enterprise security

SecurityTrails Blog · May 18 · by Sara Jelen

Shadow IT and Its Security Risks - Managing the Unseen

Reading time: 10 minutes
Listen to this article

Cloud computing is beneficial. Many organizations already know this and are reaping the benefits cloud adoption has brought them: reduced IT costs, scalability, collaboration efficiency and, above all else, flexibility in accessing storage and software to meet their needs. Users can now more easily engage services and solutions that will make their everyday jobs easier.

That flexibility, however, is a double-edged sword. And you might be wondering how it can possibly be a bad thing—especially when it makes everyone work more efficiently. The thing is, many of those solutions and software your employees gain access to aren’t under the governance of your IT department. While IT usually enforces policies that dictate the software, hardware and other resources used within the organization, with oversight regarding how they’re used, the introduction of cloud computing means users can much more easily access resources they need with limited visibility from IT.

So yes, using these resources can improve productivity, but their introduction without the governance and approval of an organization’s IT department can lead to numerous security risks, data loss, non-compliance and exponential growth of the attack surface.

What is shadow IT?

When something is in a shadow, you don’t know what it is. You don’t know if it’s malicious or completely harmless. How can you even begin to handle and manage something for which you have no overview?

Well, your organization’s IT has its own shadow. It’s appropriately named “shadow IT”.

Shadow IT is the use of systems, devices, software, apps and services without approval from an organization’s IT department. Most users who employ unauthorized solutions don’t do it with any ill intention but to be more productive at their job.

Shadow IT can include:

  • Hardware and physical devices - smartphones, tablets, IoT, flash drives, external drives
  • SaaS, PaaS, IaaS, and other cloud services - productivity apps, messaging apps, cloud storage
  • Data repositories such as spreadsheets with internal data
  • APIs
  • VPNs
  • Commercial off-the-shelf software

Shadow IT is not all bad, though. While some may view it as a potentially dangerous nuisance that needs to be addressed and prevented, others see it as an innovation-driver and the natural manifestation of an ever-changing business environment’s constant need to catch up. No matter what your stance on shadow IT, it’s here and it’s staying.

Know the Internet surface area of your organization:

With no obligations, or credits cards. Available for a limited time:

Get your Free Attack Surface Report

Why is shadow IT so prevalent?

If there are employees in an organization, there is shadow IT. Statistics show that 80% of end users use unapproved software and services. There was a time, under the shadow IT umbrella, when we saw a lot of software that impatient employees had downloaded and used, but it wasn’t as prevalent as all of today’s packaged software nor as easy to engage. Definitely not as easy as a click of a button—which the adoption of the cloud has introduced. Shadow IT now includes personal technology and devices employees bring in, which is propagated with remote work and BYOB policies.

Rapid growth of the business landscape has increased the need for additional applications that can make employees’ daily tasks easier and more efficient. With numerous businesses, productivity, storage, automation and other applications available in the cloud, they drive innovation, productivity and efficiency. It’s easy to see why they’re so enticing and why employees don’t hesitate to download and employ these apps.

Some corporate solutions might not only be incompatible with users’ devices, they might also be slower, outdated and less effective. Combine this with the often long and tiring process of seeking approval from an IT department, and we can begin to see why shadow IT is continuously growing.

One thing is certain: shadow IT is inevitable, so it wouldn’t be fruitful to “fight it”, but to understand its risks and the appropriate way to manage it.

Risks associated with shadow IT

There are numerous cybersecurity risks associated with unmanaged and ignored shadow IT in an organization, and some of the more prevalent are:

Risk Associated with Shadow IT

Lack of visibility

Certainly the main security risks of shadow IT are the lack of visibility and control over an organization’s network and infrastructure. And lack of visibility is what actually causes all the other risks here: it opens up numerous access points for malicious attackers to exploit.

Without seeing and managing all parts of their infrastructure, IT teams are unaware of activity and interaction with their resources, whether they’re secure, and what kind of data is involved and potentially exposed.


Organizations are subject to various laws, regulations and standards—and failure to adhere to them can result in lawsuits, fines, brand reputation and loss of business. Introduction of shadow IT and the use of unmanaged apps and software can make it harder for organizations to comply with all of those regulations. In fact, the mere use of shadow IT itself can be considered a violation.

Data leaks

Any application has its own privacy controls and security measures. Sometimes their security is up to par with an organization’s usual requirements for approved IT, but other times they can be riddled with vulnerabilities, through which malicious actors can gain access to users’ data. Even if an app has good security controls, not all employees are tech-savvy enough to know how to use it securely. Maybe there’s a vulnerability—and even with a patch issued, who can guarantee that employees would perform regular updates?

When no one manages shadow IT, apps and services transmit and process unsecured data, which can cause data leaks and much worse.

