
What Is Shadow IT, and Why Is It So Risky?

LastPass, June 21, 2024

What Is Shadow IT?

Shadow IT is any software, service, device, or hardware used by employees without the knowledge or approval of IT teams. According to recent survey data, 57% of small and midsize businesses have discovered Shadow IT deployments on their network; 76% of SMBs said these deployments posed "moderate to severe" cybersecurity threats. 

In this piece, we'll break down the basics of shadow technology deployments, examine some top risks and challenges, explore potential benefits, and offer practical advice for detecting and managing Shadow IT at scale.  

Understanding Shadow IT

Before companies can effectively manage, monitor, and (if necessary) mitigate the impacts of Shadow IT, they need a solid understanding of what shadow IT is, why it happens, and how it shows up in day-to-day operations. 

Definition of Shadow IT

Shadow IT is the use of any technology not expressly approved and monitored by IT teams. Software-as-a-service (SaaS) solutions are a popular example: Staff frustrated with existing collaboration or connectivity tools may seek out free online alternatives that help streamline their workflow.  

In some cases, they don't consider the impact of outside applications on internal networks or data protection practices and simply forget to inform IT. In other instances, employees purposefully avoid informing IT so they can keep using the application of their choice.

Common causes of Shadow IT  

The primary causes of Shadow IT are the democratization of technology tools and the convenience offered by these solutions. 

Driven in large part by the rapid adoption of cloud and mobile solutions, the democratization of technology has created an application-rich environment that offers a host of options for staff looking to streamline processes or boost productivity. Many of these solutions are designed to improve existing processes or provide particular functions — if approved IT tools don't offer the same benefits, Shadow IT can fill the gap. 

Examples of Shadow IT in organizations

Employees often deploy shadow IT solutions to increase productivity, enhance ease of use, or improve collaboration and communication. 

Increased productivity 

Applications approved by IT may come with cumbersome login or authentication processes, or may not include features and functions that staff need to complete key tasks. Consider a graphic designer given a set of approved tools that work well on desktops but perform poorly (or don't load at all) on laptops or mobile devices. To ensure work gets completed on time, staff may download the apps they need without IT permission. 

Enhanced ease of use 

The rapid rise of consumerized cloud applications such as video and music streaming services, file storage, and social media has made ease of use a top priority for staff. If apps don't work as intended, or if they're needlessly complicated or cumbersome, employees will simply stop using them and download more accessible alternatives. 

This is a common challenge when companies deploy new software solutions, such as CRM or ERP tools. Even if these solutions offer superior functionality, they won't get used if they're more difficult to use than familiar tools.    

Improved collaboration and communication 

If approved tools don't let staff easily connect and communicate about ongoing projects or new concerns, they'll find other applications that enable collaboration. As a result, IT teams can find themselves facing shadow IT environments that span multiple toolsets across multiple departments.  

Risks and Challenges

While Shadow IT offers benefits for employees, it poses significant risks for organizations. Consider a free SaaS solution that helps staff manage file storage. If malicious actors compromise this application, or if the tool itself contains malware, critical business data may be at risk. If IT teams don't know who's using the app or what data has been stored, it can take longer to identify and resolve any security issues.  

Security risks associated with Shadow IT

There are several common security risks associated with Shadow IT, including: 

Compromised efficiency

If apps are compute- or bandwidth-heavy, they may degrade network and system performance across the organization.

Compliance violations

If users share or store data in unauthorized apps, it may violate federal, state, or industry compliance regulations.  

Critical data loss

If Shadow IT apps are compromised by malicious actors, businesses could lose critical financial, operational, or personnel data.  

Compliance and data privacy challenges

Two of the biggest challenges with Shadow IT are compliance and data privacy. This is because shadow apps are often deployed by employees on their personal devices, which are then connected to corporate networks.  

Consider a staff member working remotely who connects with their mobile device and downloads an HR document into an unapproved cloud storage application. If this application is compromised and the data is stolen, businesses may be in violation of data privacy regulations, in turn leading to monetary fines or operational penalties.  

Impact on organizational efficiency and productivity

Shadow IT applications don't exist in a vacuum. Whether downloaded directly onto user devices or only accessed in the cloud, these apps can have significant impacts on network performance, in turn impacting efficiency and productivity. For example, a cloud-based productivity app being used by multiple departments may require large amounts of network bandwidth, in turn reducing the performance of other mission-critical applications.  

Benefits and Opportunities

Employees don't use Shadow IT to cause problems for technology teams. Instead, they're looking for ways to improve efficiency and boost productivity. If they know that IT approval processes take weeks or months — or are worried that their application suggestions will be rejected out of hand — Shadow IT is an appealing alternative.  

Despite its cloak-and-dagger delivery, there are potential benefits and opportunities for companies if they embrace Shadow IT.  

Potential benefits of embracing Shadow IT

Possible benefits of leveraging Shadow IT include improved employee engagement, enhanced visibility, and reduced costs.  

Improved employee engagement  

If staff have access to apps that help them get their jobs done and easily communicate with other employees, they're more likely to be engaged at work.  

Enhanced visibility 

Embracing Shadow IT lets teams open lines of communication with staff. Rather than trying to hide apps or services, employees may ask for help setting up new tools or finding software alternatives. As a result, IT departments gain visibility into exactly what's on their network and how it impacts operations. 

Reduced costs

Trying to chase down IT issues tied to shadow apps can be costly and time-consuming. For example, unknown applications may be causing performance problems with approved services, leading teams to chase symptoms rather than root causes. A full understanding of IT environments helps companies reduce total spend.  

Enabling innovation and agility

Making space for Shadow IT can also help enable innovation and agility. By allowing staff to select applications based on the functions they need rather than on IT approval alone, companies can reduce the time staff spend fighting with apps to perform specific tasks or switching between software solutions to accomplish a single task.

Harnessing employee expertise and creativity

Staff often have creative approaches to solving problems that IT may not have considered. For example, a front-line service staff member might have great ideas for apps that can help improve customer satisfaction. IT teams, meanwhile, may be working from a list of vetted applications that are secure but offer limited functionality. By leveraging employee expertise, teams can evaluate alternative apps. Even if full deployment isn't possible, teams may be able to find a compromise that streamlines tasks without compromising security.  

Detecting and Managing Shadow IT

The nature of Shadow IT makes it difficult to manage. For example, staff may install unapproved applications on their personal devices, and then use these devices at work to store or transfer data. Or, employees may leverage online solutions that don't require download and installation but are instead used in-browser. In both cases, IT teams may not be aware of shadow IT deployments unless staff inadvertently reveal their use or network issues emerge. 

Methods to detect and monitor Shadow IT

There are several ways that companies can detect and monitor Shadow IT. The first is deploying a comprehensive network monitoring solution capable of detecting and reporting on all applications used across corporate networks — not just those approved by IT.

It's also critical to bring employees into the conversation. This starts with security training. IT teams should regularly meet with employees and provide best practices for effective security. These include not using personal devices to send or receive critical information, reporting any potential data breaches or IT threats, and disclosing the use of any unsanctioned technology.

Implementing a Shadow IT policy

To effectively manage Shadow IT, businesses need to create and implement clear-cut policies. Staff need to know what they're permitted to do, what they need to avoid, and what happens if they break the rules. The ideal Shadow IT policy for your organization depends on your current application stack, how many shadow IT apps are in use, and if existing toolsets are getting the job done. 

The first step in creating a Shadow IT policy is discovering what apps are on your network, who's using these applications, and how they impact network performance. With an app inventory in hand, IT teams can evaluate each application individually, weighing both benefits and risks.
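The network-monitoring approach described under "Methods to detect and monitor Shadow IT" and the app-inventory step above both come down to the same job: turn traffic records into a list of applications, who uses them, and how much bandwidth they consume, then separate the sanctioned ones from the rest. The script below is an added illustration, not LastPass code or a real product feature. It assumes a hypothetical web-proxy log format (timestamp, user, destination host, bytes), a constructed sample log, and a constructed sanctioned-app catalogue keyed by registrable domain; it collapses hostnames to their last two labels, which is a simplification that ignores public-suffix rules.

```python
"""Shadow IT discovery over proxy log lines (constructed example, not LastPass code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. Assumed format: <timestamp> <user> <destination host> <bytes>.
# The domains are placeholders under the reserved .example TLD.
SAMPLE_PROXY_LOG = """\
2024-06-21T09:01:12Z alice mail.corp-suite.example 1834
2024-06-21T09:02:40Z bob files.freedrive.example 2097152
2024-06-21T09:03:05Z carol chat.corp-suite.example 512
2024-06-21T09:04:19Z alice api.freedrive.example 4194304
2024-06-21T09:05:00Z dave www.quicknotes.example 8192
this line is malformed and should be skipped
2024-06-21T09:06:33Z bob sync.freedrive.example 1048576
2024-06-21T09:07:48Z erin cdn.corp-suite.example 65536
"""

# Assumed IT-sanctioned catalogue: registrable domain -> application name.
SANCTIONED = {"corp-suite.example": "CorpSuite"}


@dataclass
class AppUsage:
    """Aggregate usage of one application (keyed by registrable domain)."""
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    bytes_total: int = 0
    requests: int = 0


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line: str):
    """Return (user, host, bytes) for a well-formed line, or None for anything else."""
    fields = line.split()
    if len(fields) != 4:
        return None
    _timestamp, user, host, size = fields
    if not size.isdigit():
        return None
    return user, host, int(size)


def build_inventory(log_text: str) -> dict:
    """Aggregate every parsable line into per-domain usage records."""
    inventory = defaultdict(AppUsage)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        user, host, size = rec
        usage = inventory[registrable_domain(host)]
        usage.users.add(user)
        usage.hosts.add(host)
        usage.bytes_total += size
        usage.requests += 1
    return dict(inventory)


def find_shadow_it(inventory: dict, sanctioned: dict = SANCTIONED) -> list:
    """Return (domain, usage) pairs not in the sanctioned catalogue, heaviest first."""
    unsanctioned = {d: u for d, u in inventory.items() if d not in sanctioned}
    return sorted(unsanctioned.items(), key=lambda kv: kv[1].bytes_total, reverse=True)


def report(log_text: str = SAMPLE_PROXY_LOG, sanctioned: dict = SANCTIONED) -> list:
    """One human-readable line per unsanctioned app: volume, users and hosts seen."""
    lines = []
    for domain, usage in find_shadow_it(build_inventory(log_text), sanctioned):
        lines.append(
            f"{domain}: {usage.requests} requests, {usage.bytes_total} bytes, "
            f"users={sorted(usage.users)}, hosts={sorted(usage.hosts)}"
        )
    return lines


if __name__ == "__main__":
    for entry in report():
        print(entry)
```

The output is the starting point for the policy conversation the section describes: each unsanctioned domain arrives with the users involved and the bandwidth it consumes, so IT can talk to the people actually using the tool and judge the performance impact rather than guessing. Real deployments would read proxy, DNS or CASB exports instead of the embedded sample and would use a public-suffix list for domain grouping.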

Equipped with this information, teams should sit down with staff members and draft Shadow IT policies that provide a balance of access and protection. While it may be tempting to implement a full ban on all unapproved solutions, this typically makes the problem worse, not better, since staff will keep using tools that help them get their jobs done but simply not tell IT.  

Instead, businesses are better served by creating policies that encourage staff to bring new app suggestions directly to IT. Technology teams then evaluate these apps for approval. If implementation risks outweigh the benefits, employees and IT should work together to find a middle ground. 

Effective Shadow IT policies should also have several iron-clad rules that help mitigate potential risks. For example, the policy should detail consequences for staff who deploy apps after being told they are too risky. First offenses might come with a reminder and a warning, while second offenses could require additional training. If problems persist, policies should lay out the process for revoking the employee's permissions, issuing a reprimand, and, if the issue cannot be resolved, terminating employment.

Strategies to address and manage Shadow IT risks

Effectively addressing and managing Shadow IT risks requires a combination of processes and people. 

From a process perspective, IT teams need to discover and evaluate all Shadow IT apps and services being used on corporate networks. When it comes to people, IT must consider how Shadow IT policies impact operations day-to-day. While a complete ban on Shadow IT services may initially lower the number of unapproved apps, the volume of unsanctioned services will quickly grow as staff find new ways to avoid detection. 

LastPass Solutions for Shadow IT

LastPass can help companies reduce their Shadow IT risk with secure password management.  

Introduction to LastPass as a secure password management solution

The LastPass password manager does the work of creating, remembering, and filling in passwords. All passwords are stored in an encrypted vault, and LastPass can auto-generate strong passwords for users to avoid the risk of easy-to-guess or reused passwords.  

How LastPass helps organizations mitigate Shadow IT risks

If malicious actors compromise Shadow IT apps — or if the apps themselves are malware masquerading as legitimate tools — attackers could steal login and password data from users, and then use this data to access business networks. With LastPass, all passwords are securely stored and encrypted, and each account can have its own unique generated password, so credentials stolen from one compromised Shadow IT app can't be reused to gain complete network exposure. In addition, LastPass offers Dark Web monitoring to detect the use of stolen credentials.

Integration with existing IT infrastructure and workflows 

LastPass solutions easily integrate with existing IT processes. This means teams don't have to spend time and effort configuring new environments and potentially creating new security risks. Instead, they can seamlessly deploy LastPass solutions to bolster network protection. 

Shining a light on Shadow IT

It's impossible to eliminate Shadow IT. Instead, companies need to take a collaborative approach to managing and mitigating the risks of unapproved applications. 

By working with staff to identify safe applications, creating policies to regulate their deployment, ensuring that employees receive regular training in IT risks, and deploying tools such as secure password storage from LastPass, businesses can shine a light on Shadow IT.  
