
Managing Shadow IT: The Definitive Guide to Mitigating Hidden Risks

David Eves

Understanding Shadow IT

A diagram showing two columns of icons. The left is marked 'Sanctioned IT' and shows a Microsoft logo, a computer with a lock, and a factory with a cogwheel icon. The right side is marked 'Shadow IT', and shows an envelope, a processor chip marked 'AI', and a personal phone.

What exactly is Shadow IT?

Shadow IT is the phrase used to refer to the use of IT systems, technology, software, or devices that are not approved by or managed by the firm's IT department. This can be as innocuous as someone using free or open source software to track personal notes or it can be as serious as departments taking on entire SaaS solutions to solve problems without oversight.

You may not have heard of Shadow IT, or you may have encountered it without seeing it called such. This is because it is extremely difficult to quantify and is only recently coming to the fore as an IT concern. If you were to ask leaders at your organisation to guess, roughly, how many applications or pieces of IT that their teams use on a daily basis, most of them would underestimate by between 50-100%. Your IT group may keep an extensive catalog of permitted or tracked applications, but it is almost certainly not a comprehensive list of what your users are actually using.

Shadow IT is a huge issue faced by organisations of every size, and ungoverned software usage exposes you to a great deal of operational and data risk. According to Cequence Security, up to 68% of organisations have exposed APIs that they are entirely unaware of due to shadow IT, and Gartner studies show that at least 30% of IT spending across organisations is due to shadow IT.

Common Examples of Shadow IT

The most common example we see today is the unsanctioned use of AI tools by employees of organisations that either do not have an AI policy or forbid the use of AI entirely. The majority of ChatGPT logins alone are from personal accounts, and most workers who share that they are using ChatGPT or equivalents admit they do so without the approval of their employers. Sharing privileged company information with an AI is a data breach equivalent to sharing it with another company or another person, especially as there is no guarantee that the AI will not be trained on any data users share with it. Having an AI policy in place for your business, along with appropriate training and monitoring tools, can partially prevent these issues.

One case that I observed a couple of years ago was a global firm with centralised IT support in a single region. The lack of individual region coverage led to two country offices each engaging a local supplier for a SaaS solution to solve a problem that the company was building an in-house solution for. They immediately moved to strengthen IT governance across their organisation and adapted to the situation by engaging proactively with the suppliers, identifying the one best placed to handle the organisation's needs, and leveraging their familiarity with their systems to integrate them safely and securely across all regions.

Key Risks of Shadow IT

Security Vulnerabilities

The list of vulnerabilities caused by Shadow IT runs well into the hundreds, so I won't cover them all here, but there are two principal issues. The first revolves around the IT JML (Joiners-Movers-Leavers) process. Any security-conscious IT department will ensure users hand over important data and controls before they are securely cut off from internal systems, but what if their team was using a data tool that IT was unaware of? Then IT is powerless to stop the user continuing to log in to the tool and view confidential information about the company.

The second is to do with APIs. As best practices show, APIs need to be secure and accessible only to authorised parties, and they should be battle-tested and regularly audited to ensure they are not vulnerable in any way. Shadow IT opens the door to unmanaged APIs where there are no guarantees of security or assurance of audits. Many organisations are entirely unaware that their data is available through these unmanaged API endpoints, yet they are one of the first routes attackers will attempt.

Compliance and Regulatory Issues

Hand in hand with data going to places that organisations are not aware of is the risk of third parties being given your organisation's data for processing due to Shadow IT. Often these third parties will not be domiciled in the same location as your organisation, and they will not be bound by the same data protection regulations. If you process customer data, this can place you in breach of a number of regulations, such as GDPR or the DPA.

Far greater than this concern, however, is the bigger-picture compliance risk that Shadow IT poses. For example, firms in financial services may have regulatory reporting obligations under various regimes, and there are many service providers that offer to handle these obligations in exchange for a fee. If an individual or department engages these without IT oversight, it can lead to duplication of reporting, which the regulators view as just as bad as failing to report.

Hidden Costs and Operational Inefficiencies

At a time when many organisations suffer from poor communication between parts of the business, Shadow IT can be a serious drag on your bottom line. Licence fees, service fees, and token fees can balloon entirely outside of IT controls when the procurers are not trained or fully aware of the prices. This has knock-on effects on project budgets, headcounts, and other finances across the business, often in ways that are entirely untraceable to the existence of Shadow IT.

Similarly, tracking SaaS applications in use by your business can be a full-time job in itself depending on how large your business is. When more and more applications pop up in the SaaS ecosystem and get picked up by users in your business, whether on free trials or extended licenses, it increases the amount of work you have to do to keep track of everything. Shadow IT exacerbates this, creating a tracking nightmare as you have to conduct entire discovery processes before you can include them in your tracking.

A table showing three sets of risks, "Security", "Compliance", and "Hidden Costs". They summarise issues such as unmanaged APIs, data breach risks, and license fees from the above text.

Concerned about Shadow IT risks at your organization? Contact us today for a no-obligation consultation.

Steps to Identify Shadow IT in your Organisation

Conducting a Shadow IT Audit

The most comprehensive solution to identifying Shadow IT is to carry out an audit. This is a painful but necessary process that must be done in order to identify the extent of Shadow IT in your organisation and begin taking steps to counteract it. The challenge here is that occasionally employees are motivated to conceal their use of Shadow IT because they find it helpful and expect you will want to remove it. See our later section on how to structure your approach into one that turns Shadow IT from a liability into an opportunity, and head off this particular challenge before it arises.

Recall that Shadow IT takes the form of hardware as well as software, as long as it exists outside of the usual governance processes of IT. Therefore it is necessary to investigate whether any external devices are being used (a common example being clients using the personal phone numbers of contacts in your organisation for customer service) as well as unknown software or cloud apps.

Some of the more common forms of Shadow IT include, but are not limited to:

  • SaaS Applications - These are the most expensive forms of Shadow IT, where a team or department has engaged an outside vendor or been targeted by marketing and have decided to make use of the vendor's software along with their normal business processes without informing IT.
  • Scripts - User-developed scripts, such as Python or PowerShell scripts that automate small tasks, but are otherwise unsupervised. These are usually harmless, but because they are often created by a single user they become useless after this user leaves or moves to another function, making handover of the process much more difficult for the team lead and the new user.
  • Free or open source (FOSS) software - These are the forms of Shadow IT most prone to being a security risk. There are popular forms of FOSS out there (Notepad++ is a popular one, for example) but for each of these there are a hundred poorly maintained git repositories that your users can pull a solution from. These types of FOSS are dangerous, often coming with rat's nests of dependencies and being riddled with security vulnerabilities. Maintainers for FOSS are under no obligation to help you if their software causes issues for you.
  • AI - AI is ubiquitous now, almost everyone either makes use of ChatGPT on a daily basis or is about to have it forced upon them through their smartphone or other device. AI trains on consumed data from users as well as from publicly available datasets, and is prone to hallucinations when quizzed on complex subjects. These two drawbacks combined make AI extremely risky when users engage with it for assistance on their daily tasks.

Using Technology for Shadow IT Detection

Depending on what technologies your organisation makes use of, you can leverage them to help you in your hunt for Shadow IT, even utilising tools proactively to prevent Shadow IT from becoming an issue at all. These are most prevalent in cloud-based operations, although you can use or build your own solutions as well. Be careful, though: monitoring for Shadow IT can often feel intrusive depending on how close the monitoring is.

Looking at an example in Microsoft's Azure cloud (analogous processes exist in AWS and GCP and they are generally just as effective), the product Microsoft Defender for Cloud Apps enables you to scan and produce snapshot or continuous reports and generates risk assessments, so you can identify high-risk instances of Shadow IT and address them proactively. The limitations are obvious (e.g. it cannot view applications outside of the cloud app catalog), but the advantages are significant, giving you automation and a wide-ranging view that eliminates a lot of the legwork and pitfalls of direct communication.
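The snapshot-report idea above, and the JML gap described under "Security Vulnerabilities", can be illustrated with a small offline report. This is an added example, not code from the original post or from Defender for Cloud Apps: it runs over constructed proxy log lines, treats every host missing from a (constructed) sanctioned catalogue as Shadow IT, ranks those hosts by upload volume, and flags any access by an account on a (constructed) leavers list. The log format, catalogue, domains and user names are all assumptions.

```python
"""Snapshot-style Shadow IT report from web-proxy logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample data, as the IT function might export it.
# A host is sanctioned if it or a parent domain is in the catalogue.
SANCTIONED = {"outlook.office365.com", "sharepoint.com", "github.com"}
# Accounts whose access should already have been revoked (JML leavers).
LEAVERS = {"j.smith"}

# Constructed proxy log lines: "<user> <method> <url> <bytes_sent>".
PROXY_LOG = """\
a.jones POST https://notes-saas.example/api/v1/sync 48213
j.smith GET https://notes-saas.example/dashboard 912
a.jones GET https://outlook.office365.com/mail 1201
b.lee POST https://chat-ai.example/v1/completions 15320
c.ray POST https://chat-ai.example/v1/completions 20111
b.lee GET https://github.com/org/repo 800
"""


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_sent: int = 0          # upload volume is a data-exfiltration proxy
    leaver_hits: set = field(default_factory=set)


def is_sanctioned(host: str) -> bool:
    """True if the host equals, or is a subdomain of, a catalogued domain."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)


def build_report(log_text: str) -> dict:
    """Aggregate unsanctioned traffic per host: distinct users, request
    count, bytes uploaded, and any hits from accounts on the leavers list."""
    report = defaultdict(AppUsage)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, _method, url, sent = line.split()
        host = urlsplit(url).hostname or ""
        if is_sanctioned(host):
            continue
        entry = report[host]
        entry.users.add(user)
        entry.requests += 1
        entry.bytes_sent += int(sent)
        if user in LEAVERS:
            entry.leaver_hits.add(user)
    return dict(report)


def ranked_hosts(report: dict) -> list:
    """Order hosts by risk: leaver access first, then upload volume."""
    return sorted(report, reverse=True,
                  key=lambda h: (len(report[h].leaver_hits), report[h].bytes_sent))


if __name__ == "__main__":
    rep = build_report(PROXY_LOG)
    for host in ranked_hosts(rep):
        u = rep[host]
        flag = f"  LEAVER ACCESS: {','.join(sorted(u.leaver_hits))}" if u.leaver_hits else ""
        print(f"{host}: {len(u.users)} users, {u.requests} requests, "
              f"{u.bytes_sent} bytes uploaded{flag}")
```

Feeding it a real export would only require matching the `line.split()` fields to your proxy's log layout; the catalogue and leavers list are the two inputs that should come from IT governance rather than from the log.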

Schedule a Shadow IT audit to identify hidden risks in your systems now, with us.

Proactive Solutions for Managing Shadow IT

These are ways you can proactively manage your organisation's approach to Shadow IT. The greatest prevention here is to have strict, transparent IT governance that is visible to all areas of the business, which also provides extensive and engaging training to all associates to advise them of the risks and dangers of engaging with IT services not directly controlled or provided by the business.

The building blocks here begin with strong policy. This needs to be reviewed and agreed with stakeholders at the highest possible level, as they will be responsible for disseminating the key points and messages to their areas of the business. Naturally, any policy should be as comprehensive and as clear as possible, while trying to be short and aiming to retain the reader's attention for as long as possible, taking the former as priority over the latter if there must be any trade-offs.

Policy Implementation

Drafting the policy is the easiest part. IT policy on the use of unpermitted devices, software, systems, and tools needs to be as clear as possible. There must be no room to manoeuvre around the definitions of these, nor around the definition of what counts as "for work purposes". There also needs to be a clear assignment of responsibility for any breaches of the policy.

There must also be leeway for input from end users, otherwise the policy risks stifling innovation at the company. Lines of review and approval should be established in the policy, giving everybody at every level of the company a point of contact if they have an idea or tool that they think would improve overall productivity. This point of contact should be able to articulate reasons for and against taking up the tool, as well as raising it at regular touchpoints with, for example, a steering group that can oversee management and implementation.

Employee Training and Education

Policy is pointless when nobody understands it. To this end, user training needs to be developed and carried out by suitable people who usually work within or alongside the IT function. Training needs to cover all of the points of the policy and is usually delivered in bite-size chunks, accompanied by case studies and detailed examples to engage the user, ending in an appropriate assessment to ensure everything has been understood correctly.

The end result of training should be that employees feel educated about the risks of Shadow IT and confident in raising suggestions by using existing IT governance pathways. However, as training is often treated as a tickbox exercise in many instances, it can help to have additional virtual sessions not explicitly called training where users are shown examples of how to avoid Shadow IT and are given the opportunity to share feedback there and then.

Adopting a Culture of Transparency

Culture is one of the most difficult things to define and set across any organisation larger than one person. The ideal of a culture of transparency means that everybody at an organisation should know or have access to the knowledge of how everything functions at a high level. It synergises with the idea that workers are encouraged to communicate informally across lines of business, sharing ideas and input that crystallises into innovation that ultimately gives the business a competitive advantage over others that do not foster this collegiate atmosphere.

As with most things, examples need to be set at the top so they can be followed at all levels. Decision-making by senior executives should never be opaque to the workers of the business, rationale should be shared wherever possible, and people who are especially visible both to the business itself and to the wider world should strive to embody these ideals so that workers are encouraged to match that energy. Care should be taken to avoid seeming performative, and to actually demonstrate these ideals when, for example, executives are working from offices.

Turning Shadow IT Challenges into Opportunities

As with any major problem facing an organisation, there are ways to translate Shadow IT into opportunities for innovation, automation, and general time- and budget-saving. Take the example I opened the post with: when the organisation found out that its offices had separately engaged SaaS vendors for services to resolve their problems, it did not take a punitive approach. Firstly, it examined the two solutions being used and observed the effect on productivity, as well as taking a closer look at the problem itself to see if there were any faster ways of fixing it that the organisation already made use of.

Their next actions were simple. The cost-benefit analysis of both tools produced a clear winner, and it was immediately taken on by the IT department to be reviewed, included in policy, and adopted across the wider organisation. The end result was that the underlying problem disappeared, the procurement process was effectively over before it began, and the business made millions in cost savings.

Carrying out these few simple steps enabled the business to turn an instance of high-risk Shadow IT into a home run for innovation. By aligning your views to see things as opportunities-in-hiding, you too can pull this off.

Enhancing Productivity and Innovation

Why do people engage with Shadow IT? The answer is simple: they have a problem or set of problems that is being solved by something outside of the organisation, and they have taken the initiative to identify, evaluate, and onboard a service or tool that fixes it. Whether they do this because they feel current IT governance is too strict or because they felt empowered to do so is not the concern. The real concern is that there was an existing opportunity to increase productivity through innovation and that it was not realised in a safe manner.

Once identified, information gathering needs to happen. The end users should be engaged to discuss what pain point or process led them to discover this solution, they should be allowed to provide their full justification of why they trusted this solution and exactly what gains they have made by making use of it. You may quickly discover that a process could have been automated a long time ago, or a long-standing problem has been solved by a SaaS provider that just never identified you as their target market.

The providers of the Shadow IT should also be included in discussions, allowing you to get a fuller view of the benefits the product could provide. As it is assumed the end users here are not fully technical, there may be hidden benefits (or, indeed, hidden costs) that your organisation could leverage for further gains. Approaching these discussions with an open but critical mind allows you to make the best decision going forward.

You may quickly discover that this instance of Shadow IT could be applied not only in one place but in many, solving a problem faced across your organisation; or it might not be fully beneficial to take it on now, but you will have one more tool available for problems you face further down the road. Either way, you will quickly establish the pathway to turning the instance of Shadow IT into something directly managed by IT, eliminating the problem and turning it into a potential advantage in one swoop.

Aligning Shadow IT with Strategic IT Planning

Shadow IT can be engaged to provide benefits with strategic planning. As mentioned above, providers of Shadow IT services are effectively existing relations that your organisation can make use of to solve future problems. A large part of strategic planning is trying to predict business needs a quarter, two quarters, or even a year into the future, depending on the enterprise's approach to planning.

Take growth, for example: a common objective in most strategic plans is aligning the IT function with the company's goals for growth. Shadow IT, as we've seen above, is an enabler for growth by way of increasing productivity and minimising pain points; taken to a logical extreme, it can be used (once cleared by IT governance) as a basis for managing growth in certain parts of the business. Taking ownership of problems and converting them to wins is instrumental for good business leadership.

Conclusion and Next Steps

Throughout this article we've seen examples of Shadow IT as well as demonstrated a way to undergo a mindset shift from seeing it as a liability to turning it to your advantage, creating value from nothing and demonstrating keen-eyed leadership. Obviously, Shadow IT is just one of many problems plaguing the modern IT infrastructure across all organisations, but it is one that is frequently neglected despite making up one of the greatest budget black holes for the department, as well as being very risky for the business overall.

If you would like to engage our expertise on the topic of Shadow IT, or indeed on any strategic leadership topic in IT, get in touch and we can talk about how we can help you. Whether this is carrying out an audit with a view to identifying Shadow IT impact at your organisation, or you need help turning a problem into a solution, we are always able to help.

To conclude, here are some tips that you can take onboard immediately that will help you identify and address potential Shadow IT issues at your organisation.

Quick Wins to Get Started Immediately

  • Write up your definition of Shadow IT as it pertains to your business. Are you using anything that could be considered Shadow IT right now?
  • Make a note to bring the topic up to your leadership team if your organisation isn't proactively discussing this. Remember, almost everyone underestimates exactly how many apps and tools their teams are using.
  • Speak to people across your organisation, especially those "on the ground" who carry out administrative or customer-facing functions, where daily processes are prone to easy automation or AI integration.
  • Do you use the cloud? Look up their solutions for identifying Shadow IT apps in use across your organisation.
