If you’re in any way responsible for the IT requirements of a business, you’ll likely have heard of shadow IT. It’s a nickname for a phenomenon that can challenge companies of any size and is a cousin of app sprawl(new window). Except, where app sprawl sees companies using too many apps, shadow IT sees workers taking app management into their own hands.
This article will help you understand what shadow IT is, how to recognize it, and what you can do to limit any threats it could pose to your business.
What is shadow IT?
Shadow IT refers to apps employees install and services they sign up for on their work devices, and the non-work devices they log in from without permission from their IT team. It’s basically anything that a worker might use to work or handle business data that your IT team hasn’t installed or configured for work purposes.
In recent years, shadow IT has become more pervasive. It reached new levels during the pandemic, when we were forced home and personal and business boundaries were blurred. Workers became used to managing their own days from home, and they found new ways of working that made sense for them.
Software as a service (SaaS) products are also plentiful, incredibly easy to download and use, and might be able to support workers in business areas they’re frustrated with. The problem with this is that it creates vulnerabilities and a lack of oversight. Shadow IT is a phenomenon that IT teams have been dealing with for a long time, and it’s unlikely to go away. It appears in businesses of every size in every industry.
Workers turn to shadow IT when they’re frustrated with the tools they’re using and look for other solutions. If the software they’re using is inefficient or doesn’t support their needs, many employees will try to solve the issue themselves. It might not seem like it, but this can be a good thing: It’s a sign your employees want to do a good job and are trying to adapt their work tools accordingly.
However, every time a new app or service is introduced into your work environment, it can complicate work processes and create new cybersecurity risks(new window). Together, IT teams and security teams are responsible for access and identity management and your business’s overall cybersecurity, but unsanctioned apps and services take this control out of their hands.
Shadow IT examples
Shadow IT appears in every department and can take many different forms. Let’s consider some of the most common examples of shadow IT.
Messaging tools and email
Instant messaging is perfect for making quick decisions and sharing information, allowing workers to communicate easily with each other outside the formality of email. No matter what size your business is, you use some form of instant messaging.
However, if you don’t use instant messaging or the service you’re using isn’t user-friendly, workers might use external services. Apps like WhatsApp are popular because they’re simple and can be used for free — but they’re not suitable for work(new window). Archiving and saving records aren’t always supported, and they may not be suitable to trust with sensitive information for legal purposes.
Another popular example is workers sending emails interchangeably from their work and personal accounts. If you see a link being shared from someone’s personal email address or receive a work message on a platform you don’t use for work purposes, that’s shadow IT popping up. The risk created by sharing business information outside managed apps can be huge. Even just logging into your personal email address on your work device could lead to a data breach(new window).
Password managers
In both their professional and their personal lives, more and more people(new window) use password managers. They’re an effective tool for protecting private data and allowing your workers to easily log in to the tools they use every day.
A password manager is a point of entry for a lot of sensitive information, which can include financial and personal data. That makes it critical for your IT and security teams to have total oversight over it. Whether it’s a shared password vault full of company accounts or a personal account, your password manager is full of tempting information for hackers.
If workers store login information for work accounts in password managers that haven’t been vetted by and aren’t managed by their IT team, this creates vulnerabilities. Not only are a worker’s personal logins and passwords potentially accessible to hackers, but their work logins and passwords will be too. Many password managers have been affected by hacks in recent years, which makes finding a single effective solution for every worker essential.
Drive
All workers are responsible for sharing and storing many forms of data using cloud storage. This could be legal data, financial data, or personal data. A business runs smoothly when all workers can access the information they need and share it safely — but shadow IT can make this a challenge.
Shadow IT might creep in if workers store documents or forward them to external clients using their personal drives. Dropbox is a popular drive solution for personal and professional purposes. If your workers use their personal drives for work purposes, then data silos are built, preventing information from flowing freely and safely through your business.
Not only does your data become insecure if it’s stored in multiple personal drives, it also becomes unregulated. Your security team can’t protect data they’re not managing or aware of.
