
Shadow IT

Shadow IT represents the hidden side of cyber security where employees use software, hardware, or cloud services behind the scenes, without IT’s approval, inadvertently paving the way for cybercriminals.

What is shadow IT in cyber security?

Shadow IT in cyber security is something most employees have come across or have at least been tempted to try. It’s the use of unauthorized software, hardware, or IT resources within an enterprise network.

This practice is similar to using secret passages in a castle. Regardless of how complex the castle’s layout is and how many guards protect its doors, if someone on the inside opens unknown passages to outside enemies without the guards’ knowledge, the guards can’t protect the castle effectively. An organization is similar to a castle, with the IT team as its guards. When employees use shadow IT, they bypass the security protocols intended to protect the system and give attackers an entry point that is unsupervised and unprotected by its guards – the IT team.

As people become more tech-savvy, shadow IT becomes a growing problem for organizations. Gartner predicts that by 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility, up from 41% in 2022. However, unlike most cyber security risks, which stem from the malicious intentions of hackers, shadow IT comes from the inside, from employees who intend to do good for the organization. As well-intentioned as it may be, shadow IT leaves organizations vulnerable to security breaches, data leaks, and unauthorized access.


Main causes: Why shadow IT happens

The phrase “work smarter, not harder” is perhaps the origin of shadow IT. Why? Because in an effort to be more efficient, employees unsuspectingly rely on shadow IT tools they download and install themselves. They often find unofficial tools that work better or help more than IT-approved ones and use them to complete their tasks more easily. And while they may think they have found the key to productivity, they are also giving hackers the gateway they need to gain unauthorized access to their organization’s systems.

You may wonder why someone would not request approval for such applications to comply with the company’s policies. What usually happens, especially in large organizations, is that the approval process for a new app is so lengthy and cumbersome that employees do not get answers fast enough. As a result, they may take it upon themselves to find a faster, more efficient way of getting things done without getting stuck in the administrative process.

As remote work increases, more employees rely on personal devices that may contain unauthorized software. If the IT department is unaware that someone is using unauthorized software, it can’t protect the user’s device and systems from attacks, putting the entire organization at risk of a hack. Similarly, Bring Your Own Device (BYOD) policies give attackers a chance to compromise a system that is easier to hack, such as a personal device, and then use that foothold to reach the company’s more secure network.

Types of shadow IT

Shadow IT comes in many shapes and forms. It’s not only downloading an unknown app or add-on; it can also be something as innocent as connecting a smartwatch to a smartphone that is itself connected to your organization’s network. Here are some common types of shadow IT and how they can grant access to a network.


Cloud services

Cloud services are the most common type of shadow IT. They may seem like an innocent way to collaborate with the team or share files between departments, but they can pose significant risks to the organization. Some of the most common cloud services used as shadow IT include file storage and sharing services such as Dropbox, Google Drive, and OneDrive, and other SaaS applications such as Zoom, Shopify, Salesforce, and Zendesk.

Hardware

Aside from personal laptops, tablets, and computers, other shadow IT examples include IoT devices, USB drives, smartwatches, servers, smartphones, and even speakerphones. When you bring a personal device to work, your account settings may automatically connect it to the organization’s network. These devices typically don’t have the proper security controls installed, nor does the IT department monitor them, so attackers have an easy gateway to the entire network through them.

Shadow software

Utilities like password managers, VPN clients, remote access apps like TeamViewer and AnyDesk, and messaging apps like WhatsApp and Telegram pose a threat to the system when they are installed without the responsible IT professionals’ involvement. Collaboration tools like Slack, Trello, and Asana can also be an entry point for attackers if not approved by the IT department.


The IT team doesn’t get a free pass when it comes to shadow IT, either. While IT staff are less likely to use something that can harm the organization, shadow IT in their hands may pose an even greater risk because IT professionals have privileged access to important resources. Nor is shadow software limited to off-the-shelf software developed by a third-party organization: IT professionals have the knowledge to develop new software themselves, which is a very valuable skill but can also put the organization at risk if the in-house software is not approved by the security team.

OAuth protocol

A frequent form of shadow IT is users granting extensive OAuth permissions to third-party applications. OAuth is a helpful intermediary because it allows applications to access user data without the user sharing their credentials. However, accepting all those pop-ups asking you to connect or authorize access to other apps allows third-party applications to collect and store your data. Such actions, often taken without realizing the implications, can unintentionally expose sensitive organizational data or breach data protection and privacy regulations like GDPR.
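As an added illustration, not part of the article, of how a security team can review the kind of broad OAuth grants described above: the snippet scores a constructed export of consent grants by the scopes they carry, whether the app’s publisher is verified, and how many users consented. The record layout, the scope watchlist and the scoring weights are assumptions.

```python
"""Audit OAuth consent grants for over-broad third-party access.
Added example, not from the article; assumes a simplified export of a tenant's
consent grants (app, publisher verified?, scopes, consenting users). Records are constructed."""
from dataclasses import dataclass

# Assumed watchlist of scopes that give an app broad or persistent access;
# names are modelled on common Microsoft Graph / Google API scopes.
HIGH_RISK_SCOPES = frozenset({
    "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All",
    "offline_access", "https://www.googleapis.com/auth/drive",
})

@dataclass(frozen=True)
class ConsentGrant:
    app: str
    publisher_verified: bool
    scopes: frozenset
    users: int

def risk_score(grant):
    """3 points per high-risk scope, +2 for an unverified publisher,
    +1 when ten or more users consented (wider blast radius)."""
    score = 3 * len(grant.scopes & HIGH_RISK_SCOPES)
    if not grant.publisher_verified:
        score += 2
    if grant.users >= 10:
        score += 1
    return score

def flag_risky_grants(grants, threshold=4):
    """Return (app, score) pairs at or above the threshold, riskiest first."""
    scored = [(g.app, risk_score(g)) for g in grants]
    return sorted((s for s in scored if s[1] >= threshold),
                  key=lambda s: s[1], reverse=True)

# Constructed sample export of consent grants.
SAMPLE_GRANTS = [
    ConsentGrant("Team Calendar Sync", True, frozenset({"Calendars.Read", "User.Read"}), 40),
    ConsentGrant("PDF Merge Helper", False,
                 frozenset({"Files.ReadWrite.All", "offline_access", "User.Read"}), 3),
    ConsentGrant("Mail Summarizer AI", False, frozenset({"Mail.ReadWrite", "offline_access"}), 12),
    ConsentGrant("Drive Backup", True, frozenset({"https://www.googleapis.com/auth/drive"}), 5),
]

if __name__ == "__main__":
    for app, score in flag_risky_grants(SAMPLE_GRANTS):
        print(f"{score:2d}  {app}")
```

The two flagged apps are the ones combining persistent access (offline_access) with write access to mail or files from an unverified publisher; the verified calendar app with read-only scopes stays below the threshold despite its forty users.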

While OAuth grants and other types of shadow IT pose obvious dangers to your organization, we cannot ignore that they can sometimes be a starting point for employees finding new and better ways of doing their work, making them feel more empowered and improving problem-solving. Some shadow IT may also benefit the organization as a whole and enhance productivity in different sectors. However, when it’s not supervised by knowledgeable IT professionals, the risks of shadow IT can outweigh its benefits.

What are the risks of shadow IT?

Shadow IT is basically an invitation for hacks. Regardless of how robust and strict cyber rules are within an organization, attackers will take advantage of even the slightest opportunity to gain unauthorized access to the organization’s network. Once they do, the consequences of the attack can be serious. Some of the risks of shadow IT include the following:

  • Lack of oversight and control: When the IT department is unaware of the use of shadow IT, they cannot enforce security policies, monitor threats, or identify potential vulnerabilities, putting data and systems at risk. 
  • Data loss: Unauthorized software doesn’t have the correct security measures to protect against attacks, making sensitive data easier to access and vulnerable to data loss or leakage. Moreover, if the data from shadow IT assets gets lost, it won’t be accessible through the company’s backup.
  • Outdated information: Shadow IT assets lack centralized control, so they may allow you to work on data that has not been corrected or updated by the organization.
  • Increased attack surface: Every shadow IT hardware or software provides a potential entry point for cybercriminals, increasing the possibilities of suffering a cyberattack.  
  • Compatibility problems: Shadow IT can create compatibility issues with the current systems and organization’s IT infrastructure. The lack of integration with the rest of the systems can result in gaps in security controls, making it difficult to respond effectively to security incidents or vulnerabilities. 
  • Compliance issues: By relying on unauthorized hardware and software, employees and organizations may unintentionally violate data protection, privacy, GDPR, or other regulatory requirements, resulting in legal and reputational consequences.
  • Financial expenses: When employees use shadow IT, they may rely on solutions the company is already using (same or similar ones), duplicating the expenses for the company. Additionally, if an actual attack happens due to the use of shadow IT, the organization must spend extra time and resources to handle the crisis.  
  • Inefficient resource allocation: The use of shadow IT software and hardware complicates the process of sharing information between departments, resulting in productivity losses and decreased efficiency.

How AI adoption fuels the growth of shadow IT

With AI becoming increasingly popular, the concern about shadow IT becomes even more pressing. To find more time-efficient and creative solutions, both employees and management experiment with various AI tools. When this happens without the knowledge or permission of the IT team, it puts the entire network and its data at risk.

AI is a new topic for everyone, including IT professionals, so there aren’t many established protocols for implementing it. And AI often develops faster than IT administration can keep up with, so many organizations are left unprotected against suspicious and unreliable AI tools. This has caused many organizations to ban the use of AI, which often has the opposite effect, as employees look for new and riskier ways of incorporating AI into their work. Plus, banning AI makes organizations lose all the potential benefits it can bring.

To reach a middle ground, organizations should find ways to allow employees to use AI tools that will improve their productivity while providing a safe-to-use alternative. This can be done in several ways, which we cover below.

How to prevent shadow IT

Most shadow IT use is not malicious and is intended to improve work efficiency. While it can put the organization at risk of unauthorized access, chastising employees who try to find better ways to do their work can result in stagnation and an unwillingness to grow and improve. In fact, curious employees who are looking for ways to be more productive should be encouraged to do so, but only with proper guidance from the IT team.

Below are several ways organizations can mitigate the risk of shadow IT while encouraging innovation.  

  • Understand user needs: By understanding what employees need, IT teams can provide better solutions and reduce the motivation for shadow IT. Why are employees turning to unapproved assets? What do the current tools lack?
  • Update IT policies: Lenient and welcoming IT policies combined with employee education are the ideal way to encourage innovation while minimizing the risks of shadow IT use. Organizations need to have clear policies and provide guidance about how employees can request new tech and include it in their everyday work without the risk that comes with shadow IT.
  • Create a “fast-track” project type: Aside from IT policies for regular inclusion of new software and hardware, it’s a good idea to have an alternative path with a streamlined process. This way, employees will have proper IT guidance for including different tools in their work without having to do it at their own risk.
  • Implement a CASB: A Cloud Access Security Broker (CASB) is a cloud-based tool that sits between users and their cloud service to ensure the exchange meets the organization’s cybersecurity policies. It can also provide data protection policies, monitor users, and identify unusual activities.
  • Scan expense reports: Security leaders can oversee the activities in an organization and cooperate with the finance department to scan expense reports and other documents to spot spending related to shadow IT. This is especially useful in uncovering shadow IT since it helps discover reimbursement requests for tech spending that is too small to go through the procurement process.
  • Provide employee awareness training: Employees are often unaware of the risks associated with shadow IT and need specialized training about the importance of adhering to approved technology practices.
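An added example, not part of the article, of the expense-report check described in the list above: it aggregates sub-threshold charges to watchlisted SaaS vendors so that a small recurring subscription, or one paid for by several employees, stands out for review. The CSV layout, vendor list and procurement threshold are assumptions, and the expense lines are constructed.

```python
"""Scan an expense export for small, reimbursed SaaS charges that bypassed procurement.
Added example, not from the article; the CSV layout, vendor watchlist and
procurement threshold are assumptions, and the expense lines are constructed."""
import csv
import io
from collections import defaultdict

# Assumed: single purchases below this amount are reimbursed without
# procurement review, so shadow IT subscriptions tend to sit under it.
PROCUREMENT_THRESHOLD_CENTS = 50_000
# Assumed vendor watchlist (lower-case substrings), seeded from the tools
# the article names as common shadow IT.
SAAS_VENDORS = ("dropbox", "google drive", "onedrive", "zoom", "slack",
                "trello", "asana", "teamviewer", "anydesk")

# Constructed sample expense export.
EXPENSE_CSV = """employee,vendor,amount,memo
alice,Dropbox Plus,11.99,cloud storage for client files
bob,Zoom Video,14.99,monthly pro plan
alice,Dropbox Plus,11.99,cloud storage for client files
carol,Trello,10.00,board power-up
dave,Office Depot,42.50,printer paper
erin,Zoom Video,14.99,webinar add-on
frank,Zoom Video,1200.00,annual enterprise licence
"""

def scan_expenses(csv_text, threshold_cents=PROCUREMENT_THRESHOLD_CENTS):
    """Aggregate sub-threshold charges to watchlisted vendors.
    Returns {vendor: {"employees": set, "total_cents": int, "lines": int}}."""
    hits = defaultdict(lambda: {"employees": set(), "total_cents": 0, "lines": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        cents = round(float(row["amount"]) * 100)  # integer cents avoid float drift
        if cents >= threshold_cents:
            continue  # large enough to have gone through procurement
        if not any(v in row["vendor"].lower() for v in SAAS_VENDORS):
            continue
        hit = hits[row["vendor"]]
        hit["employees"].add(row["employee"])
        hit["total_cents"] += cents
        hit["lines"] += 1
    return dict(hits)

def shared_tools(hits, min_employees=2):
    """Vendors paid for by several employees: a sign a tool spread informally."""
    return sorted(v for v, h in hits.items() if len(h["employees"]) >= min_employees)

if __name__ == "__main__":
    found = scan_expenses(EXPENSE_CSV)
    print(shared_tools(found), {v: h["total_cents"] for v, h in found.items()})
```

The 1,200.00 Zoom licence is deliberately skipped: it is above the threshold and therefore already visible to procurement, while the two small Zoom charges from different employees are what the finance review is meant to surface.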

How SoSafe can help companies manage the risk of shadow IT

In an era of rapid technological change, organizations must understand the importance of shadow IT and how it impacts their day-to-day work. Organizations should find ways of supporting creativity and exploration while protecting their resources. Developing a well-made shadow IT policy and keeping the communication flow open between your employees and the cyber security team, coupled with continuous and relevant training, will lead them to make more secure choices.

SoSafe’s Awareness Training Platform includes a comprehensive shadow IT e-learning module that can give your employees the knowledge and tools to protect your organization from unwanted access. Through interactive learning and gamification, your employees will learn to detect and prevent the unauthorized use of software, hardware, and applications and the consequences of using them. Upon completion, users will know where to find reliable software and hardware and how to use it without compromising your company’s resources.  

Implementing the right awareness training methods will ultimately safeguard your data, ensure consistency across different departments, and avoid compatibility issues. Your strongest line of defense, your employees, will feel empowered and encouraged to explore the novelties of the online world while meeting all safety standards upheld by your organization.  
