Shadow IT: How to Stop Your Employees From Going Rogue

Join the dark side! When employees run into limitations in corporate IT setups or clash with security guidelines, they may go outside approved channels to achieve their goal. The term shadow IT refers to the use of applications, services and devices that are not provided and approved by the IT department. The problem with these creative workarounds and unofficial solutions? They exist outside your managed IT environment, leaving admins unable to assess their safety, track risky behavior or enforce compliance standards. In this article, we are going to discuss the problems and root causes of shadow IT usage and explain what companies can do to protect themselves.

What Is Shadow IT?

Shadow IT describes the unapproved use of information technology in an organization, e.g. employees who install new software on their PC, upload files to private cloud storage or send work files to a colleague’s personal smartphone. Users generally employ these kinds of workarounds to address a missing functionality (“There is no official way to do this”) or complete an urgent task (“Doing it the official way takes too long”). Whether these limitations are real or perceived doesn’t matter, what’s important is that users feel like they face a barrier.

If the term shadow IT sounds spooky, that’s because the unsanctioned use of IT carries some major risks. Since these creative solutions are implemented without oversight or professional tech support, they can expose sensitive data, introduce new vulnerabilities and risk privacy & compliance violations. However, it’s important for companies to realize that responding to shadow IT with bans and punishments is not an effective solution. The recurring use of unauthorized apps and devices is typically a symptom of a larger problem: Your users seeing the approved IT environment as insufficient.

Examples of Shadow IT

Shadow IT takes many forms and can include desktop software, web apps, cloud services and even personal devices. The scope of shadow IT can range from a single individual looking for a quick-fix solution to an entire department installing an unapproved application so they don’t have to wait for the IT team.

Examples of tools, applications and devices that are often deployed as shadow IT:

  • Messaging services like Slack, Skype, Discord or WhatsApp

  • Collaboration suites like Google Docs, Notion or Zoho

  • Cloud storage platforms such as Dropbox, Box or iCloud

  • File sharing tools like WeTransfer or Megaupload

  • Project management tools like Trello or Asana

  • Storage devices like SD cards, USB flash drives or external hard drives

  • Personal mobile devices, including smartphones, tablets and notebooks

Reasons for Shadow IT

In general, the reason staff members turn to unauthorized solutions is because of some perceived barrier between them and the task they’re trying to accomplish. This can be due to a missing functionality, i.e. a capability your approved IT stack does not offer. Often, however, the driving force for employing a quick-fix solution is a combination of stress, frustration and less-than-ideal circumstances.

One common factor that contributes to shadow IT usage is time pressure. Say a coworker is visiting a business partner at their office, an urgent question comes up, but your colleague realizes the file with the answer is in a sensitive folder that blocks remote access. There are ways to solve this problem without breaking IT policy, for example by calling someone on their team, asking them to export the needed data into a new file and sharing that. In a rush, however, your coworker might skip these steps and simply ask their colleague to send the missing file to their phone.

Another reason that frequently leads to shadow IT are conflicts between different services. Imagine your entire office is using OneDrive to collaborate on files. Everyone is on the same page, everyone knows how it works. But then the design department starts a project with an outside agency. Instead of OneDrive, they use Google Docs. Switching back and forth between the two is getting annoying, so to speed up the workflow, your team starts uploading files to Google as well. And whoops, suddenly that data is outside your control.

Risks of Shadow IT

While insider threats and employee data theft describe the deliberate abuse of IT systems, employees who rely on shadow IT tend to do so with good intentions: they are trying to fix a problem and want to do so quickly, by themselves and without bothering anyone else. However, while shadow IT generally starts out innocent, it can still lead to massive issues for the organization.

The problems shadow IT creates in an enterprise context include:

  • Compatability chaos: When teams add new apps and services without central oversight, they often pick different tools for the same purpose. Each department ends up with their own preferred solution and collaboration becomes much more difficult.

  • Wasted time: Ironically, while shadow IT often takes the form of quick and dirty solutions, dozens of people creating their own unique workaround ends up taking longer than the one time effort it would take to come up with an official solution.