Understanding shadow IT risks
As we’ve outlined above, shadow IT creates vulnerabilities, including data breaches and data silos. Every day, workers make decisions about the tools they use that your IT and security teams need to know about.
When a worker ticks a checkbox or signs an agreement for a new app or SaaS product, they probably haven’t checked the terms of use or who can access the data. They won’t know if they’re in breach of the company’s IT policy or what kind of data risk they might have inadvertently created.
An app or service that the finance team isn’t aware of can’t be counted as a business cost. When employees operate outside the view of the finance team, IT spending and resourcing are no longer accurate, and your auditing will be affected.
Think of the apps and services your business uses as an ecosystem. An ecosystem has to be balanced, and it can be threatened by sudden changes and invaders. It’s also everybody’s job to maintain it, even if they’re not an expert. Without everyone’s buy-in, your business’s ecosystem will be at risk of collapse, which in this context could be a hack or breach.
So, protecting your business ecosystem presents a unique cybersecurity challenge. How do you approach and tackle a problem when you don’t know its extent?
How to limit the impact of shadow IT
Firstly, accept that shadow IT will never go away. No IT team will ever have full oversight of every app operating in their system again, and that’s okay. You can mitigate shadow IT’s risk with a dual-pronged approach of education and providing excellent tools for employees to stay safe with.
It’s crucial you educate your employees about your best practices, your IT policies, and overall cybersecurity. The conversation about workplace tools should also go two ways. You should educate your employees about the risks introduced by shadow IT and let them know you’re always open to feedback for better ways of working. Let them tell you about their needs, and help them configure their tools to be as effective and safe as possible.
Cybersecurity is everyone’s job, but you don’t have to be a tech expert to have good practices. Cybersecurity also doesn’t have to make your life harder — it can make your work easier if you have the right approach and the right tools. The tools you need to secure for safety purposes are password managers, document management tools, secure online storage, calendars, and email.
Once you’re having conversations about what workers need, you can begin building a better working environment for them. Having an environment that offers built-in security, simple and safe sharing, and plenty of tools for workers to easily navigate their day-to-day work lives is key.
Reducing shadow IT in your company
Many companies offer basic data management, communication, and scheduling tools, but not all business tools put the same emphasis on security. That’s why choosing the right provider is key.
Life is easier when the tools you use have security built in — Proton was founded by scientists who met at CERN as a privacy-first alternative to big tech’s data harvesting apps. End-to-end encryption is built into our services to minimize your data being collected. Your business’s information isn’t accessible to Proton, so in the unlikely event that Proton was affected by a data breach, your information wouldn’t be affected. All our apps are open source for anyone to check and are independently audited by third-party cybersecurity experts(new window).
The Proton environment includes a password manager, drive, calendar, VPN, and email. A Proton account gives workers the tools they need to use the internet safely, communicate securely, and maintain their privacy online. It also protects your business information from data breaches, helps you share logins and passwords safely, and lets you work collaboratively from the same source of truth.
With a Proton account, you can get access to:
- Proton Pass: An end-to-end encrypted password manager with effortless protection built in. It includes secure password generation, hide-my-email aliases, passkey support, a built-in 2FA authenticator, and built-in encrypted notes.
- Proton Drive: An encrypted drive storage with Docs included. Features a customizable vault, password protection for file-sharing links, and real-time collaboration.
- Proton Mail: The world’s largest secure, encrypted email. Includes single-click email provider switching, protection from spam and phishing, no ads or data harvesting, and enhanced tracking protection
- Proton Calendar: An encrypted calendar app that connects to your Proton Mail account. It includes privacy-first easy scheduling and end-to-end encrypted invitations.
- Proton VPN(new window): A secure, fast VPN service. It includes multi-platform support, ad blocking, up to 10 devices per user, and high-speed connections.
More than 50,000 businesses use Proton to stay safe online and mitigate the vulnerabilities caused by shadow IT. Offer your workers the best and easiest-to-use solutions for their work days.
