Shadow IT | What it is, why it matters, and how to fix it


New technology and applications are developed every day. Some of them may even make jobs easier. If you discover a program that improves your productivity, do you know the process for downloading a new app onto your work computer? Does a procedure exist? Does it matter?

If your internal or external IT team doesn't know when or what applications users download, you may have a shadow IT problem. Shadow IT is a term used to describe IT work performed "in the shadows" without the knowledge of the IT team.

While user intentions may be good, shadow IT can pose a significant risk to users and their organizations. If users are able to download and update applications on their own, cybercriminals can likely find a way in to disrupt your system.

WEBIT Services has served the greater Chicago area for over 25 years by helping clients build effective IT strategies and IT systems, all with a focus on education and partnership.

By reading this article, you will learn more about why shadow IT matters and how to prevent it.

What is shadow IT?

Shadow IT occurs when users take it upon themselves to correct IT issues, specifically downloading and updating applications, without the knowledge of their internal IT team or IT provider.

Typically, shadow IT is not malicious in intent. Instead, it's born out of users simply wanting to "get stuff done" and taking matters into their own hands. In that sense, shadow IT is a symptom of poor IT support, response, and procedural boundaries.

Sometimes, the IT team is slow to respond to requests, so users try to solve problems independently.

For example, a user may contact the IT support team if they need a new editing application for a project due at the end of the week. However, if it takes three days for the support team to respond, how can this user accomplish their goal? In situations like this, a user may download the app on their own because they can't afford to wait.

In other circumstances, users may be unaware of proper downloading procedures and policies, if any exist within the organization.

For instance, who do users speak to if they want to purchase a new app subscription? How does this purchase get approved? When and how is it added to the user's device?

Why does shadow IT matter?

Shadow IT poses several difficulties and risks to users and their organizations.


What applications are being used, and are they compatible?

Some applications will not communicate with each other. Others have built-in dependencies and need other programs or tools to function. If these applications are not properly matched and updated, they can cause significant slowdowns or failures.

For example, two users must share large files for a work project. To save time, these users each download file-share programs without consulting their IT support team.

Employee A downloads one file-share application, while Employee B downloads a different application.

Unfortunately, these file-share programs are incompatible. As a result, the file transfers take a long time only to fail repeatedly.

This could have been avoided if:

  • The organization had an approved file-share application, so all users had the same program.
  • The users had first contacted the IT support team for assistance.

Where is the application from?

Employees looking to save money may download a pirated or free version of the application. Unfortunately, applications from less-than-reputable sources may include disguised malware or open the door to other cyberattacks.

In addition, older, pirated versions of apps are unlikely to include security updates, leaving open vulnerabilities in your system. If a cybercriminal knows about a software vulnerability, they will exploit it.

As a rule, all applications must be downloaded from secure, reliable sources to reduce risk.

Shadow IT makes it impossible for leadership or the IT team to vet applications to ensure they are safe to download and use.

When was the application last updated?

Software developers will release a security patch if a new vulnerability is identified. Application updates may also improve the user experience with new features and abilities. As such, installing updates is a significant part of reducing risk.

Users who are involved in shadow IT may not track or apply updates. They may not be aware of updates or choose not to install them. Over time, this increases security risks and can lead to application incompatibility.

For instance, let's say that three employees all download the same editing software. Employee A has not updated the program once. Employee B updates when they remember, but not often. Employee C updates as soon as they hear about a new patch.

Over time, the patches profoundly change the functionality of the application. Now, Employee C can use the full scope of the application but cannot share or access files with Employees A and B because they are using older software versions.

When an organization partners with a quality internal IT team or IT provider, the IT team manages and applies software updates. This keeps everyone in the company on the same application version, reducing incompatibility issues and risks.

Who has permission to install applications?

In an ideal situation, the IT team will install and update applications at the request of users or the organization.

However, within a shadow IT situation, users may have full administrative authority within their devices. Administrative authority allows them to remove, download, or update applications at will.

Initially, this may seem like a great arrangement and display of trust. Users don't need to wait on IT or leadership to download new tools; they can do so with IT and leadership's full support and confidence.

Unfortunately, if a user has full access to their device and organization's network, cybercriminals can also gain access. If cybercriminals find their way onto that user's device or account, they can download files or upload malware to steal more data or launch cyberattacks.

To prevent shadow IT and unnecessary risk, organizations should enact appropriate permissions and processes for downloading applications. This means all employees—including the most trustworthy—must not have administrative authority on their devices.

Enacting processes and permissions is not about how much leadership does or does not trust employees. Instead, it's about building a secure, controlled environment to reduce risk.

Next steps to reducing shadow IT

If users are creating shadow IT, they are increasing risk within your organization. Shadow IT occurs when users begin making changes to their devices—particularly downloading applications—without the knowledge of leadership and their IT team.

Unnecessary risk is introduced when applications, updates, and processes are not approved or tracked.

In addition, the presence of shadow IT can decrease customer trust and satisfaction. If organizations do not know what's occurring within their environment, how can their clients trust them? How do they know that their data is safe?

To prevent shadow IT within your organization, you should:

  • Have policies, procedures, and permissions for IT use and educate employees on these boundaries.
  • Have a list of approved applications for your organization.
  • Ensure employees know who to contact about adding new applications.
  • Work with an IT team that performs proper system maintenance and software updates.
  • Work with a responsive, quality internal IT team or external IT provider that quickly addresses user questions and needs.
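The approved-application list, the update tracking, and the administrative-permission check described in this article can be turned into a routine audit. The following is an added example, not part of the original article or any WEBIT Services tooling; the inventory format and the app, device, and user names are constructed assumptions standing in for an export from whatever endpoint-management tool the IT team uses.

```python
import re

# Constructed sample data (hypothetical app and device names, not from the article).
APPROVED = {"ExampleShare": (4, 2, 0), "ExampleEdit": (11, 0, 3)}  # app -> minimum version
INVENTORY = [
    {"device": "LT-001", "user": "employee_a", "local_admin": True,
     "apps": {"ExampleEdit": "9.1.0", "ExampleShare": "4.2.0"}},
    {"device": "LT-002", "user": "employee_b", "local_admin": False,
     "apps": {"ExampleEdit": "10.4.2", "OtherShare": "2.0.1"}},
    {"device": "LT-003", "user": "employee_c", "local_admin": False,
     "apps": {"ExampleEdit": "11.0.3", "ExampleShare": "4.3.1"}},
]

def parse_version(text):
    """'11.0.3' -> (11, 0, 3); compares numerically, so 10.x sorts after 9.x."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    parts = [int(p) for p in match.group().split(".")] if match else []
    return tuple(parts + [0] * (3 - len(parts)))  # pad '4.2'; unparseable -> (0, 0, 0)

def audit(inventory, approved):
    """Return (device, finding, detail) for admin rights, unapproved and outdated apps."""
    findings = []
    for row in inventory:
        if row["local_admin"]:
            findings.append((row["device"], "local-admin", row["user"]))
        for app, version in sorted(row["apps"].items()):
            if app not in approved:
                findings.append((row["device"], "unapproved", app))
            elif parse_version(version) < approved[app]:
                findings.append((row["device"], "outdated", f"{app} {version}"))
    return findings

def version_drift(inventory):
    """Apps installed at more than one version across the fleet, oldest first."""
    seen = {}
    for row in inventory:
        for app, version in row["apps"].items():
            seen.setdefault(app, set()).add(version)
    return {app: sorted(v, key=parse_version) for app, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for finding in audit(INVENTORY, APPROVED):
        print(*finding, sep="\t")
    print(version_drift(INVENTORY))
```

Versions are compared as number tuples rather than strings, because a plain string comparison would rank "9.1.0" above "10.4.2" and hide an outdated install.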

If your users experience productivity-affecting delays when working with your internal or external IT team, this may be a service red flag. Speak to your IT team to re-establish service expectations and discuss the possible factors driving service delays.

If your IT provider's response times do not improve, it may be time to consider looking for a new IT provider.

For over 25 years, WEBIT Services has helped hundreds of clients develop and execute IT strategies to help their businesses.

Schedule a free 30-minute consultation to see if WEBIT Services can help.
