What is Shadow IT?

By Allen Bernard, Business Technology Journalist

The problem of unknown and unapproved applications running in your organization will only get worse if you don’t know what to look for or how to stop it.

In its most basic form, the term “Shadow IT” describes the procurement and use of hardware, software, or service technologies such as telecom connectivity, without the knowledge or approval of an organization’s IT department.

While this is a common, everyday occurrence at companies large and small, it is a huge, costly problem for IT and the finance department. In large enterprises, Shadow IT accounts for 30% to 40% of total technology spending; 83% of employees store company data on unsanctioned cloud services; and, according to Gartner, 33% of cyber attacks will target Shadow IT in 2021. And the problem has only gotten worse since the COVID-19 pandemic began in early 2020 because of the number of people working remotely.

There are two main drivers of Shadow IT: busy IT departments that are spread too thin to deliver the services and applications their organizations need to stay competitive, and easy access to cloud-based applications that can be purchased with a credit card. 80% of workers admit they bypass IT and use unsanctioned cloud services.

Even though the impulse behind Shadow IT may be noble – managers and line of business leaders doing what they can to help their teams meet their goals – the fallout in terms of cyber security incidents, compliance lapses, the accounting and financial impact on IT specifically, as well as the organization at large, can be quite costly.

Shadow IT makes it impossible to understand where technology expenses should be allocated (which has a major impact on yearly budgeting), who is spending the money (and why), what is being purchased, and the business benefit (if any) all of that spending provides.

If the spending bypasses IT and is charged against departmental P&Ls, for example, those departments may end up overpaying for technologies and connectivity services they could have procured through existing IT contracts with pre-approved vendors.

If the spending is wrongly allocated to IT, then IT’s budget is negatively impacted and IT gets the blame for overspending. This can lead to animosity (and a lot of finger-pointing) between the business and IT over who should be responsible for the organization’s overall technology spend.

Correctly coding and allocating the expense to IT or the proper department provides visibility into the true, all-in cost of technology, allowing for more strategic budgeting.

In one recent engagement, for example, One Source uncovered that a client was still paying for 25% more locations than it realized were active, adding dramatically to its yearly wireline connectivity costs. Because IT was unaware of the spending, it went unchecked as these locations were shut down in favor of new ones.

Cyber security gaps

The lack of IT oversight caused by Shadow IT leads to glaring security holes in an organization’s defenses. A misconfigured SaaS app can expose company data on the internet, free to anyone who knows where to look. In other instances, the service provider itself is not secure – particularly if it is a newer player in the market.

What most users don’t realize when they engage with a cloud provider is they are also engaging with all of that provider’s employees, its third-party network of suppliers, vendors, customers, and partners. This expands the attack surface exponentially as hackers routinely use third parties to conveniently infiltrate the network of their primary target, i.e., your organization.

Compliance with industry and government regulations can also be put at risk. This is particularly true for companies doing business in healthcare, the State of California, or the European Union – all of which have stringent privacy regulations around personally identifiable information and levy hefty fines on violators. Not knowing that you are in violation of these regulations will not save your organization from penalties.

How to keep Shadow IT under control

There are three main ways to control Shadow IT. It starts with conducting a thorough audit of the software and services your organization uses. This can be done using automated discovery tools, but you should also talk to your employees directly. Ask them what software and services they are using and make it clear they will not be disciplined if some of those are unapproved by IT. You can also follow breadcrumbs left by helpdesk tickets. They will tell you with a great degree of accuracy what software and services are in use.

Once you get a handle on the degree of Shadow IT in your organization, you need to figure out if you want to keep it and, if so, who should pay for it. Transferring all technology-related expenses to IT ensures IT will regain control of data flows and compliance, but it will inflate IT’s budget and increase their workload.

Lastly, you need to create controls and policies, such as no software or services can be purchased without IT’s approval, and be ready to enforce them. Well-intentioned policies that are either too arduous for employees to follow or too hard to police will be ignored.
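As an added example of the audit step (not One Source's code or tooling), the script below correlates two discovery sources the article names, expense-ledger entries and helpdesk tickets, against an approved-vendor list. All vendor domains, departments, amounts and ticket texts are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data: hypothetical vendor domains, departments and amounts.
APPROVED_VENDORS = {"acme-crm.example", "corp-mail.example"}

# (department charged, vendor domain, monthly spend in USD, coded to IT's budget?)
EXPENSE_LEDGER = [
    ("Sales", "acme-crm.example", 1200.0, True),
    ("Sales", "quickshare.example", 240.0, False),
    ("Marketing", "designcloud.example", 480.0, False),
    ("Finance", "quickshare.example", 120.0, True),
]

# Constructed helpdesk ticket subjects: the "breadcrumbs" the article mentions.
HELPDESK_TICKETS = [
    "Can't log into quickshare.example from the VPN",
    "Need SSO for designcloud.example, stuck in a password reset loop",
    "Printer on 3rd floor jammed again",
]

DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def new_entry():
    return {"spend": 0.0, "departments": set(), "miscoded_to_it": False, "tickets": 0}


def shadow_it_report(ledger, tickets, approved):
    """Return {vendor: entry} for every vendor seen in spend or tickets that is
    not on the approved list. Spend is summed across departments, and a vendor
    is flagged when any of its charges was coded to IT's budget."""
    report = defaultdict(new_entry)
    for dept, vendor, amount, coded_to_it in ledger:
        if vendor in approved:
            continue
        entry = report[vendor]
        entry["spend"] += amount
        entry["departments"].add(dept)
        entry["miscoded_to_it"] = entry["miscoded_to_it"] or coded_to_it
    for text in tickets:
        # Count each ticket once per distinct unapproved domain it names.
        for domain in {m.lower() for m in DOMAIN_RE.findall(text)}:
            if domain not in approved:
                report[domain]["tickets"] += 1
    return dict(report)


if __name__ == "__main__":
    for vendor, e in sorted(shadow_it_report(EXPENSE_LEDGER, HELPDESK_TICKETS, APPROVED_VENDORS).items()):
        print(f"{vendor}: ${e['spend']:.2f}/month across {sorted(e['departments'])}, "
              f"{e['tickets']} ticket(s), miscoded to IT: {e['miscoded_to_it']}")
```

The output gives finance the per-department figures it needs to recode the expense, and gives IT a list of services to review for the approve-or-retire decision described above.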

At One Source we’ve helped hundreds of clients get a handle on Shadow IT. We can do the same for you. We merge technology, industry knowledge, and a dedicated team of skilled professionals to give our clients the hands-on attention they need. We manage everything for you so you can focus on your business, not technology.

Want to learn more about the impact Shadow IT has on your organization?

Download our eBook to learn why digital transformation is leading to greater IT financial accountability and how you can mitigate Shadow IT.
