What is shadow IT? The risks, costs and benefits.

Shadow IT describes all of the devices, applications, platforms, and technologies used outside your IT department or provider's control and knowledge.

We'll share some examples in a moment, but it's important to note that rarely do employees do this to “get around” IT or company policy. In most cases, employees or departments find a tool that they like, which helps them do their job better.

The use of non-managed applications and technology can reflect individual user preferences. It may also reveal issues with the tools selected for use by employees and departments. For example, some problems could be as follows:

• Lack of training. Without proper training, a user may not fully understand how to use a new platform or application. Previous tools – like those used at a former job – may be preferred. Users cannot replace a customer records management tool (CRM); however, they may use alternative applications to work with the tool's data.
• No input. Employees live in the process. They often know what they need to be more efficient. Asking for their input when choosing tools and technology goes a long way to reducing third-party tool use.
• Too difficult, too slow. IT-controlled VPNs and file shares can be slow and difficult for employees to use. Cloud storage applications make it easy. All employees need – especially remote workers – is an internet connection.

Your IT group manages your network files and applications.

But what about GoogleDrive™, DropBox®, or OneDrive™? Task management tools like Trello and Click-up may help organize workflows, but they can also put company information outside your company's security protocols.

Or perhaps a department uses one of seemingly limitless third-party software-as-a-service (SaaS) platforms. The abundance of possible SaaS solutions and applications makes it impractical to list them all.

Another shadow IT practice is bring-your-own-device (BYOD). Some IT groups support this practice when they allow users to connect their personal smartphones and tablets to the internal network.

In each case, the application or device engages with business systems and data outside IT control and monitoring.

Does data security leap at you as a significant risk of shadow IT?

If so, you’re right. But data security risks aren’t the only problems shadow IT practices create. Let’s take a closer look at the most significant ones.

• Data security. Uncontrolled and unmonitored endpoints like smartphones and third-party cloud applications become open gateways into an otherwise secured network. Even if your network and application are secured, the data transmission between the two may not be. This can be especially true for remote workforces. When it comes to data security, shadow IT is a cybersecurity nightmare.
• Compliance. Data security and compliance are closely related. Shadow IT practices pose a threat to compliance even if your data never becomes compromised, depending on your compliance requirements (HIPAA, Sarbanes-Oxley, or PCI, for example).
• Efficiency problem #1: Time lost. The use of non-supported applications requires that the user solve any technical issues that arise. While many employees today are quite capable of solving technical problems, doing so takes time away from core business activities and although responsible employees will work “overtime” to see that the job gets done, this extra time eats into their personal hours. Employee frustration and dissatisfaction often result, directed at IT – for not providing the tools needed!
• Efficiency problem #2: Collaboration disconnects. When users choose their own tools and platforms, the potential for non-compatible file types increases. This can interfere with collaboration efforts in terms of how time is spent, i.e., solving technology issues rather than productive activities.

These four represent the most common and significant problems of shadow IT to an organization. In recent years, a new element has only added to – and complicated – the reality of shadow IT.

The increase in remote workers has created an influx of new unsupported hardware, software, and cloud applications. Some of these should be controlled, others are just a reality of the remote work model and are best left that way.

For example, IT departments aren’t supporting home gateways (the physical hardware sometimes called modems or routers by internet service providers or ISPs). And the thing is, they don't want to.

Most IT departments aren't supporting home printers or other family devices on the same home network shared by the business laptop, PC, tablet, or smartphone either.

Shadow IT is just part of remote work. If a company finds its remote workers using a lot of third-party or unsupported applications, that may be an indication of an opportunity to streamline consolidate systems. 

Either way, shadow IT introduces potential security gaps, but it also offers many potential benefits, the ability to work remotely being one.

Without question, the cons of shadow IT are its significant risks. As such, you might think IT professionals would only see those and seek to prevent it.

The opposite is often true.

For example, one survey of IT professionals reported:

• 97% said employees using their preferred technologies are more productive
• 80% said their company should embrace the technology requested by employees
• 77% believe their companies would be more competitive if leaders collaborated with employees on technology solutions
  

These responses reveal that shadow IT has positives too. These benefits include:

• Increased productivity. Employees get more done when they use the tools and applications they like and with which they are familiar.
• More eyes looking for better tools. Finding new technology may once have been the responsibility of technology professionals and department managers. Today, many employees are plenty comfortable searching for tools to make their jobs easier.
• Expert insight. Employees have two pieces of knowledge that make them the perfect source of insight for ways to increase efficiency and drive productivity: 1) practical, day-to-day experience with the task, and 2) the inefficiencies in the process.
• Empowered employees. When employees contribute to technology selection, they buy-in more to the company and its goals, taking greater responsibility for their work and company success.
• Lower technology and office costs. In some cases, shadow IT can save organizations a bunch of money. Bring your own device (BYOD) removes the expense of providing mobile devices to employees. On the upside, they reduce office expenses such as leases, equipment rentals, IT hardware, utilities, etc.

How a business manages shadow IT will depend on where it finds the greatest need among third-party applications, personal devices, and remote workers.

For some businesses, managing hardware and security may be the issue. For others, it could be applications users have chosen for more productive workflows. Collaboration could also drive the need. (Zoom, for example, was recently embraced by many companies to ensure their teams could continue to meet.)