
The Risks of Unendorsed 'Shadow' Collaboration Solutions

by Matt Huber

First Published Oct. 2018. Updated Mar. 2024.

Shadow IT carries with it some huge risks that—if not taken seriously—come with serious consequences. At the most basic level, not knowing about a piece of software, a service or a technology in your stack creates a gap in coverage or exposure in your security program.

To better understand shadow IT, let’s start with a hypothetical scenario:

Jon is the collaboration manager for XYZ Corporation. Sally helps direct the IT portfolio, determining what products the company should and should not use. After some research and cooperation, Jon and Sally agree that Microsoft Teams is an excellent workstream collaboration tool to help break down organizational silos and encourage information sharing.

Months go by and Teams gets good use in certain areas of the company. Meanwhile Derek in Sales decides that Slack has some functionalities that would help enhance his productivity. After seeing how easy it is to create a Slack workspace, Derek, along with his sales team, starts using this alternative platform without the approval of Jon or Sally.

This Is Shadow IT.

Jon and Sally don’t know that Derek introduced a new platform within his team, and they have had no chance to implement the controls and safeguards that the approved applications in the IT portfolio have.

The existence of shadow IT within the organization raises three key questions:

  • Why does it matter?
  • Why don’t we let our employees choose a collaboration tool that might be faster, better or cheaper?
  • What’s the big deal, can it really do any harm?

This guide will help navigate some of the risks associated with Shadow IT, and how to make the most of these situations when they arise.

Why Does It Matter?

Any time there is an unendorsed technology solution in use within an organization, there is a significant gap in coverage that creates increased exposure in your security program.

What if Derek were to share competitive insights and sales forecasts with a colleague who exfiltrated that information before leaving for a competing company? No one would be aware, and this could eventually damage the company. And in highly regulated industries, sharing sensitive information in collaboration tools can have significant compliance implications.

Other Tools May be Better, Faster or Cheaper—So Why Shouldn’t Employees be Allowed to Choose the Platform They Prefer?

Implementing multiple collaboration tools isn't necessarily a bad thing. Over 90% of organizations use at least two and 85% use six or more. It's when those tools aren't properly managed and moderated that they introduce risk to the organization.

An organization that permits employees to use whatever collaboration platform they want also needs to get to grips with how it will secure all those different spaces. Legal and IT departments may find themselves without sufficient oversight. Or they may have to log into multiple different locations to create rules and respond to incidents. This makes collaboration security management much slower, more granular and less effective than using one or two authorized tools.

Companies that adhere to PCI, HIPAA or GDPR compliance face additional burdens when it comes to securing collaboration. Not only are violations damaging from a reputational or data loss perspective, but they often come with significant fines and penalties attached.

Ultimately, any “shadow IT” solution that takes hold within a company will eventually become business critical, but will lack requirements demanded by the business, such as high availability, redundancy and disaster recovery.

What is the Big Deal, and Can it Really Do Any Harm?

Your employees want to do their jobs effectively. Collaboration tools can accelerate communication and break down internal silos that otherwise slow work down. As such, the implementation of shadow IT is rarely malicious. However, it can still do serious harm to the company and its employees by opening the door to data loss and regulatory noncompliance.

  • HIPAA fines in 2020-21 reached all-time highs, and to date HIPAA fines have cost noncompliant practitioners more than $133 million
  • PCI non-compliance fines can run from $10k to $100k USD per month, depending on the circumstances
  • GDPR non-compliance fines can range up to 4% of a company’s global revenue or €20 million, whichever is greater

These regulations exist to protect consumers, and employees may inadvertently harm consumers or their coworkers by using unapproved software.

Where to Go from Here

For one, understand what software your employees are using. Listen to them and survey them; understand what works and what doesn’t. If they are using an unendorsed "shadow" collaboration platform, then assess why, and consider how to make them successful within the organization. Don’t scold or penalize employees. Once an application is brought into the organization’s IT portfolio, make sure it’s held to the same standards and baselines that your other applications are held to.

There are many ways to stay on top of shadow IT, but one solution is to pair Aware with the platforms that people want to use, giving your employees the tools to collaborate effectively and securely.
