Shadow IT is a dramatic term, but it refers to a concept that is usually quite ordinary. It means any IT equipment, software and services that people use for work purposes without an organisation’s IT or security staff knowing about them. An example is a staff member forwarding work emails to a personal account or storing work documents in a private file-sharing account. Another example is a team running a project on an unapproved software-as-a-service platform.
People don’t usually use shadow IT with bad intentions. Often, it’s done to help them work faster and be more productive by getting around restrictive company policies, or to solve issues that are too slow or difficult to resolve with the tools the company provides.
The problem with shadow IT is that it impacts the company’s security posture. It can increase cyber security risk and make problems more difficult to fix. If an IT or security team doesn’t know that a system is being used, they can’t monitor it, provide security updates for it, or respond quickly if a problem arises. If the system is compromised by malware or a security breach, the company may not know until it’s too late and data has been stolen.
Data leakage is another problem caused by shadow IT. Sensitive files may be spread across multiple platforms, some of which lack appropriate security controls. They may also be shared too broadly, leading to unapproved people being able to see them. This can create a messy environment in which many copies of a file exist outside the corporate environment.
Shadow IT can also have serious legal and compliance implications. Many organisations are subject to privacy laws, contractual obligations, and regulations. If sensitive data such as financial or personal information is kept in an unapproved system, the organisation could be in breach even if no incident has taken place. There could also be insurance or regulatory implications if an incident does occur.
Shadow IT is often used because an organisation’s processes have not kept pace with how people work. If staff need a new tool but the request and approval process takes too long, people may try to find their own solutions. Policy alone is not sufficient to solve the problem of shadow IT.
For many organisations, it may not be practical to eliminate the use of shadow IT completely. Technology changes quickly, and people are creative about finding their own ways to solve problems when the need arises. Gaining a better understanding of where business processes and tools can be improved, and how people need to work, may produce better results than trying to enforce a total ban on shadow IT without other changes.
Managing and limiting shadow IT
This is not intended to be a comprehensive list but provides some useful points to consider.
- Make visibility a priority. Understanding the landscape is important. Use monitoring such as network logging and discovery tools to identify the shadow IT already in use before taking action.
- Create a fast pathway for approvals. Make it easy for staff to request new tools and provide clear timelines to keep them updated.
- Align tools with how people work. The usage of shadow IT can give the organisation useful feedback about capability gaps in existing tools and processes.
- Keep a catalogue of available tools. Publish a list that lets staff know what’s available and how they can access it.
- Educate staff about shadow IT. Use practical examples to help them understand risks like data breaches, and the implications of non-compliance.
- Prevent the use of personal accounts for work reasons. Restrict, if possible, or discourage the practice of logging into work systems with personal email accounts or other unmanaged credentials.
- Maintain strong identity and access management. Implement single sign-on (SSO), multi-factor authentication (MFA), and conditional access for enterprise and software-as-a-service platforms.
- New Zealand Government agencies must ensure their systems and practices are compliant with the requirements of the New Zealand Information Security Manual.
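One way to get the visibility the first point above calls for, as an added example that is not part of the original article: the script below reviews constructed forward-proxy log lines against an assumed approved-tools catalogue (the set of domains the organisation has published, per the "catalogue of available tools" point) and reports the destination domains outside it, ranked by data volume, so the IT team has a review list rather than a blind block list. The log format, domain list and user names are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of forward-proxy log lines (not real traffic):
# "<timestamp> <user> <dest_host> <bytes_transferred>"
SAMPLE_PROXY_LOG = """\
2024-03-04T09:01:12Z alice drive.google.com 1048576
2024-03-04T09:02:40Z alice mail.corp.example 20480
2024-03-04T09:05:03Z bob www.dropbox.com 52428800
2024-03-04T09:06:10Z carol api.notion.so 4096
2024-03-04T09:07:55Z bob content.dropboxapi.com 2097152
2024-03-04T09:09:21Z dave teams.microsoft.com 8192
2024-03-04T09:11:02Z erin www.dropbox.com 10485760
"""

# Registrable domains taken from the organisation's approved-tools catalogue (assumed values).
APPROVED_DOMAINS = {"corp.example", "microsoft.com", "google.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels. Simplification: multi-label
    public suffixes such as co.nz would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_unapproved(log_text: str, approved: set[str]) -> dict[str, dict]:
    """Aggregate distinct users and bytes per destination domain and return
    only the domains that are absent from the approved catalogue, largest first."""
    stats = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole review
        domain = registrable_domain(m["host"])
        stats[domain]["users"].add(m["user"])
        stats[domain]["bytes"] += int(m["bytes"])
    return {
        d: {"users": sorted(s["users"]), "bytes": s["bytes"]}
        for d, s in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"])
        if d not in approved
    }


if __name__ == "__main__":
    for domain, info in find_unapproved(SAMPLE_PROXY_LOG, APPROVED_DOMAINS).items():
        print(f"{domain}: {len(info['users'])} user(s), {info['bytes']} bytes -> review")
```

The output is a starting point for the conversation with staff about why the tool is in use, which feeds the "align tools with how people work" point rather than replacing it.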