What’s shadow IT and who needs it managed?

  • Yusra portrait
  • Yusra Shaeik
  • 5 min read

Shadow IT sounds scary. And from the point of view of your business’s cybersecurity and bottom line, it is.

Yet shadow IT – or grey IT, as it’s sometimes called – can also represent an opportunity:

Because if you find yourself with a serious case of shadow IT, you can be sure that your business has IT systems and processes that need to be addressed right away…

What is shadow IT?

Shadow IT is the Information Technology assets that an organisation uses but does not “know” about.

A classic example is an employee who uses their own device for work purposes but – crucially – has not had that device configured as part of your BYOD (Bring Your Own Device) policies.

Because this device exists in the “shadows”, it represents an unmanaged risk to your organisation. Shadow IT can be the entry point for malware and viruses or allow sensitive data to be stolen.

Yet it’s not just rogue devices on your network that count as shadow IT. Software on the cloud can also be “shadow”. Picture an employee who uses private accounts to store work data.

Most businesses have at least a small amount of shadow IT. When it becomes your default way of working though, you really are asking for costly trouble.

Where does shadow IT come from?

The reasons shadow IT becomes an issue for an organisation are usually wholly innocent. They can also be a result of an understandable “the way we’ve always done things” mindset. For example:

  1. Lack of training – your team doesn’t realise that using personal devices or cloud accounts could cause huge cybersecurity problems.
  2. Lack of functionality – your current cloud tools, software, or devices don’t do what your team needs them to do to complete their daily tasks.
  3. Lack of sanctioned options – your team doesn’t have a tool they can use to, for example, securely message each other or can’t request a tool through proper channels.
  4. Lack of storage space – prompting the use of ad hoc unsecure storage.
  5. Lack of secure sharing ability – if your team needs to share files with someone outside your organisation but there isn’t a secure system that allows them to.

In general, shadow IT comes from situations where your team needs to create their own solutions in their day-to-day working life because the right systems or tech isn’t in place.

What are examples of shadow IT?

1) Unmanaged devices

This is the clearest example of shadow IT. Personal laptops are the most obvious, yet unmanaged devices come in all shapes and sizes, such as:

  • Smart devices like digital printers – or even doorbells!
  • Devices used by contractors or people visiting the site or office
  • New, ad hoc, or improperly configured Wi-Fi coverage or access points

Any device that has not been properly configured by your MSP (Managed Service Provider) or in-house IT team is unlikely to meet proper cybersecurity expectations.

It’s important to note that this does not mean that BYOD is bad. Proper BYOD policies are great – but employees need to have each device registered and configured by your experts.

2) Unmanaged services

Often overlooked are the unsanctioned cloud-based services that your team members use – often without thinking about it.

Examples include all of the following that haven’t been approved or aren’t monitored by your MSP or IT team:

  • Instant messaging apps
  • Videoconferencing software
  • Project planning software
  • File-sharing software or services
  • Testing environments

What are the risks of shadow IT?

  1. Data breaches – data on shadow devices or services is unlikely to have the correct protection in place. Where is your data being stored or processed? You don’t know.
  2. Exploitation – by scammers, cybercriminals looking for a way to get malware and ransomware onto your system, or even having devices incorporated into botnets and worse.
  3. The unknown – because the extent of shadow IT is by definition unknown, it is a risk that can be impossible to assess.

How to handle shadow IT

1) Understand it’s probably not deliberate

Shadow IT isn’t malicious. It’s the result of IT policies that aren’t strong enough or aren’t properly applied or thought through.

It can also point to team members who have yet to receive proper training in the importance of cybersecurity.

2) Don’t blame your team

An easy way to let shadow IT proliferate is to come down hard on team members who come forward. This way, people may continue to do it, they just won’t tell you about it.

Workplaces with good IT systems and practices that meet the needs of their team – and that have proper cybersecurity training – don’t tend to have problems with shadow IT.

Shadow IT can be seen as a helpful sign that your systems need to be carefully re-examined to fill in gaps.

3) Build a better IT culture

If you have processes in place that allow your team to offer feedback on productivity bottlenecks and other issues your tech causes, you are on your way to having a healthier culture around IT.

This should also involve team cybersecurity training. Training makes it clear that shadow IT is a big no-no and underlines the fact that people who come forward are actually helping you.

With an active, engaged team that is aware of the issues, you may even be able to prevent a shadow IT situation from arising in the first place.

4) Get a trusted partner

A Managed Service Provider specialising in cybersecurity solutions will be able to offer Shadow IT Management to make sure your people can still do their jobs, while all the risks of Shadow IT are minimised, and you stay compliant.

Who needs Shadow IT Management?

Any company that tries to get certified with IASME Cyber Assurance or ISO27001 needs this covered in order to achieve their compliance.

Any company that works with sensitive data should look into Shadow IT Management as a form of protecting their clients and their business.

Any company of 40+ users should consider Shadow IT Management to help organise the potential risk (and chaos) caused by that many users staying ‘in the shadows’ of their IT systems.

Do you think you may need Shadow IT Management?

Book a commitment-free meeting with Chief Geek Gildas Jones if you want to chat about shadow IT and your business.

Full Shadow IT Monitoring is included in the price of Protect & Grow Plus and Premium.

That’s not to mention help you set up better systems and processes, creating an IT culture that’s happy, healthy, and productive.

ALL ARTICLES