Cyber Security for Leaders: Shadow IT

breach, culture, data, malware, policies, shadow IT

What is “Shadow IT”?

If you’re picturing a nefarious-looking individual skulking in the shadows, you’ve seen Shadow IT through the eyes of a cyber security professional. That isn’t what Shadow IT is.


So what is it?

Shadow IT is a catch-all term for an employee “going rogue” and procuring and using hardware, software, or a cloud service (free or paid) without the knowledge or approval of the IT group.

This can be as seemingly innocent as buying a copy of a favorite PDF editor or subscribing to a cloud storage service like Dropbox. After all, everyone is busy, and the employee believes the tool will make them more productive.

Why does Shadow IT happen? It usually starts with an unhealthy relationship between the business and the IT group (either in-house or outsourced).

Whoa! Back up! Our IT group is full of wizards! Everyone loves them!

Consider yourself lucky. The relationship between IT and the business is generally fraught with friction, no-fly zones, and that one employee who always seems to have problems. Your team may love IT, but that doesn’t mean you have no Shadow IT in your organization.

Let’s get back to the why of it all. Simply put, it’s about resources and priorities. All businesses have limitations on their resources. There’s never enough budget. Never enough time in a day.


Do you see it now?

When someone in the business has a need, real or perceived, they typically approach IT with the request and an expectation that what they have asked for will be delivered.

Except in many cases, it won’t be delivered.

Budgets constrain the ability to purchase solutions. Skilled people are expensive to hire and slow to scale to meet demand.

IT doesn’t see the need or value, and the request looks benign, so it is closed as “No Business Justification”. The employee doesn’t bother escalating the need to their manager; “They won’t see the need or value either,” the employee thinks.

Everyone carries on with their lives. Except the person who made the request. They’re not feeling their need was met. Do you smell that? That burning smell is the friction that just occurred between an employee and the IT group.

The saying goes, “Where there’s smoke, there’s fire.”

The employee goes out and obtains what they needed, using a corporate credit card or even personal funds. They have met their own need, “in the shadows”, and the organization has now entered a dangerous place.


What could go wrong?

What’s so bad about this, you might ask? There’s a litany of potential issues arising from this seemingly innocuous acquisition. Let’s look at a few areas where it could become a problem.

Malware
Where did this person find the software they acquired? Was it a “free” version downloaded from a site nobody vetted? Installers from untrusted sources are a common way for malware to arrive, and nobody in IT checked this one. Will this be how your organization ends up with ransomware?

Licensing and Contracts
What is the license on the software? Did they buy a “personal” version and use it at work in violation of the license agreement? Or did they use their corporate credit card and bind the company to Terms of Service that the legal team would never have agreed to?

Data Breach
Cloud services can be extremely useful for sharing data between people, places, and organizations. But are there appropriate measures in place to protect that data from being leaked in a breach or through an accidental misconfiguration, such as a share set to “anyone with the link” or an account with no multi-factor authentication? After all, the service was set up by someone who may not know how to secure it, because it just works for what they need. None of the organization’s existing controls, such as access reviews, logging, or backups, cover it.

Support and Continuity
How can IT support this? They didn’t procure it or deploy it, and they don’t know anything about it. The account is typically tied to the employee’s own login and payment card. If that employee leaves the company, IT may be unable to recover access, and all of their work product could be lost.

I’m certain you’re now wondering; how do we fix this? We can’t have Shadow IT. This isn’t acceptable.


What can we do?

There’s no single solution to this challenge. What works for your organization may not work at another.

Here are a few ways to reduce the likelihood of Shadow IT in your business.

Eliminate the Department of “No”

IT has a well-earned reputation as the “Department of No”. How can you build and foster a trusting, collaborative relationship between business-focused staff and the technical teams?

First, help IT staff understand that any challenge that an employee is facing is one that is worth solving.

Next, help non-technical employees describe the challenge that needs solving, rather than a specific product, and let the technical staff propose the software, hardware, or service that solves it.

Both IT and the employee then have buy-in on the solution, and by focusing on the challenge instead of a specific product, the best-fit solution for the company can be found.

At this point, IT has a solution, and the business can decide how to prioritize the resources necessary. In many cases this wastes far fewer resources than trying to accommodate a plan developed without any consideration for the organization’s IT structure.

Develop Strong Security Policies

Clearly written, strongly worded policies that are enforced can be an effective tool in reducing Shadow IT.

By stating what is and is not permitted in concise and understandable terms, your staff will better understand what is expected of them and what is not acceptable.

Many organizations struggle with effective security policies. Why? They’re often written by IT for non-technical staff and fail to consider business objectives. (Are you seeing the common thread here?) IT and the business need to be on the same page, on the same level, or at the same table. You pick the sentiment that works for your company.

Build a Strong Cyber Security Culture

One of the most difficult challenges an organization will face is changing its culture.

Culture changes must start at the top. The senior leadership of an organization must embrace cyber security and practice strong cyber hygiene habits.

By showing employees that cyber security is important and by promoting good cyber hygiene, you can fundamentally alter the discussions in your organization.

Elevate your business by developing a culture that adds a single word to its vocabulary.


It really is that simple. Look at the difference between these two conversation starters.

“How can we do this?”

Let’s use this newly expanded vocabulary.

“How can we do this securely?”

Now the conversation has been fundamentally altered, but the focus is still on the need.


These changes may not stop Shadow IT, but they will go a long way toward reducing it. Shadow IT poses one of the greatest risks to a business because it bypasses all the cyber security controls your organization has painstakingly built to keep your assets safe and secure.

Let us help you address the Shadow IT risk to your business. Call us now!
