Years ago, I brought an additional monitor from home into the office. I wanted an additional display without costing the company any money and found that it was much easier to complete my work without having to flip through different tabs and browser windows to reference other information.

A few months went by without incident until the company chief technology officer (CTO) finally noticed I had this monitor on my desk. He pulled me aside and notified me that it was against company policy and posed a security risk.

At the time, I couldn’t understand why it was a security risk, but I complied and took the monitor home. Up until that point I’d never heard of “shadow IT” or any of the risks associated with it. It wasn’t until I began my journey into cybersecurity that I finally understood what the CTO was talking about.

What Is Shadow IT?

Shadow IT (or “stealth IT”) describes any applications ― cloud-based or locally installed ― systems, and devices operating within your business environment that aren’t deployed and controlled by your information technology (IT) department.

This includes:

  • Devices like smartphones, smartwatches, tablets, and PCs
  • Productivity applications like Slack, Asana, Trello, and Basecamp
  • Cloud storage like (Dropbox and Google Drive
  • Physical storage like external hard drives and thumb drives
  • Messaging applications like WhatsApp and Signal

Going back to my earlier example, the monitor I brought into the office was an example of shadow IT. From the perspective of the company, my device wasn’t a risk they were willing to accept. How could they be sure I hadn’t rigged up one of the outlets on the monitor to store sensitive data or inject malicious code into the network?

While this obviously wasn’t the case, these kinds of threats are entirely possible and easy for security teams to overlook. However, such examples are only a fraction of the shadow IT problem. Thanks to the explosion in cloud computing and the widespread use of smart devices, this phenomenon has reached such a point that it’s practically unfeasible for businesses to completely restrict their use.

What Are the Benefits and Risks of Shadow IT?

As with any other technological development, there are pros and cons to this paradigm shift. Whether allowing shadow IT in your organization is beneficial depends on many factors, such as the types of information you handle and the size of your organization in general. These are the benefits and risks of shadow IT.

Shadow IT Benefits

The foremost benefit of shadow IT is the improved productivity associated with teams freely able to adopt devices, applications, and systems as they’re needed. Additionally, the modern workforce is shifting to a “work anywhere” mentality thanks to the onset of the COVID-19 pandemic. This kind of agility is extremely helpful in spurring change where and when it’s needed at a moment’s notice.

The cycle goes a little something like this:

  1. New technology is discovered by the workforce.
  2. Workforce pioneers use technology to improve their own individual productivity.
  3. Teams take notice of productivity improvements.
  4. Team leaders introduce technology to higher-ups and IT teams for evaluation.
  5. Higher-ups approve new technology and bring it under the watchful eye of your IT team.

However, these kinds of cycles can only successfully happen in an organization that encourages innovation and educates its employees on cybersecurity practices when handling company information.

Efficiency is key when it comes to boosting productivity. The most efficient teams are the ones that figure out their own solutions to their problems. Shadow IT allows the workforce to find new technological solutions to everyday problems without dealing with bureaucracy to figure out solutions.

This autonomy cuts down on process-laden slowdowns while also improving workforce morale and sense of ownership. Trust is important when it comes to relationships with your workforce, and more autonomy is a signal to those who work for you that you trust their judgment.

Shadow IT Risks

The most obvious issue with shadow IT is the lack of control and oversight by IT and cybersecurity teams. Unmanaged technology means that your IT and security teams won’t be able to monitor and measure data movements or prevent that information from exfiltration.

As it stands, shadow IT operates on a sort of honor system with your workforce in many ways. You count on the people you work with to honor the company data handling and storage policies you’ve established in exchange for their ability to incorporate this technology into their workflow.

The rise of remote/hybrid work during the COVID-19 pandemic has also blurred the lines between personal and professional technology, especially when it comes to uploading data. Workers use company computers and other technology for personal means, which opens the door for incorrect data handling, whether intentional or unintentional. Cloud tools like Gmail, OneDrive, Dropbox, and Google Drive all present threats of unmanaged uploads of professional data into personal spaces.

This puts your data in a precarious position. Not only will your IT teams not have the ability to monitor the use of shadow IT technology, but they also can’t speak to the quality of the security measures taken by the users and app developers.

There are all kinds of potential security issues with shadow IT, including:

  • Lack of encryption/weak encryption
  • Weak password standards
  • Insufficient security patches
  • No knowledge of the quality of future updates

These kinds of issues increase the likelihood of exploits and breaches that can harm your network and data or expose you to compliance issues. Speaking of compliance violations, what do these risks look like?

Well the lack of control over shadow IT technologies opens your business up to potential violations of the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), and General Data Protection Regulation (GDPR), depending on the size, industry, and operating locations of your business. Most of these compliance regulations deal with how data is handled and/or stored, and a violation of these standards can lead to breaches and fines.

While we’re on the topic of fines, the average fines for a small business range from $36,000 to $50,000, while larger businesses can expect fines upwards of $8.64 million in the United States alone.

In the U.S., the cost per breached record is $242. That’s a lot of money, which is why so many companies try to keep their shadow IT to an absolute minimum and encourage their employees to use vetted and approved channels.

What Is the Future of Shadow IT?

There was a time where it was nearly unacceptable for an organization to allow their staff to bring shadow IT into the work environment. As you can see above, the risks are numerous and potentially costly. But it looks like all of that’s changing very soon.

Many of the risks associated with shadow IT circle around the old way of conducting security. Perimeter-based networking security and intranet data storage are all going the way of the dinosaur in favor of a perimeterless, cloud-based networking and data storage system.

Secure Access Service Edge (SASE) is the answer to this shift and it operates on a perimeterless security architecture that’s context-based, smart, and able to follow you everywhere you go, even outside of your old network.

So, what does this have to do with shadow IT? The introduction and convergence of new technologies such as secure web gateways (SWG), cloud access security brokers (CASBs), and firewall as a service (FWaaS), companies will have more visibility and control over their networks and data, including the unmanaged applications and devices connected to their assets.

These tools provide insight into shadow IT, ensuring it is more visible and secure than ever with the introduction of data policy controls, contextual data use analysis, and new analytics platforms. Now you won’t have to worry about sensitive data moving from approved storage locations to personal applications thanks to the observational technologies provided by SASE. These tools will be able to infer when and where unapproved data moves take place and run that action against the established policies in real-time.

Cybersecurity Is All About Mitigating Risk

Even if you set policies in place regarding shadow IT, as it currently stands there’s always the chance of some device or application slipping through the cracks. The best you can do for your organization is mitigate the risks of shadow IT by educating your employees on cybersecurity best practices, establishing data handling guidelines, and employing all kinds of security tools, from virtual private network (VPN) services to antimalware software to protect yourself.

On that note, you can count on Digital.com to provide the most up-to-date resources, reviews, and guides to help mitigate the risks of shadow IT as well as other security threats. Be sure to check out our countless guides to make sure you’re making the right security choices the first time.

Related Software and Services