What Is Shadow IT, and Why Is It Such a Problem?

March 24, 2023 • Zachary Amos


Cybersecurity threats can come from anywhere. Hackers and other cybercriminals may take the spotlight, but vulnerabilities can come from inside, too, and not just from malicious insiders. As the growing shadow IT trend reveals, even well-meaning, good employees can put their organizations at risk.

What Is Shadow IT?

Shadow IT refers to any hardware or software employees use that IT or security teams don’t know about. Any device, app or service people use for work without informing or getting approval from the IT department falls into this category.

Most of the time, these tools aren’t inherently dangerous. They’re often things like productivity apps or messaging platforms that the company may approve if it knew about them. Similarly, people normally don’t use them specifically to break the rules. It’s often a matter of convenience.

Shadow IT isn’t a new phenomenon, but it’s become more common with the rise of software-as-a-service (SaaS) and remote work. Organizations today use 110 different SaaS apps on average, and IT departments say that keeping track of everything people use is a challenge amid this trend.

Where Does Shadow IT Come From?

In many cases, shadow IT comes from employees trying to find an easier or faster way to do their jobs. If you don’t like a tool your company uses, it’s fairly easy to download and use an alternative you like more. Slow, complicated or limited-use apps can be frustrating, so when employees encounter them, many start using a different app instead to make work less stressful.

The rise of remote work has helped shadow IT grow, too. Many companies now let people work from home because they’re often more productive that way, but it’s harder to monitor remote employees. When you’re working from home on a personal device, it’s easier to use unsanctioned hardware or software without anyone knowing.

Security Risks of Shadow IT

Despite these employees’ good intentions, shadow IT presents a significant security risk. Some apps may carry serious security vulnerabilities or malicious code. Even if these tools are free of malware or other dangers, you can’t secure what you don’t know about.

Unsanctioned apps could access sensitive data or act as a gateway to more mission-critical systems without IT teams realizing it. They may also be incompatible with the security tools the company uses, leaving them vulnerable to attack. If security teams don’t know about them, they can’t enforce things like updates and backups, either.

These programs or devices could also use up network bandwidth that other, approved tools need. That would make it harder for everyone else, including security workers, to perform their jobs.

What Can You Do to Stay Safe?

The first step to protecting against shadow IT is to address why employees use it. Company leaders should talk with workers to see what they need and if any current tools make their jobs unnecessarily hard. They can then adjust to make workflows and apps more convenient. When it’s easy to do your job with the tools provided, there’s no reason to look for alternatives.

IT teams can also use automated cybersecurity tools to discover new devices and software on company networks. As they uncover shadow IT, they can take the necessary steps to secure it. 
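
One way such automated discovery can work, shown as an added example that is not from the original article: the Python code below scans web-proxy log lines and reports destinations that are not on a sanctioned-app allowlist, along with who used them and how much data was uploaded. The log format (timestamp, user, host, bytes uploaded), the allowlist and all domain names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed allowlist of sanctioned SaaS domains (assumption for this example).
SANCTIONED = {"officesuite.example", "corp-chat.example"}

# Constructed proxy log lines: timestamp,user,destination_host,bytes_uploaded
SAMPLE_LOG = """\
2023-03-20T09:01:12Z,alice,mail.officesuite.example,18234
2023-03-20T09:03:40Z,bob,app.quicknotes.example,5120
2023-03-20T09:04:02Z,carol,app.quicknotes.example,2048
2023-03-20T09:07:55Z,bob,upload.filedrop.example,7340032
2023-03-20T09:08:10Z,dave,corp-chat.example,900
2023-03-20T09:09:30Z,alice,notcorp-chat.example,300
malformed line without enough fields
"""


def is_sanctioned(host, allowlist):
    """True if host is an allowlisted domain or a subdomain of one.

    Matching on the dot boundary keeps lookalikes such as
    notcorp-chat.example from passing as corp-chat.example.
    """
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def find_unsanctioned(log_text, allowlist):
    """Group traffic to non-allowlisted hosts, ranked by bytes uploaded."""
    seen = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or not row[3].strip().isdigit():
            continue  # skip malformed lines instead of aborting the scan
        _ts, user, host, sent = (field.strip() for field in row)
        if is_sanctioned(host, allowlist):
            continue
        entry = seen[host.lower().rstrip(".")]
        entry["users"].add(user)
        entry["bytes_out"] += int(sent)
        entry["requests"] += 1
    return sorted(seen.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    for host, stats in find_unsanctioned(SAMPLE_LOG, SANCTIONED):
        print(host, sorted(stats["users"]), stats["bytes_out"], stats["requests"])
```

Ranking by uploaded bytes puts the destinations most likely to hold company data at the top of the review list, and the per-host user set shows who to talk to about why the tool is needed.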

In some cases, the most secure thing to do is to remove and ban these apps or devices from company servers. But in others, you may want to incorporate them into normal, sanctioned operations. If the tool has no inherent vulnerabilities, it may be best to adjust the organization’s security infrastructure to include it. Let workers keep using it, but secure it so they can do so safely.

Security Needs Visibility

If you want to be fully secure, you need to know what’s on your network. Emphasizing network transparency will help uncover shadow IT and related risks, making it easier to patch vulnerabilities and stay safe.

Unknown and unsanctioned IT tools can present major risks, but they also show where the company can improve. If you can adapt to workers’ needs and make things more convenient for them, you can ensure they work safely.