We’ve all been there: the company’s system is once again moving at a glacial pace and a project needs to be completed urgently. Unfortunately, deadlines don’t wait for IT tickets, so you download a quick app that a colleague has recommended or send the file from your personal account just to keep things moving, says Terry Storrar, managing director of the cloud services firm Leaseweb UK.
This is what is commonly referred to as shadow IT. Essentially, it is any technology, software, app or service that is used by employees without the knowledge or prior vetting of a company’s IT department.
While it is not a new problem, reliance on shadow IT has been accelerating within many organisations. Today, the use of shadow IT goes far beyond employees using personal devices for work purposes. The widespread availability of cloud applications and AI tools, together with the increase in remote work, has pushed shadow IT use to record and highly concerning levels. A recent security report from UpGuard has revealed that a staggering eight out of ten employees globally regularly use unauthorised AI tools at work.
Dangers
For most organisations, shadow IT poses a significant problem because their security depends on always knowing and controlling every tool that interacts with, or has access to, their internal networks and data.
The biggest issue with shadow IT lies in the expanded attack surface it creates. Every application, subscription or personal device used without prior vetting by IT increases the likelihood of data exposure, regulatory breaches and operational disruption. If the IT department does not have visibility into every device accessing company networks, it loses the ability to assess risk, enforce compliance and respond to incidents quickly and efficiently.
As a result, it should come as no surprise that many organisations are trying to tighten their controls to get a grip on unsanctioned technology use. Many businesses are even trying to eliminate the use of shadow IT altogether. However, this is easier said than done. Despite increased efforts to get shadow IT use under control, employees continue to use unauthorised tools. In fact, recent research has found that 67 per cent of employees in Fortune 1000 companies are using unapproved SaaS applications, and 71 per cent of employees in the UK have admitted to using unofficial consumer AI apps for work purposes.
The trend towards shadow IT is largely driven by a shift in how businesses operate. Remote and hybrid work in particular, combined with the rise in popularity of easily accessible SaaS platforms, means employees have more options at their fingertips than ever before. Additionally, the entry barrier is dangerously low. Often it takes only a corporate email address and a credit card, and before anyone notices, shadow IT has been unintentionally introduced into the company environment.
Convenience is what makes these tools so dangerous. They operate outside standard procurement processes, which makes security review, monitoring and control incredibly hard and creates blind spots in risk management.
Taking back control
For security teams, the main challenge to addressing shadow IT use remains detection and response. How can we detect and regain visibility over devices, applications and services that are already embedded across company environments?
The first step lies in recognising that employees rarely act maliciously and that most shadow IT is introduced as a result of productivity pressures rather than any wish to harm the company. Often, employees are simply looking for ways to work faster and more collaboratively. This is why a blanket “block and restrict” approach from IT departments may be counterproductive. Not only does it hardly ever address the root cause of the problem, it ultimately leads to more circumvention by employees.
Instead, security teams should position themselves as enablers of secure innovation. That means, rather than shutting down every new tool, IT teams should provide vetted, secure alternatives that meet the same functional needs as the tools employees are already using. When IT departments become a facilitator rather than a roadblock, adoption of approved solutions increases naturally, and the incentive to turn to shadow IT disappears.
At the same time, employees must understand that there is a reason IT teams ask questions, and that visibility is key. It is crucial that IT departments know exactly which applications are in use, what data is exchanged between them, and where and how sensitive data is stored and processed. Employees need to view early engagement with IT and security teams as a safeguard rather than an obstacle. After all, early vetting of tools not only ensures compliance with regulatory requirements, contractual obligations and internal policies, but ultimately reduces the risk of larger security incidents further down the line.
The bottom line
There won’t be a universal solution that eliminates shadow IT use across all organisations. The right approach often depends on a business’s individual risk tolerance, regulatory environments, industry pressures and digital maturity levels. Therefore, any effective strategy must be tailored to an organisation’s individual needs, integrating visibility, governance and enablement.
When trust, oversight and flexibility are combined in one cohesive security model, organisations can significantly reduce both their reliance on shadow IT and the risk that comes with unmanaged technology. When employees no longer feel the need to use unauthorised technology, security teams can regain confidence that the company’s data is kept safe rather than floating through unmonitored platforms and personal devices.
Ultimately, managing shadow IT shouldn’t be a roadblock for innovation. Security should be embedded into technology adoption from the outset, ensuring that productivity gains do not come at the expense of resilience, compliance and long-term risk management.