Shadow IT is the use of IT software, devices, systems, or applications by departments or individuals within an organization without the explicit consent or knowledge of that organization’s IT department. The use of shadow IT applications has grown considerably in recent years, primarily due to the proliferation of remote work and usage of cloud-based services and applications. While shadow IT can accelerate productivity and innovation, it can also introduce serious security risks and compliance issues, especially when data is stored in places IT isn’t aware of.
Examples of Shadow IT Applications and Activities
Any application used for business purposes without involving the organization’s IT department can be considered a shadow IT application.
Shadow IT applications fall into four major categories:
- Cloud-based applications that users access directly via the corporate network.
- Cloud-based applications that users access via SaaS applications like Microsoft Office 365 or Google Workspace.
- Off-the-shelf software purchased by a department or end user and loaded onto the system (now less common).
- Custom-developed software running on an individual’s corporate laptop.
Examples of shadow IT activities include:
- The downloading and unauthorized use of workflow or productivity apps such as Trello or Asana.
- The creation and use of cloud workloads set up through personal or department accounts or credentials.
- Unauthorized purchase or use of third-party SaaS applications or other cloud service subscriptions that the organization’s IT department does not monitor.
- Using personal messaging platforms or communication applications such as WhatsApp or Signal for work-related communication.
- Using personal email accounts to conduct business.
- Unauthorized bring your own device (BYOD).
Shadow IT Risks
It is difficult, if not impossible, to secure your data when employees store it in locations outside your company's control. Your IT department also can’t know which of your company’s customer data is at risk, or how much, if it doesn't know where that data lives.
Accordingly, the main security risks of shadow IT are:
Data loss
Since your company can’t access data stored in personal accounts or on personal laptops, it will lose that data when the employee leaves or is let go. Also, since data in those personal accounts isn’t subject to corporate policies and procedures, it may not be properly backed up, archived, or encrypted per company policy.
Decreased visibility and control
Shadow IT presents serious issues with visibility and control for the same reason it presents a serious data loss risk: you can’t secure what you can’t see. Increased use of self-provisioning may accelerate productivity and onboarding, but it also decentralizes resource provisioning, leaving IT unable to tell what is running, who is using it, and where. The result is either no single reliable source of truth for data, or one that is compromised or incomplete.
Increased vulnerability to cyberattacks
Every instance of shadow IT expands an organization’s attack surface, and since shadow IT applications aren’t visible to IT, they also aren’t protected by the company’s cybersecurity solutions. Further, users of shadow IT applications often use weak credentials and passwords that cybercriminals can easily exploit to gain access to a corporate network.
Increased costs due to non-compliance
Shadow IT often introduces indirect costs to an organization in the form of regulatory fines and penalties, in addition to reputational harm in the case of a data breach. Also, while some employees may turn to shadow IT as a way to reduce costs, the long-term use of shadow IT applications and services, such as data storage, often isn’t cost-effective at scale.
How to Manage and Mitigate Shadow IT Risks
What’s the main cause of shadow IT?
Employees not having what they need to do their jobs as well as they can.
Accordingly, as shadow IT instances proliferate, the responsibility for managing and mitigating them lies with the people responsible for making sure employees have access to all the tools, resources, and services they need to do their jobs well.
To mitigate shadow IT risks, organizations can:
- Train employees on the safe and proper use of all tools and technologies
- Enforce rules and protocols around provisioning for new services
- Highlight and constantly reinforce (through videos, training, etc.) company policies around security and compliance
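The visibility problem described above (you can’t secure what you can’t see) has a practical starting point the page does not spell out: most shadow SaaS still leaves a trail in the web proxy or secure web gateway logs, and comparing the domains in those logs against a list of sanctioned services surfaces the unknowns. The following is an added example, not code from the original page or from Pure Storage. It assumes a simplified, constructed proxy log format (timestamp, user, method, URL, status, bytes sent) and a hand-written allowlist of sanctioned domains; a real deployment would read exports from its proxy or CASB and maintain the allowlist alongside its service catalogue.

```python
"""Discover candidate shadow-IT SaaS usage from web-proxy logs.

Added example, not part of the original page. The log format, sample
lines and allowlist below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: "<timestamp> <user> <method> <url> <status> <bytes_out>".
# One line is deliberately malformed to show that the parser skips it.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:01:12Z alice GET https://outlook.office365.com/mail/inbox 200 512
2024-05-01T09:02:40Z alice POST https://api.trello.com/1/cards 200 2048
2024-05-01T09:03:05Z bob PUT https://www.dropbox.com/upload 200 10485760
2024-05-01T09:04:22Z carol GET https://docs.google.com/document/d/abc 200 300
2024-05-01T09:05:10Z bob POST https://api.trello.com/1/boards 200 1024
this line is not a valid log entry
2024-05-01T09:06:33Z dave POST https://web.whatsapp.com/send 200 4096
2024-05-01T09:07:01Z alice GET https://teams.microsoft.com/ 200 256
"""

# Constructed allowlist of sanctioned services, keyed by registrable domain.
SANCTIONED_DOMAINS = {
    "office365.com": "Microsoft 365",
    "microsoft.com": "Microsoft 365",
    "google.com": "Google Workspace",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


def parse_proxy_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for the example only: production code should use the Public
    Suffix List, otherwise hosts like example.co.uk collapse to "co.uk".
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_unsanctioned(log_text, sanctioned):
    """Aggregate requests to domains that are not on the sanctioned allowlist."""
    findings = defaultdict(
        lambda: {"users": set(), "requests": 0, "upload_requests": 0, "bytes_out": 0}
    )
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or not rec["host"]:
            continue  # malformed line or URL without a host
        domain = registrable_domain(rec["host"])
        if domain in sanctioned:
            continue
        f = findings[domain]
        f["users"].add(rec["user"])
        f["requests"] += 1
        f["bytes_out"] += rec["bytes_out"]
        if rec["method"] in ("POST", "PUT"):
            f["upload_requests"] += 1  # data leaving the organisation
    return dict(findings)


def rank_by_upload_volume(findings):
    """Order unsanctioned domains by bytes sent, then by request count."""
    return sorted(
        findings,
        key=lambda d: (findings[d]["bytes_out"], findings[d]["requests"]),
        reverse=True,
    )


def report(findings):
    """Render one summary line per unsanctioned domain, highest volume first."""
    lines = []
    for domain in rank_by_upload_volume(findings):
        f = findings[domain]
        lines.append(
            f"{domain}: {len(f['users'])} user(s), {f['requests']} request(s), "
            f"{f['upload_requests']} upload(s), {f['bytes_out']} bytes out"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_unsanctioned(SAMPLE_PROXY_LOG, SANCTIONED_DOMAINS)):
        print(line)
```

Ranking by bytes sent rather than by request count is deliberate: a single large upload to an unsanctioned file-sharing domain matters more for data loss than many small reads of a project board, and it is the first thing to review when deciding whether a service should be sanctioned, replaced with an approved tool, or blocked.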
But in addition to all of the above, the best thing a company can do to mitigate shadow IT risks is use advanced technology such as Pure Storage® FlashArray™ and Snapshots, which, combined, increase data accessibility and visibility to analyze multiple data sources while keeping their data local. They can work with data directly stored on FlashBlade® object storage or Pure Cloud Block Store™ in the cloud—eliminating the need to create separate copies of data shared with other tools or workflows.