What is shadow IT? The risks, costs and benefits.


How to manage, protect, and control shadow IT.

Shadow IT exists in almost every business and organization. The word “shadow” gives it an ominous tone. But it’s not really.

The IT professionals who support your organization know about it. They may even encourage some elements of it.

You may even be involved.

Shadow IT is rarely a hidden practice. It does come with risks and costs – but also potential benefits to both employees and the business.

In this article, we will:

  • Answer the question, what is shadow IT?

  • Share common examples

  • Explain the risks and dangers

  • Explore the challenge presented by a remote workforce

  • Discuss the benefits of shadow IT

At the end, we’ll also provide a checklist to help you identify and manage shadow IT in your organization.

What is Shadow IT?

Shadow IT describes all of the devices, applications, platforms, and technologies used outside your IT department or provider's control and knowledge.

We'll share some examples in a moment, but it's important to note that rarely do employees do this to “get around” IT or company policy. In most cases, employees or departments find a tool that they like, which helps them do their job better.

The use of non-managed applications and technology can reflect individual user preferences. It may also reveal issues with the tools selected for use by employees and departments. For example, some problems could be as follows:

  • Lack of training. Without proper training, a user may not fully understand how to use a new platform or application. Previous tools – like those used at a former job – may be preferred. Users cannot replace a customer records management tool (CRM); however, they may use alternative applications to work with the tool's data.

  • No input. Employees live in the process. They often know what they need to be more efficient. Asking for their input when choosing tools and technology goes a long way to reducing third-party tool use.

  • Too difficult, too slow. IT-controlled VPNs and file shares can be slow and difficult for employees to use. Cloud storage applications make it easy. All employees need – especially remote workers – is an internet connection.

Examples of shadow IT

Your IT group manages your network files and applications.

But what about Google Drive™, Dropbox®, or OneDrive™? Task management tools like Trello and ClickUp may help organize workflows, but they can also put company information outside your company's security protocols.

Or perhaps a department uses one of seemingly limitless third-party software-as-a-service (SaaS) platforms. The abundance of possible SaaS solutions and applications makes it impractical to list them all.

Another shadow IT practice is bring-your-own-device (BYOD). Some IT groups support this practice when they allow users to connect their personal smartphones and tablets to the internal network.

In each case, the application or device engages with business systems and data outside IT control and monitoring.

The risks of shadow IT

Does data security leap at you as a significant risk of shadow IT?

If so, you’re right. But data security risks aren’t the only problems shadow IT practices create. Let’s take a closer look at the most significant ones.

  • Data security. Uncontrolled and unmonitored endpoints like smartphones and third-party cloud applications become open gateways into an otherwise secured network. Even if your network and application are secured, the data transmission between the two may not be. This can be especially true for remote workforces. When it comes to data security, shadow IT is a cybersecurity nightmare.

  • Compliance. Data security and compliance are closely related. Shadow IT practices pose a threat to compliance even if your data never becomes compromised, depending on your compliance requirements (HIPAA, Sarbanes-Oxley, or PCI, for example).

  • Efficiency problem #1: Time lost. The use of non-supported applications requires that the user solve any technical issues that arise. While many employees today are quite capable of solving technical problems, doing so takes time away from core business activities. Responsible employees will work “overtime” to see that the job gets done, but this extra time eats into their personal hours. Employee frustration and dissatisfaction often result, directed at IT – for not providing the tools needed!

  • Efficiency problem #2: Collaboration disconnects. When users choose their own tools and platforms, the potential for non-compatible file types increases. This can interfere with collaboration, because time is spent solving technology issues rather than on productive activities.

These four represent the most common and significant problems of shadow IT to an organization. In recent years, a new element has only added to – and complicated – the reality of shadow IT.

Regardless of the driving factor, many solutions are available to manage and keep shadow IT under control.

  • Managed IT services

  • Cybersecurity services

  • Cloud applications

  • Document management

  • A well-defined change management process

Make shadow IT your gateway to a competitive advantage

There’s no question shadow IT presents severe risks to businesses. It does have an upside, however.

When employees engage outside technologies, they’re telling company leaders that opportunities exist for greater efficiency. They also reveal that they are engaged. After all, they wouldn’t search out ways to be more productive if they didn’t want to be effective.

As an IT professional or business leader, you can harness this activity and insight to streamline your business processes. We know. We help businesses do it all the time. If you’d like to learn more, contact us.