Increase of attack surface

An organization’s attack surface is its entire network and software environment that’s exposed to malicious attackers. It also refers to all of the ways in which your apps can be exploited by them. And it of course includes shadow IT—the more apps and services involved, the greater the attack surface and number of entry points your network offers to attackers.

Benefits of embracing shadow IT

Shadow IT isn’t all bad. Employees who venture out and search for apps and tools outside of their approved scope do so out of a desire to be more productive and efficient. They might even discover apps that will then be used by an entire team and prove to be quite beneficial. So beneficial that, sometimes, their use outweighs the risks.

Now that we’ve gone over the best ways to manage shadow IT, let’s see why we should. Here are a few of its benefits:

  • Reduces the IT department workload: It’s not uncommon to see overworked and overwhelmed IT departments trying to keep everything running while putting fires out as they go. And adding to that the approval of requests for new solutions can prove too much to handle. Embracing shadow IT, however, would give users pre-approved solutions or the tools to create their own, removing the burden from an IT department who can then focus on more critical tasks.

  • Improves employee satisfaction and productivity: Properly managing shadow IT can empower employees to use their preferred tools, and give them the satisfaction of being productive at their job. When employees use their preferred technologies, they’re not only more productive, but also more engaged and likely to stay at the company for the long term. Nurturing your team’s satisfaction and giving them access to the resources they need to do their best can come easily with properly managed shadow IT.

  • Drives innovation: One of the most common reasons employees turn to shadow IT in the first place is that instead of waiting for valuable new applications, they’d rather build their own. So by providing the tools needed to create their own solutions, users will get the applications they need without making requests to IT. Even non-specialists will be able to craft efficient, cost-effective solutions without the need for third-party proprietary tools.

Manage shadow IT risks

The bottom line with shadow IT is that you will never be able to stop it. It’s here to stay and you should embrace it. What you shouldn’t embrace though, is the risks it carries. Managing the risks of shadow IT can allow your employees to have all the tools they need to be productive and you will be able to avoid most of the risks associated with it. Here are some of the ways you can manage shadow IT risks:

Manage Risk Associated with Shadow IT

Educate your employees

One of the best ways to address shadow IT is by addressing the main users of shadow IT. Educating your employees about the dangers and consequences of using unapproved and unknown software and apps. Nurturing a cybersecurity culture of awareness will help users find a way to fulfil their technology requirements without bypassing protocols, and will aid organizations in understanding what those needs are so they can help and provide options.

Make sure users have technology they need

While educating and creating awareness among users, organizations can learn what type of technology employees need more of, and what existing solutions make users turn to another direction and find alternatives on their own. The main reason why users turn to shadow IT is because the offered tools and software don’t allow them to work at their best, so make sure you nurture a nature of open communication where you can hear about what the users actually need. Additionally, the process of vetting an application and finishing the approval process should be more painless. This way employees will gladly report new apps they think should be approved and added and new technology can be added/removed quickly, to accommodate business needs as well.

Establish guidelines around permitted technology

Once you’ve addressed technology needs of your users, the next step would be to establish guidelines around approved software, applications and devices. As mentioned, a structure that allows for an efficient vetting process and making new technology available to users fast, and respond to their IT needs. The details of the guidelines should be clearly communicated with everyone in the organization to ensure every user knows what’s allowed and safe, mitigating security risks of unapproved apps.

Prioritize risk

Once you’ve detected your shadow IT infrastructure it’s time to prioritize. The bottom line is that we are mitigating risk. Not all applications and devices pose the same risk and are targeted by attackers with the same likelihood. Known assets on their own already need attention and framework to handle and secure, discovery of shadow IT assets will only add to the burden. This is why prioritization based on the risk will help guide your shadow IT strategy. Some of the most tempting targets in your shadow IT are those assets directly exposed to the internet, those not behind your VPN and firewall, and they should be addressed first.

Use tools to discover your shadow IT infrastructure

Embracing shadow IT but not the shadow itself is crucial. Visibility is the main reason why shadow IT can be dangerous so detecting unapproved app usage will help guide your strategy and allow you to minimize potential consequences. Use solutions to monitor your network for anomalous behaviour, known and unknown devices, to know how resources are used and other indicators of shadow IT. Proactive discovery of shadow IT will allow you to be completely aware of your attack surface, and prevent potential attacks.

Shed light on your shadow IT with ASRv2

Our Attack Surface Reduction v2 platform can increase your awareness of your internet-facing infrastructure by providing you with a detailed digital inventory of all critical and shadow assets.

With our simple and automated asset analysis, you’ll be able to detect and understand different security risks these assets pose to your organization. And that’s not all—to be truly proactive about your shadow IT, you’ll also be able to detect any changes across your entire online infrastructure, and be notified when any new changes are made.

To ensure a good overview of your infrastructure, and if and where you have shadow IT, take advantage of our free ASR account. See the complete picture of your digital risks!

Sara Jelen Blog Author

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.