Shadow IT


Smartphones, fitness watches and smart coffee machines are quickly logged into the company’s Wi-Fi. Cloud services make it easy to transfer large amounts of data. However, this behavior can pose enormous risks to corporate data security.

What exactly is shadow IT?

The term shadow IT refers to the use of IT systems, software and services within a company without explicit authorization or control by the IT department.

In today’s hyper-connected, digital world, companies are trying to keep up with the ever-evolving technological landscape. This drive for innovation is certainly essential for many companies to remain competitive, but it can have negative consequences if companies neglect the essentials, first and foremost IT security, in their push for rapid development, process optimization or higher profits.

The existence of shadow IT becomes problematic for companies when it arises over a longer period of time, without the knowledge of those responsible, and becomes well established in the company. Nevertheless, organizations can also derive positive aspects from the existence of shadow IT. We will show what these are in this blog article, in which we dive deeper into the topic of shadow IT and shed light on its causes, its effects and the measures that should be taken when dealing with it.

How shadow IT develops

As briefly mentioned earlier, shadow IT usually occurs when employees in a company use solutions, services, applications or tools that have not been provided or approved by the responsible person or IT department.

This can happen for a variety of reasons:

  • Needs are not met: Employees may have specific needs that are not met by the official IT solutions. For example, a certain function cannot be performed by the tool provided or the handling poses challenges for the user. Employees then often look for alternatives on their own to increase their productivity or optimize their work.
  • Flexibility and speed: Official IT processes can sometimes be slow, involving approvals and waiting times. When employees need to act quickly, they often turn to applications they already know and are familiar with, rather than waiting for the official solutions.
  • Easy access: With the rise of cloud services and readily available software, employees can more easily log on and use the applications that suit their needs without having to involve IT managers.
  • Lack of awareness of the problem: In some cases, employees are unaware that what they are doing falls under the category of shadow IT. They may see it as a workaround rather than a deviation from official processes.
  • Perceived bureaucracy: If the IT department is perceived as too strict or the processes are seen as too bureaucratic, employees may avoid going through the responsible bodies or persons.
  • Lack of personnel: If the IT department is understaffed or the responsible persons are absent due to illness or are on vacation, employees may make their own decisions out of necessity and look for alternatives themselves, thus contributing to the creation of shadow IT.

It becomes clear that the reasons why shadow IT can arise are numerous. Very quickly – and often without being aware of it – every employee can contribute to the formation of shadow IT or to the spread of an already existing shadow IT structure. The following everyday work situations show how employees act outside the internal, secure IT infrastructure and what possible threats result from this.

Unauthorized cloud storage use:

To send a file attachment that is too large, employees use personal cloud storage accounts to transfer company information to another device.

  • Potential threats: Data leaks, loss of control over sensitive information, regulatory violations, lack of encryption, potential exposure to cyberattacks.

Messaging apps for work communication:

Various teams use unauthorized messaging apps, such as WhatsApp, to communicate quickly with each other.

  • Potential threats: Lack of end-to-end encryption, potentially insecure sharing of confidential data, lack of control over message storage, risk of malware spreading through file sharing.

Personal project management tools:

To better plan, control, monitor, and execute projects, departments use their own management tools.

  • Potential threats: Data fragmentation, integration difficulties, security vulnerabilities, inability to maintain consistent project oversight, compromised data privacy.

Unauthorized SaaS subscriptions:

Employees subscribe to unauthorized SaaS applications, such as Microsoft 365, for specific tasks.

  • Potential threats: Data breaches, lack of data encryption, limited visibility into third-party data processing practices, risk of non-compliance with data protection regulations, inadequate security settings, lack of security update management.

What’s so dangerous about shadow IT?

These four examples alone show some of the potential threats that can arise from the presence of shadow IT. The core problem of shadow IT is relatively easy to summarize: You can’t secure what you don’t know about.

As a result, every device, every program poses a potential security risk to corporate data. If those responsible are not aware of their existence, they cannot take the necessary security or data protection precautions. For example, employees cannot be made aware of the specific dangers of individual technologies, data protection settings are not set, and security programs such as firewalls are not set up or are set up inadequately.

In general, the opportunities for cybercriminals to attack the company increase when additional programs and devices are used and the IT infrastructure becomes more complex as a result. This risk is significantly heightened when such applications are used without any security controls.

Although shadow IT can also have positive effects on a company (promoting innovation, faster decision-making by employees or even research into new technologies), the risks outweigh the benefits.

In addition to the data security risks mentioned above, the loss of data and control, or violations of compliance guidelines, additional costs can also arise for the company if, for example, different departments use similar applications separately from one another and thus pay twice for licenses or subscriptions. Productivity losses or scaling problems can also occur if the shadow IT is not designed to grow with the company.

Dealing with and tackling shadow IT

If it is determined that shadow IT has become established in the company or is about to develop, measures should be taken. The goal should be to create a safe, efficient and productive working environment for employees. An analysis of why shadow IT has spread is recommended. Perhaps one of the reasons mentioned above is the root cause. Then, the motivations should be understood and the team should work together to solve the problem. This can be achieved by following these tips.

  1. Recognize and understand: It should be understood why shadow IT exists or why it has arisen. It is important to understand the motivations and address the needs of the employees.
  2. Open communication: Encourage the staff to share and discuss their needs openly and transparently with the IT department or responsible individuals.
  3. Education: Inform employees about the risks of shadow IT.
  4. Collaborative solutions: Work with employees to find solutions. Work with the team to find services, tools and applications that meet needs.
  5. Process optimization: Implement streamlined processes for rolling out new applications, approving new technologies, and deploying those tools.
  6. Regular audits and feedback loops: Conduct regular surveys to identify unauthorized applications and ask employees if they are satisfied with existing processes and applications.
  7. Updates: Keep the IT you use up to date to adapt to changing needs.
  8. Celebrate successes: Show your team why an application or solution should be used or what positive developments have occurred as a result of its use.
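Tip 6 can be backed by data rather than surveys alone: web-proxy or DNS logs show which services actually leave the network. The following script is an added example and not code from the article or from Perseus; it assumes a constructed proxy-log format (timestamp, user, department, URL, bytes uploaded), a constructed allow-list of approved services and an illustrative catalogue of well-known SaaS domains mapped to the categories discussed above.

```python
"""Shadow IT discovery from constructed web-proxy log lines."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allow-list: the services IT has approved for this company.
SANCTIONED = {"sharepoint.example-corp.com", "teams.microsoft.com"}

# Illustrative catalogue of SaaS domains mapped to the article's categories.
SAAS_CATALOGUE = {
    "dropbox.com": "cloud storage",
    "web.whatsapp.com": "messaging",
    "trello.com": "project management",
    "office.com": "SaaS subscription",
}

# Constructed proxy log: timestamp, user, department, URL, bytes uploaded.
PROXY_LOG = """\
2024-03-04T09:12:01Z alice sales https://sharepoint.example-corp.com/sites/q1 1200
2024-03-04T09:15:43Z alice sales https://www.dropbox.com/upload 734003200
2024-03-04T09:16:10Z bob sales https://files.dropbox.com/s/abc 52001
2024-03-04T10:02:55Z carol marketing https://trello.com/b/board 4410
2024-03-04T10:05:12Z dave engineering https://web.whatsapp.com/ 910
2024-03-04T11:20:37Z frank finance https://www.office.com/launch/excel 8800
"""

def classify_host(host):
    """Return (service, category) or None; parent domains are tried so
    that files.dropbox.com is recognised as dropbox.com."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SAAS_CATALOGUE:
            return candidate, SAAS_CATALOGUE[candidate]
    return None

def find_shadow_it(log_text):
    """Group unsanctioned SaaS use by (department, category, service)."""
    findings = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        _ts, user, dept, url, bytes_up = line.split()
        host = urlsplit(url).hostname or ""
        if host in SANCTIONED:
            continue  # approved by IT, nothing to report
        hit = classify_host(host)
        if hit is None:
            continue  # unknown host: not guessed at, left for manual review
        key = (dept, hit[1], hit[0])
        findings[key]["users"].add(user)
        findings[key]["bytes_up"] += int(bytes_up)
    return dict(findings)
```

The per-department grouping is what makes the result actionable: it shows which team has an unmet need (tip 1) and where the upload volume suggests a large-file workflow that the sanctioned tools are not covering.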

Related articles

  • BYOD – Bring Your Own Device

    Bring Your Own Device refers to the use of private end devices at work. Usually, this means smartphones, tablets and laptops.

  • Cyber Security

    Protection of information technology devices (such as computers or smartphones) and systems against the dangers of decommissioning, manipulation or outflow of data through cyberspace.

