
Shadow IT: A hidden threat?

by David Levine
Is shadow IT putting your organization’s control of its information in danger?

In today’s technology-rich environment, information and new solutions are just a click away—and in many cases, oh so tempting. You can be up and running in a matter of minutes. Heck, you don’t even need your technology department to get it working...or do you?


As tempting as it may be, implementing technology and/or solutions outside of your technology and security teams can put your organization at real risk of data breaches, regulatory fines, licensing issues, network resource issues, and negative publicity. This practice is commonly referred to as “shadow IT.” Make no mistake; there may be (in some cases) valid reasons why this is occurring. If so, those reasons need to be identified and addressed. While the solutions being identified may seem like great wins for the company, they still need to be vetted to ensure that the financial, business and security risks are acceptable to the company. Let’s take a deeper look:

What is shadow IT?

Shadow IT is a term for a decades-old issue that started when computer technology became inexpensive, available and easy enough to use that departments and individuals didn’t have to go through IT. An example of this would be employees using their home desktop computers, travel notebooks, and mobile devices for work-related activities.

Today, this problem has only gotten worse. Workers use consumer apps and services for messaging, email, file-sharing and remote access. Some employees are even doing “BuildYOA.” In the third Annual Mobile Business Application survey from Canvas [1], a provider of cloud-based software services, 400 decision-makers from a range of companies said that:

  • 61 percent of businesses created a new mobile app in 2015 without any IT involvement
  • 20 percent of the businesses that developed apps without IT support built 10 or more apps
  • 81 percent of businesses are somewhat or very comfortable building mobile apps without the IT team’s help
  • 76 percent of those surveyed were able to create a cloud-based app in one day or less.

That can add up to a lot of IT hardware, software, services and activity that isn’t under the control of, or even known to, the IT department. That can be a problem.


The shadow cast by BYOD and BYOA

Shadow IT activities are understandably tempting approaches for employees. For someone who has been using these unapproved apps on their phone or tablet for years, it may not even occur to them that it might be problematic.

Unfortunately, while convenient for employees, shadow IT can be bad for the company. Data is key to nearly every aspect of your company’s activities. Part of IT’s responsibility is to ensure that data is kept secure from unauthorized access, so that it is not misused, changed, deleted, or stolen.

Here’s a quick look at some of the problems that shadow IT can create:

  • Regulatory fines: The mere act (or even capability) of viewing or sending sensitive data in an unauthorized way can result in government or industry fines, along with negative publicity. Examples: financial services advisors texting buy/sell advice from their personal phone, or a healthcare professional sending a patient’s personal medical health information through a personal email account.
  • Data losses and breaches: Not only can shadow IT open your network up to vulnerabilities and threats, it can store your data in unprotected areas outside of your company, making the risk of a data breach significantly more likely.
  • Virus, malware and other threats: Unauthorized devices and accounts may not have the appropriate level of protection, opening up the company to data losses and network breaches. Rule breakers of corporate BYOD plans often expose the network to increased risk by providing a point of entry for hackers and other malicious threats. They also can create a drain on resources that can significantly slow the entire network.
  • Added IT costs: While the costs for extra copies of software and related IT support quickly add up, the cost of unlicensed software can be even more significant. Shadow IT often takes the form of freemium software, but these programs aren’t always licensed for commercial use, which can open your company to potential legal action.

It’s essential that companies not only be aware shadow IT is happening, but also identify where it’s happening and what steps to take to address the problem.

David Levine
David Levine, Vice President of Information Security & CISO for Ricoh USA, Inc., helps customers limit risk and enhance their information security. Levine’s areas of expertise include operational security, access management, eDiscovery and litigation support, and HIPAA compliance. An avid auto racer, Levine holds a Bachelor of Arts degree in Information Systems with minors in Computer Science and Business from Eckerd College.

[1] Canvas Mobile Business App survey, "61% of Businesses Created Shadow IT Mobile App in 2015." PR Web, February 11, 2016. http://www.prweb.com/releases/2016/02/prweb13207300.htm