools
    A common reason for the emergence of shadow IT is dissatisfaction with existing solutions. Companies should therefore provide user-friendly, flexible and powerful tools that meet the requirements of the specialist departments - such as cloud-based platforms and modern collaboration solutions. Close cooperation between the IT department and specialist departments is crucial here - from needs assessment to implementation.

  • Automated IT Asset Management
    Companies require a comprehensive and regularly updated overview of all IT assets that are in use internally. In addition, the aforementioned CASB can also be used to identify all network activities that deviate from these “approved” activities. These are then logged and even proactively blocked if necessary. In simple terms, this provides the company with a “whitelist” of permitted software and hardware.

  • Act According to the Zero-Trust Principle
    In addition to this “whitelist”, all other applications or IT structures are initially placed on a blanket “blacklist”. According to the zero-trust principle, employees and the apps they use only ever receive the minimum access and authorizations they need for their work. Such strict regulation with stringent access controls effectively prevents “accidental” compliance breaches.

  • Define Clear IT Governance Guidelines
    Reliable governance structures are essential to prevent the formation of shadow IT. This includes binding guidelines on the selection, introduction and use of software as well as defined responsibilities. It must be clear to the IT department and all employees what form of IT structure is permitted in the company and what violates the guidelines. At the same time, these guidelines should be regularly reviewed and adapted if necessary.

Do you want to effectively prevent potential complications caused by parallel IT structures?

You can rely on our professional IT infrastructure consulting and our numerous other competencies in the IT environment.

What Advantages Shadow IT can Offer

As mentioned at the beginning, shadow IT is not the same as malware. Likewise, many IT departments are now of the opinion that a parallel IT structure is not directly negative. 

After all, there are always reasons for using alternative software/hardware - be it the convenience of employees or the actual realization that a shared tool lacks a fundamentally important function, which hinders the workflow of a team.

In the latter example of shadow IT, employees notice a deficit and identify a solution at the same time - even if this solution is not officially legitimized. Nevertheless, these are important impulses from the organization that a future-oriented company should use to its advantage. 

One result could be, for example, that the tool previously used “under the table” is officially added to the list of assets used in the company. Or the use of the application is tolerated - albeit within the framework of strict compliance requirements. In this way, companies can safely minimize the real risks of shadow IT.