  • Stranded data: The problem with specific groups adopting their own methods of storage and file sharing is that other teams who could benefit from the data in question are either unaware it exists or have no idea where to find it. Instead of being actively used, company data ends up being siloed off in decentralized platforms.

  • Leaks & data loss: Even worse than data being abandoned in various cloud services is the threat of employees accidentally exposing sensitive data through these services or being caught in a data breach without even realizing it. Without IT oversight, there is simply no way to know what your staff is sharing on these platforms.

  • Security risks: Joining online services creates opportunities for credential theft and business email compromise. By installing new software on their PCs, employees introduce new vulnerabilities for hackers to exploit. Your tech staff can’t mitigate these risks if they don’t know about them. Even worse, your users may download malware directly if they fall victim to spoofed sites, typosquatting or malicious ads.

  • Compliance violations: IT regulations like HIPAA or the GDPR require companies to restrict and control access to sensitive data. Sharing information on unauthorized channels or personal devices can become a legal problem and lead to fines and other punishments.

How to Deal With Shadow IT Effectively

Given the many risks and downsides to shadow IT, it’s understandable that businesses are wondering how to get this problem under control. The main issue with shadow IT is that blocking or banning individual apps is only going to work as a short-term solution. Without addressing the root causes, your staff is simply going to switch to another workaround. But don’t worry: our guide is going to give you effective answers for how bring shadow IT back into the light.

1

Recognize Your Users’ Underlying Need

The kinds of workarounds your staff use can help you identify issues with the official tools and workflows you provide them. If people continously send each other Doodle links, for example, it can be a sign that you need to make scheduling meetings more convenient. For instance, you could make Outlook calendar data available so people can see when their coworkers are free or busy. If you ignore the reason why your users are looking for alternative solutions, people will continue to go the unapproved route no matter how many tools you block or ban.

2

Establish Realistic Guidelines

The truth about shadow IT is that some amount of rule-bending and unauthorized behavior is unavoidable and ultimately harmless. While some networks depend on maximum security, air-gapped devices and the total separation of personal and professional devices, most of us don’t work in top-secret government facilities. We work in normal offices where our coworkers sometimes send each other quick work-related updates on private messaging services.

That’s why businesses with realistic expectations are usually more successful in dealing with shadow IT: Instead of trying to eliminate every shortcut, it’s more productive to educate your users on where to draw the line between acceptable and unacceptable workarounds. Like jotting down to-dos from a meeting on your phone on the one hand vs. uploading enterprise files to personal cloud storage on the other.

3

Eliminate Barriers to Improve Compliance

It’s human nature to follow the path of least resistance, so if the correct way to solve a problem is complicated and time-consuming, your employees are always going to be tempted to work around the approved tools instead of with them. That’s why one of the best approaches you can take to stop your staff from turning to shadow IT is to make sure that the right way to do something is also the easy way to do something.

Depending on the circumstances, this may require you to introduce new tools to your IT setup to provide your team with options they were clearly craving. Or it might mean switching out software with poor usability for more intuitive solutions. Eliminating barriers can even take the form of delegating IT tasks to non-IT users. Outsourcing certain responsibilities – with the right technical setup, of course – can provide your departments with faster access to services they would otherwise have to call support for.

4

Empower Your Users With tenfold

If you want a convenient way to provide your users with quick and easy access to the IT services they are looking for, tenfold is the tool for you. Not only does our IAM solution allow you to automate user management and permission management, it also comes with a self-service platform that allows your employees to reset their own passwords, request access to new resources, or set out-of-office messages for their coworkers. You know, the kind of small pain points that drive users towards shadow IT.

The best part? All these requests can be approved directly by team leads or managers within the same department. No more waiting to hear back from IT, you can solve the problem immediately and without leaving your office. And from a security side, tenfold guarantees that all changes are properly documented for later review. This way, your tech staff still knows what’s going on.

If you’d like to learn more about tenfold, watch our video overview for a quick introduction to our most important features. For an even more detailed look, you can sign up for a free trial to experience our revolutionary IAM platform firsthand.

tenfold demo video

Protect Sensitive Data From Unauthorized Access

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.