Shadow IT: The hidden risk lurking in your business tech stack
What is shadow IT and why is it risky for businesses?

As the name suggests, Shadow IT is when IT is being "left in the dark". It refers to the use of technology systems, software or applications by employees and teams for business purposes, but without explicit approval or oversight from their IT department.
Shadow IT can look different from user to user, or team to team. Common examples include:
- Personal cloud storage and file-sharing tools, like Dropbox and Google Docs or Google Drive.
- Communication tools such as messaging apps like WhatsApp and personal email addresses.
- Productivity and project management tools such as Trello and Slack.
- AI platforms such as ChatGPT and Gemini.
Why does Shadow IT happen?
Many instances of shadow IT usage follow similar patterns. An employee or team uses a cloud service or SaaS tool in their personal life (or in a previous work life); it's easy to use and even easier to set up. Convenience wins out, and within a week you've gone from one employee using it at home to a whole team adopting a piece of software, while the IT department has no idea it has been deployed.
And while employees and teams use shadow IT for many different reasons, there are common themes driving shadow IT usage.
- Ease and convenience: often shadow IT simply occurs because it's easy. It's what the user is comfortable with, and it solves their problem quickly. For example, a marketing team member might use Dropbox to share a large file with an external agency as they've used the tool in previous roles and know it's quick and easy. It is simply the convenient option.
- Internal approval is slow: Going through the approved, standard channels to request, reason, get budget and obtain IT approval for a new tool can be a long, slow process in many companies. The pace of internal approval processes can impact an employee's project delivery timeframe, and for many, taking the faster route of shadow IT is the easy, no-brainer option.
- Pressure on productivity: With the rise of remote, global teams, pressure on team productivity and communications has increased. The way teams communicate with each other and manage projects when they may not be in the office every day (let alone every week) has changed. But often, a business' tools have not kept pace with remote or hybrid teams' needs. A hybrid, cross-borders team might adopt a tool such as Monday or Slack as it meets their communication and productivity needs immediately, with low IT expertise required to get it deployed. They're up and running in minutes, after just creating a login and completing credit card details.
- External partners: Requests from external partners are sometimes overlooked by employees. Examples of this include file-sharing and collaboration on software that is not approved or monitored by their own IT. While this might be seen as just doing your job and working with a business partner, just like any other instance of shadow IT, it does come with risks.
- Consumerisation of IT: Tech is part of our lives, both work and home. Outside of work we use messaging apps to communicate with friends, productivity apps to manage the household juggle and AI to help us with anything and everything. With IT use being so easy in our home life, employees expect the same at work. If work-approved tools are clunky and deliver a poor user experience, employees will seek out and use software that provides the experience they expect at the pace they need.
Why Shadow IT is risky for businesses.
Shadow IT can solve issues for employees and teams quickly. It can also invite a range of cybersecurity, compliance and data risks through the doors to unsuspecting businesses.
Cybersecurity threats from shadow IT:
When employees self-install and use unapproved apps and software, those tools go unmonitored and unpatched by IT. The result is an easy backdoor to your data for hackers. It's much harder for IT to prevent or respond quickly to attacks when they're unaware that a tool or software is in use.
Shadow IT and data breaches:
With software or tools going unmonitored by IT, businesses become increasingly vulnerable to data breaches, either through usage of tools with low-grade security features, or through employees taking a more relaxed approach to security measures due to a lack of IT oversight. Data breaches courtesy of shadow IT can have a deeper impact on a company, as the lack of oversight by the IT department results in longer timeframes to:
- unravel exactly how the breach happened
- understand what data is impacted
- work out the process to wind the clock back.
The result of this can be an erosion of client trust and significant reputational damage. Internally, an incident like this often deepens mistrust between your IT team and the employee or team at the centre of the shadow IT usage.
Shadow IT compliance risks:
The nature of shadow IT is that it's kept hidden, which means that any data flowing through unmonitored software and tools is being stored outside of approved systems: a compliance (and security) nightmare. Depending on the situation and severity of any data breach, you could find your business facing fines of up to $10,000 in New Zealand and potentially more overseas.
Operational inefficiencies driven by shadow IT:
While shadow IT often enters your business because an employee or team is trying to increase their productivity, it can in the long run have the opposite effect. The team responsible for introducing a new (unapproved) piece of software might see productivity gains, but if the wider business is unaware of its usage and cannot access it, this can lead to fragmentation of work, duplicated work and data silos.
Financial implications of shadow IT:
While the company and your IT team are smoothly managing your wider tech stack and associated budget, other employees and teams could be driving up your total tech costs through subscriptions to shadow IT tools, hidden costs within these tools, and licensing issues. An example of this is duplication of costs, with multiple teams unknowingly paying for a subscription to the same software; if the IT department had oversight, costs could be reduced through a volume discount or licensing.
In worst-case scenarios, companies can get slapped with large financial penalties due to data breaches or non-compliance with industry regulations courtesy of shadow IT usage.
Shadow IT in your business.
It's not a case of if shadow IT is occurring in your business. Rather, it's a case of the extent to which shadow IT is happening.
Businesses that bury their heads in the sand and just ignore the fact that this will be occurring are increasing their vulnerability to cyber-attacks and financial implications. They're also more likely to be creating an IT culture that is not productive or beneficial for the wider company, teams, and individual employees.
If your tech stack needs reviewing (and you're too scared to look behind the shadows yourself), get in touch and our team can get the ball rolling for you.