
Shadow IT: Definition, Risks, and Countermeasures

Author: Talabuyev Y.

Gartner has estimated that over 40% of employees use technologies that are not managed by their IT departments, and by 2027, this figure is expected to rise to an impressive 75%. This practice is known as Shadow IT, and it affects up to 57% of SMBs. Our article explores the origins of this phenomenon, the risks it poses, and how these risks can be mitigated.

What is Shadow IT and Why is it Dangerous?

Shadow IT refers to the use of information technology, digital devices, software, and IT services by employees without the approval of the company’s IT department. While Shadow IT is often discussed in a negative context, it is not always harmful: employees frequently install third-party software or subscribe to services in an effort to perform their work more efficiently or with fewer resources. However, 76% of small and medium-sized businesses believe that Shadow IT poses a threat to their security.

The scale of this phenomenon is striking: nearly a third of employees have access to SaaS applications they used at a previous employer, and 65% of such services are implemented without company approval. Moreover, 55% of companies experienced security incidents last year directly related to SaaS applications.

Over the past couple of years, the situation with Shadow IT has become more complicated due to ChatGPT and other widespread AI tools: slightly more than half of those who use them for work purposes do not inform their supervisors, according to Microsoft data.

Examples of Shadow IT and Reasons for Their Spread

Shadow IT most commonly includes various SaaS applications (Google Docs, Dropbox, Slack) and other cloud services, as well as popular AI tools like ChatGPT. When examining this phenomenon in more detail, we can identify several groups of information systems that employees use without management approval:

  • Platforms for text and video communication (Zoom, WhatsApp, Telegram, Google Meet)
  • Data storage and sharing services (Google Drive, Box, Mega, OneDrive)
  • Planning and productivity tools (Trello, Asana, Miro)
  • Document editors (Google Docs, Microsoft Office 365)
  • Free password managers (KeePass, Keeper, Dashlane)
  • Survey and feedback collection services (Google Forms, Typeform)
  • VPN services (ExpressVPN, CyberGhost, Hide.me)
  • Learning platforms (Coursera, Udemy)

Employees often choose IT tools independently because those approved by the IT department are inconvenient, slow, lack necessary functionality, or don’t offer the required settings. Sometimes, the tools needed for effective work are simply not available. Additionally, most professionals are unaware of the risks associated with using unauthorized information systems and do not perceive them as a threat to the company.

Risks of Shadow IT and the Opportunities It Opens

The primary drivers behind the spread of Shadow IT include digital transformation, which has impacted all areas of business, the rise of cloud services, and the shift to remote or hybrid work models. Additionally, IT departments often respond slowly to the changing needs of employees and may not always be able to provide the necessary tools in a timely manner. As a result, employees prioritize work efficiency over security.

What Negative Consequences Can This Have?

  • The spread of malware, complicating the overall cybersecurity landscape.
  • Increased vulnerabilities that remain unnoticed by the IT department.
  • Data loss and theft (due to lack of backups or poor password management, such as storing credentials in Google Sheets).
  • Inability to centrally manage enterprise security.
  • Poor business decisions based on uncoordinated tools.
  • Non-compliance with industry regulations, leading to fines or unexpected expenses.

Shadow IT is often used to reduce costs; however, this doesn’t always work out. In some cases, scaling these systems or services to the entire company can have the opposite effect. For example, a cloud storage service might be free for individual users, but the cost of a corporate license could be prohibitively expensive.

At the same time, there are positive aspects to the Shadow IT phenomenon. For instance, Shadow IT systems:

  • Enhance employee convenience and productivity, potentially leading to significant economic benefits for the entire company.
  • Reduce IT costs by utilizing free, publicly available tools.
  • Encourage innovation at the corporate level.

How to Create a Secure IT Environment in Your Company

Experts predict that by 2026, up to 10% of companies will adopt a zero-trust model, which assumes that all digital devices, technologies, and systems, both inside and outside the organization, are inherently untrusted (or unauthorized). However, this is just one of many components in a secure and centrally managed IT system.

Other steps to reduce the prevalence of Shadow IT include:

  • Continuous Monitoring: This allows for the timely identification of Shadow IT (devices, systems, and applications) within the organization.
  • Open-Door IT Policy: Develop and implement an IT policy that encourages management to be open to new ideas, suggestions, and projects.
  • Employee Awareness: Educate teams so that employees are aware of all potential risks.
  • Ongoing Training: Regularly train employees on secure work practices that align with industry standards and corporate requirements.
  • User-Friendly Environments: Create productive and convenient user environments, providing easy access to necessary resources and tools for effective work.
  • Account Management Optimization: Implement Single Sign-On (SSO) for streamlined account management.

Colobridge’s Expert:

“We recognize the issue of Shadow IT and offer our corporate clients cloud solutions that can help combat it. At the same time, we understand that this challenge requires not only technical measures but also significant changes in corporate culture and business processes. Our role is to provide modern cloud solutions and the necessary expertise (IT consulting for businesses, administration, and migration support).”

Learn more about how Colobridge’s cloud and infrastructure solutions can help create a secure and productive environment for your IT workloads and how to enhance data security within your company.
