Shadow IT is a growing problem for organizations of all sizes. It's the unauthorized use of any digital service or device that is not formally approved and supported by the IT department.
According to Cisco, 80 percent of company employees use shadow IT. Individual employees often adopt shadow IT for their convenience and productivity—they feel they can work more efficiently or effectively using their personal devices and preferred software, instead of the company’s sanctioned IT resources. Some of the most common reasons include:
-
To get around slow or unresponsive corporate IT systems.
-
To access applications or data that are not available on corporate systems.
-
To experiment with new technologies.
-
To avoid IT policies that they find restrictive.
-
To save time or money.
Some of the most common examples of shadow IT include productivity apps like Trello and Asana, cloud storage and file-sharing apps like Dropbox, Google Docs, and Microsoft OneDrive, and communication and messaging apps like Skype, Slack, WhatsApp, Zoom, Signal, and Telegram.
Whatever the reason, shadow IT can pose a serious security risk to organizations. Shadow IT devices and applications are often not subject to the same security controls as corporate systems. This means that they are more vulnerable to attack, and any data stored on them is at risk. In addition, shadow IT can lead to compliance violations and malware infections. Shadow IT is particularly prone to exploitation by hackers. According to Randori's State of Attack Surface Management 2022 report, nearly 7 in 10 organizations have been compromised by shadow IT in 2021.
Shadow IT can pose a number of risks to organizations, including:
-
Data security: Shadow IT devices and applications are often not subject to the same security controls as corporate systems. This means that they are more vulnerable to attack, and any data stored on them is at risk.
-
Compliance violations: Shadow IT can lead to compliance violations, as it can expose sensitive data to unauthorized access. This can result in fines, penalties, and damage to the organization's reputation.
-
Malware infections: Shadow IT devices and applications are more likely to be infected with malware than corporate systems. This can lead to data loss, system outages, and financial losses.
-
Increased costs: Shadow IT can lead to increased costs for organizations, as they may have to pay for additional security measures to protect unauthorized devices and applications.
-
Reduced productivity: Shadow IT can lead to reduced productivity, as employees may be spending time setting up and using unauthorized devices and applications.
What can organizations do mitigate the risks of shadow IT?
Here are a few tips:
-
Create a shadow IT policy. This policy should clearly define what constitutes shadow IT and outline the risks and consequences of using unauthorized devices and applications.
-
Educate employees about shadow IT. Make sure that employees are aware of the risks of shadow IT and the importance of using only authorized devices and applications for work.
-
Implement technology solutions. There are a number of technology solutions that can help organizations to manage shadow IT, such as cloud access security brokers (CASBs) and mobile device management (MDM) solutions.
-
Conduct regular security audits. Security audits can help organizations to identify and address shadow IT risks. By taking these steps, organizations can help to mitigate the risks of shadow IT and protect their data and systems from attack.
But what about the future? Is shadow IT going to go away?
Probably not. In fact, it's likely to continue to grow in the future, as employees become more comfortable using personal devices and cloud-based applications for work. However, organizations can take steps to mitigate the risks of shadow IT by creating a shadow IT policy, educating employees about the risks, and implementing technology solutions. By doing so, organizations can help to protect their data and systems from attack.
So, what does this mean for you?
If you're an employee, it's important to be aware of the risks of shadow IT. If you're an IT professional, it's important to have a plan in place to mitigate the risks of shadow IT. And if you're an organization, it's important to take steps to manage shadow IT and protect your data and systems.
