What is shadow IT?
Shadow IT is the use of apps, devices, and services for work that have not been approved by your organization’s IT department. Shadow IT tools don’t have to be illegal or even malicious, nor do they have to be explicitly banned by your company — they’re merely resources that fall outside the organization’s planned workflow and security measures.
Examples of shadow IT
Shadow IT covers a vast range of software and hardware — if you can bring it to the office or download it to your device, it has the potential to be shadow IT. Some common examples of shadow IT include:
- Productivity apps. Applications like Trello and Asana help your team organize its workload and be more productive. Unfortunately, companies typically designate one single official tool for the entire workforce, which might simply clash with your team’s mojo. In that case, downloading and using another productivity app without first gaining approval from the IT team would count as shadow IT.
- Cloud storage. If you want other people within the organization to have ready access to your work, you need a file sharing solution — typically using storage provided by cloud services like Google Drive or NordLocker. If you upload work data to cloud-based services that have not been approved by your organization (for example, your personal Dropbox account), you’re engaging in shadow IT.
- Document editors. Your organization may want you to use Google Docs for writing so that other people can easily jump in with comments and edits. You may prefer the silence of Microsoft Word or the simplicity of Notepad. In this case, using a document editor other than the one designated by your company counts as shadow IT.
- Communication tools. Skype for Business used to be all the rage for workplace communications a while back. Now it’s Slack. Tomorrow? Who knows. But if you communicate work-related information outside of approved secure channels (for example, by posting it in a Telegram group or sending it from your personal email account), you’re placing that data beyond the reach of the IT team.
- Personal devices. Your work tools come with all kinds of safeguards — use this, download that, don’t go there. Your personal devices? Not so much. Many organizations explicitly prohibit using your personal smartphone, tablet, or laptop to connect to the corporate network (or even check your company email account) because it can lead to a data breach.
Why do employees use shadow IT?
Most employees use shadow IT because it simply helps them work better. Perhaps your team has been successfully using GitHub for project management in the past and doesn’t want to make the jump to the new corporate darling Jira. Maybe you communicate better over Discord than company-mandated Skype for Business.
Sometimes people don’t even realize that what they’re doing amounts to shadow IT. Be honest — did you read the fine print in your company’s IT policy before signing it? Did you know that many employers do not allow you to check work documents on your own phone? The use of unsanctioned personal devices for work purposes is one of the most common instances of shadow IT across the globe.
In all these cases, the reason for using unauthorized tools is not malice — it’s simple preference or habit. As long as you get results, why should it matter that you use Google Docs instead of your company’s Microsoft Word account?
Security risks of shadow IT
Turns out, the fact that you’re using unsanctioned tools can matter a whole lot. Even if your intentions are pure, shadow IT introduces a number of potential security risks to your organization. Here are just a couple of reasons why companies frown heavily upon shadow IT.
No visibility and control
By definition, shadow IT assets are off the company’s radar, which means cybersecurity teams can’t assess them for vulnerabilities, shore up their security, or detect incidents if and when they do happen. The most potent cybersecurity system in the world won’t protect the company’s data if criminals can access it through your jailbroken iPhone.
The security of shadow IT rests entirely with the user, who may not be aware of all the possible angles of attack or how to safely configure the tool for work. The danger may come from something as simple as putting off a critical security update for a day or two, leaving the app or device vulnerable to a major publicized exploit.
Data may be unprotected
Data breaches are expensive — companies spent 4.5 million dollars per data breach on average in the first half of 2023. To avoid these exorbitant costs, IT departments designate where, when, and how employees are allowed to use sensitive data from within the organization in their daily work.
When employees go off the beaten path, they give others a way into this secure ecosystem. These indiscretions may be subtle — for example, you may feed privileged information into ChatGPT to help make a decision, or send confidential files from your personal email address. Once the data is out there, you can’t bring it back into the fold.
No compliance mechanisms
Organizations are often subject to stringent legal requirements when it comes to protecting sensitive data, especially personally identifiable information. The most famous of these requirements come from the General Data Protection Regulation (GDPR), which must be followed by anyone in the world wishing to process the personal data of EU residents.
Here’s the tricky bit — companies may be fined for failing to meet adequate data protection standards even if no data breach occurs. It’s enough that someone in the organization is using an unvetted shadow IT solution to process personal data.
Inconsistency and inefficiency
Shadow IT can be useful on an individual level, but it may be detrimental to the work of the company as a whole. Your preferred tools may cause problems for others or have difficulty playing nice with the organization’s IT infrastructure.
Think about it like this — when you operate off the grid, you’re also not letting others in the organization check or back up your work. Do this long enough, and you’re bound to end up with conflicting entries, miscommunication, and lost data. In some cases, using shadow IT tools may even lead to duplicate work being performed in parallel by different arms of the company.
Shadow IT benefits
It’s not all doom and gloom, however — while shadow IT can be dangerous, it also offers important benefits.
- Faster adoption. Your team can respond to innovations and challenges in the field much faster than your organization’s IT department. New technologies can develop overnight and spread like wildfire, conquering the market before the security assessment is even finished. Having to wait for explicit IT approval in every single case, no matter how minute, would only lead to missed opportunities.
- Experts know best. Your IT department probably doesn’t know much about finance, or graphic design, or copywriting. When it comes to choosing tools, let the people in the field decide because they know best what works and what doesn’t.
- Lower costs. Depending on the company’s procurement policies, your team could be forced to work with a limited budget. In this case, you may be tempted to use popular free alternatives instead of mandated apps (for example, switching from Microsoft Office to the Google Docs Editor Suite) to save the money for other things the team may need.
The secret — managing shadow IT risks
So what’s the best way forward? A complete prohibition against shadow IT to protect company data and streamline work processes? Or total anarchy, with each team ignoring the IT department’s decrees and doing their own thing?
Neither, it turns out. You can have your cake and eat it, too.
The trick is managing systems in a way that allows shadow IT to safely exist on your network. Organizations can implement broad cybersecurity solutions (such as mandating the use of cloud security tools to ensure that employees access company data in a safe manner) to improve data security when using unvetted apps or private devices.
They can also use attack surface management tools to hunt down shadow IT resources on their networks — and then officially bring them into the fold.
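As an added illustration of the discovery step described above (this is example code written for this article, not part of any product it mentions), the script below reads constructed web proxy log lines, skips destinations on an assumed sanctioned-app list, and reports which known SaaS services employees are using without approval, who is using them, and how much data is being uploaded. The log format, the sanctioned list and the service catalogue are all assumptions for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (timestamp user method url bytes); not real traffic.
PROXY_LOG = """\
2024-03-04T09:12:01Z alice GET https://docs.google.com/document/d/abc 5120
2024-03-04T09:13:44Z bob POST https://api.telegram.org/bot/sendDocument 204800
2024-03-04T09:15:02Z alice PUT https://content.dropboxapi.com/2/files/upload 1048576
2024-03-04T09:16:30Z carol POST https://chat.openai.com/backend-api/conversation 8192
2024-03-04T09:17:11Z bob GET https://app.slack.com/client/T1/C2 2048
2024-03-04T09:18:59Z dave POST https://www.dropbox.com/upload 524288
"""

# Services the IT department has approved for work data (assumed for the example).
SANCTIONED = {"docs.google.com", "drive.google.com", "app.slack.com"}

# Catalogue of SaaS domain suffixes the organisation knows about, by category (assumed).
CATALOGUE = {
    "dropbox.com": "cloud storage", "dropboxapi.com": "cloud storage",
    "telegram.org": "messaging", "discord.com": "messaging",
    "openai.com": "generative AI",
}

def classify(host):
    """Return the catalogue category for a host by matching its parent-domain suffixes."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        category = CATALOGUE.get(".".join(parts[i:]))
        if category:
            return category
    return None

def find_shadow_it(log_text):
    """Map each unsanctioned SaaS host to its category, the users seen, and bytes uploaded."""
    report = defaultdict(lambda: {"category": "", "users": set(), "bytes": 0})
    for line in log_text.splitlines():
        _ts, user, method, url, size = line.split()
        host = urlsplit(url).hostname
        if host in SANCTIONED:
            continue
        category = classify(host)
        if category is None:
            continue  # unknown host: not enough evidence here, leave it to the ASM tool
        entry = report[host]
        entry["category"] = category
        entry["users"].add(user)
        if method in ("POST", "PUT"):  # uploads are the data-leakage concern
            entry["bytes"] += int(size)
    return dict(report)
```

The report gives the IT team a starting point for the "bring them into the fold" step: each flagged host names the service category, so a sanctioned alternative can be offered or the service itself vetted and approved.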
Finally, you might want to check out NordLayer, the secure access service edge solution from the developers of NordVPN. NordLayer provides your organization with a comprehensive suite of tools for managing safe access to your network, including a secure VPN, a cloud firewall, and virtual gateways to protect your data traffic.