What is shadow IT, and what risks does it harbour?

Shadow IT refers to hardware or software used within an organisation without the explicit approval or knowledge of its IT department.
This can range from individual tools or services to entire infrastructures used alongside the official IT environment. Shadow IT often arises because employees are looking for tools that make their work more efficient, and the official platforms and systems are thought to be inadequate or too complicated.

Shadow IT poses several risks for organisations:

• Security risk: unapproved tools may not have proper security measures, leading to data breaches, malware infections, and other cybersecurity vulnerabilities.
• Compliance risk: using non-compliant tools can be associated with a lack of documentation, an uncontrolled outflow of customer or other sensitive business data and potential violations of regulatory requirements such as GDPR, HIPAA, or other industry-specific regulations.
• Loss of control: shadow IT makes it difficult for an organisation to have a comprehensive view of its information, making it difficult to manage. The organisation may not even realise this is the case.
• Data loss: company data can be (unknowingly) lost or stolen.
• Creation of data silos: employees use different tools and platforms for the same tasks, leading to fragmented data, which can become inaccessible to the organisation.

Here are a few practical examples of shadow IT to make the term more tangible:

1. Using personal devices such as laptops, smartphones and external data storage devices for work purposes;
2. Using personal email accounts or unauthorised email clients (e.g. Outlook, Thunderbird) for work purposes;
3. Unauthorised note-taking or deployment of unauthorised project management tools (e.g. Notion, Trello);
4. Unauthorised messenger apps (e.g. WhatsApp);
5. Unauthorised services such as cloud storage, document management or file sharing tools,
6. and much more.

What causes shadow IT?

Employees either use shadow IT because they see too many disadvantages in using the official software or there are certain advantages in using unauthorised software. There are various reasons for this:

1. Employees are often unaware of the security and data protection risks associated with shadow IT and, therefore, believe the benefits outweigh the associated dangers.
2. The existing, official company software does not (entirely) cover the needs of employees.
3. Existing platforms and tools are too complicated, slow, or cumbersome to use, so working with them is perceived as a waste of time.
4. Employees feel too restricted or monitored and, therefore, switch to other private options.
5. Employees use their own devices and tools to inconspicuously pursue personal or unauthorised activities.

How can companies protect themselves from these risks?

1. Introduce security precautions in your organisation, such as access controls and data loss prevention (DLP) mechanisms.
2. Set up a VPN for your organisation, which needs to be used to access the IT infrastructure.
3. Address employees’ requirements, needs and wishes regarding specific features and tools.
4. Use intuitive and user-friendly platforms and tools (i.e. harness the power of citizen developers) to avoid implementing a solution that is suitable in theory, but that is avoided in practice.
5. Educate your employees about the risks of shadow IT with the help of training courses.
6. Sensitise new employees to this topic during onboarding.

How can organisations prevent the formation of shadow IT?

Get a lay of the land

Firstly, you should get an overview of the current IT landscape, including potential inefficiencies or functional gaps.

1. Which applications and services are officially used in the company?
2. Which capabilities overlap?
3. Which applications and services in the existing software suite are used frequently and which are not?
4. Are there capabilities which employees use their own solutions to address?
5. Does the company use software solutions that are considered inefficient, unsuitable or outdated for other reasons?
6. What risks do the deployed shadow IT solutions pose in terms of data security and compliance?

Check whether your chosen business software meets all requirements

1. Does the existing IT infrastructure cover all business requirements?
2. Are the current solutions user-friendly, efficient and tailored to the employees’ work processes?
3. Have employees already fed back on the chosen software’s functionality and efficiency?
4. Which software solutions should be kept?
5. Which applications and services need replacing?
6. What alternatives can be offered to employees?
7. Has a process been introduced for systematically recording and evaluating new software requirements?

Take appropriate measures

1. Establish clear IT governance guidelines and a straightforward authorisation process for new tools and applications.
2. Provide opportunities for employees to communicate their requirements, feedback and wishes to the IT department.
3. Sensitise your employees to the risks of shadow IT with training courses and offer support for using the company software.
4. Regularly tailor your software stack to the business requirements and needs of your employees and establish an agile IT strategy to react flexibly to changes in requirements.
5. Promote an open feedback culture and keep an open dialogue with employees about their IT needs and challenges.
6. Work closely with the relevant departments to identify new software solutions, as they understand the requirements best.

How no-code platforms help prevent the formation of shadow IT

There will always be IT-savvy employees who can handle complicated solutions. However, these individuals should never be considered the benchmark. The steeper the learning curve of the software solutions used in a company, the more likely employees are to use their own solutions.

Experience shows that unauthorised shadow IT solutions can quickly take on a life of their own within an organisation. As soon as the relevant employee leaves the company, it becomes impossible to meet transparency and security requirements. Identifying how and which data has been affected and which unauthorised in-house solutions have been used is a major challenge.