What is Shadow IT - And How You Can Control It

By Corey Shields | September 13, 2021
Corey is the Digital Marketing Manager at Ntiva, and brings with him over a decade of working in the information technology and services industry.

In the past, IT departments were able to control almost all technology decisions, along with who was allowed to use what application or service.

But then came the cloud. And mobile devices. And users discovered that in many cases, it was a lot faster and easier to download their own applications and services, as opposed to waiting for their IT department to source, implement and approve the latest and greatest.

The shadow IT phenomenon was born.

What Is Shadow IT?

Shadow IT is the use of Information Technology-related hardware, software, infrastructure or services by an individual, team or department within an organization without the knowledge of the IT department or security group within the organization.

Shadow IT is also called underground IT, rogue IT, embedded IT, fake IT, stealth IT, feral IT and client IT.




What Are Some Examples of Shadow IT?

Shadow IT comes in a variety of flavors, many of them enabled by the rise in cloud computing and personal devices.

Shadow IT Example 1: Hardware

An employee is frequently on the road, visiting clients and having to work from remote locations. The company-supplied laptop is old and slow. The employee owns a newer, faster laptop, and uses this personal device to conduct company business without the knowledge or permission of the company IT department.

Shadow IT Example 2: Software

A small team spends a lot of its time on video conference calls. These calls are typically frustrating because the video conferencing software that the company supplies doesn’t have a chat feature, doesn’t record to the cloud and the audio quality isn’t the best. During a call, they decide to get around these shortcomings by signing up for a better video conferencing tool … but they don’t think to let IT know.

Shadow IT Example 3: Infrastructure

A software development team is under pressure to launch a product within two months. They cannot wait weeks for their IT department to supply the servers, networking equipment and IT services, so they sign a contract with a cloud services provider, who has them up and running in hours.

Shadow IT Example 4: Services

An employee wants to be accessible to suppliers 24/7, so he gives them his personal email address and adds them to the chat application on his phone, where they exchange and discuss quotes, bids and technical documentation outside of business hours.

Roughly 80% of workers admit to using unsanctioned applications at work without IT approval (Source: McAfee).

As you can imagine, these outside solutions can cause significant issues with security, performance and even operations. But before we dive into the repercussions of shadow IT, let’s look at its causes.


What Causes Shadow IT?

Shadow IT is a complex problem that has multiple causes. Some of these causes are related to technology, and others are related to policies and procedures. Here are the top reasons that individuals, teams and departments look for IT solutions outside of their IT department.

IT takes too long to approve requests: Business moves at a blistering pace these days, and individuals and teams with crushing deadlines won’t wait for IT departments that take too long to process and approve requests for hardware, software and IT services.

Current IT resources are inadequate: When the computers and software applications that IT supplies are unreliable, slow, or unable to handle today’s business tasks, employees look elsewhere for their own solutions.

Current applications are too complex: Some employees have been spoiled by the seamless experiences they enjoy when using popular consumer platforms, such as Netflix, Uber and Airbnb. When they are required to use corporate apps that are complex and anything but intuitive, and when they discover that free consumer apps do the job just as well—but faster and more easily—they switch (without telling anyone).

Outside stakeholders are using incompatible technology: Employees need to have a seamless experience when sharing files with prospects, clients, vendors and suppliers. If any of these outside groups are using a technology that the employee is not allowed to use for work (a popular messaging app, for example), then the employee will feel pressured to use the app anyway.



What Are the Business Risks of Shadow IT?


Shadow IT poses a number of risks to businesses large and small.

  • Shadow IT compromises security: Each unsanctioned device or application removes an important layer of the security blanket and increases the risk of compromise. This is even more important in highly regulated industries. For example, what if a fired employee is not removed from a team’s group chat until weeks after they’ve gone to work for a competitor?

  • Shadow IT compromises compliance: Your organization is subject to regulations that govern the collection, storage, transmission and use of sensitive data. These regulations set minimum standards for any hardware or software that handles this data. Employees who use shadow IT resources risk putting your organization out of compliance with these regulations.

  • Shadow IT hinders configuration & patch management: Your IT department has a configuration management database that it uses to ensure that all corporate devices are configured correctly and kept up to date. Shadow IT introduces hardware and applications to corporate networks that your IT department is unaware of, and therefore cannot manage.

  • Shadow IT compromises data recovery: Shadow IT resources, by definition, are not included in your organization’s backup and recovery strategy. Sensitive data stored on shadow IT devices is never backed up. In the event of theft or disaster, that sensitive data gets lost.

  • Shadow IT disrupts productivity: Is the updated file from the client located in your company’s own data files? Or is it in an employee’s personal email attachments? Or perhaps it’s in a text message…somewhere. Shadow IT makes it more difficult to keep track of files, which can result in bottlenecks and frustration.


How Should You Control Shadow IT?

Shadow IT is hard to eliminate.

But it is something that you can reduce and even control.

Your natural instinct might be to clamp down completely on shadow IT. But remember that shadow IT is often a symptom of unmet needs. So, instead of blocking employees from using external hardware and apps, conduct an audit first to find out who is using what—and why.

You’ll likely find duplicated technologies, cybersecurity risks, inefficiencies, and an overall loss of a strategic IT roadmap. This discovery can be a blessing, helping you identify where the most urgent pain points are for users … and where your IT roadmap needs to get back on track.

From there, your organization can set some priorities. For example, shadow IT might be permitted for personal productivity tools such as calendars or video call platforms (as long as no files are shared), but not for mission-critical applications or services. Or, you may decide to clamp down on shadow IT altogether.

Either way, consider the following best practices for reducing the odds of employees going rogue with their IT:

  • Reduce evaluation times for new technology requests
  • Embrace the cloud to speed up implementation time and reduce costs
  • Stay ahead of the latest tech developments to better understand what employees want
  • Create a partnership with business units outside of the IT department
  • Create and get agreement on the right shadow IT policy for your company
  • Reinforce what your organization will not tolerate


Do You Have a Shadow IT Policy?

You can establish the ground rules for shadow IT in your company with this ready-made policy from Tech Pro Research. This policy provides guidance on when shadow IT can be permissible, outlines restrictions that could apply and defines employee and IT department responsibilities. While it might not be the perfect fit for every organization, it’s a great template for you to use to make your own custom policy.

Want a policy that’s more closely aligned with your company’s specific needs? Contact us and we’ll be happy to help you figure out the best way to manage shadow IT in your specific situation.

If your organization is seeing an unacceptable rise in shadow IT because your IT department lacks the resources to meet your users’ needs, consider outsourcing part or all of your IT function to a managed service provider like Ntiva. We take the burden of managing your business technology services off your shoulders.

Employees have more IT choices than ever before. But by communicating openly with employees about the risks, listening to their needs and then finding ways to meet those needs, your organization can take employee IT out of the shadows and into a more secure state.



Tags: Cybersecurity