What is Shadow IT and How to Address It

6 Min read

Within large IT infrastructures with so many interconnected devices it is hard to keep a close watch on all the possible security issues. Taking in consideration the increasing Bring-Your-Own-Device (BYOD) trend adopted by many organisations it is getting even harder to keep a completely safe IT perimeter. Modern workers are used to reach for tools or even build their own ones to make their life at work easier. It happens all the time, often slips under the IT department radar and it carries a rather notorious name – “shadow IT”.

Reduce your AWS costs by over 50%

Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.

Reduce your AWS costs 
by over 50%

Image Source

To be more precise, shadow IT refers to all IT projects and activities that are built and/or used inside an organisation but without organisational approval. Usually, Shadow IT grows out of pure necessity, as increasingly tech-savvy employees come up with their own solutions to specific business related problems.

Not long ago, IT departments had full control over all technology decisions but things have changed as new technologies are created and deployed extremely fast and different business units tend to adopt them even faster. Also, with the BYOD phenomenon in place where employees make their own choices about mobile hardware and software they are using for work, and with all the cloud computing, SaaS and PaaS applications around it’s practically impossible for IT departments to keep tabs on all these newly risen threat highways.

All too often, we hear of in-house IT personnel being completely in the dark about what’s happening with technology in their own organizations.

Cloud Propelled Shadow IT

At the very beginning when the term shadow IT was forged, it mainly comprised unapproved Excel macros and software bundles employees bought at the local supply store. Since then it has grown substantially, with Gartner having predicted shadow IT management would account for 35% of total IT expenditures in 2016.

The rapid growth is pushed by the increasing quality of consumer cloud-based applications such as file sharing apps, social media and collaboration tools, but it’s also driven by businesses deploying enterprise level SaaS apps. Although it may sound counterintuitive at first, it is now clear that Shadow IT can help businesses become competitive and employees more efficient.

Image Source

Tweet this: Shadow IT accounts for more than 35% of total IT expenditures

What happens now is that while IT departments are no longer in charge for the infrastructure they are still responsible for ensuring security and compliance for the data employees upload to corporate cloud services. It means IT often has to say “no” to employees using various cloud apps for their jobs, or even block access to certain cloud apps through the company’s firewall.

But then again for every blocked app it’s easy for any tech literate employee to find a new, potentially riskier service as a replacement.

The Risks of Shadow IT

All it takes today is a credit card and a browser to purchase a low cost licence and have a new application up and running in virtually no time. After that, importing corporate data and integrating other corporate services can easily be achieved without IT even being aware of it. It’s clear at this point that imposing restrictions and preventing access to tools on corporate desktops is a pointless exercise on the long run as the pressure on employees to be productive is far greater than any concern over data security and corporate compliance. According to ComputerWeekly.com there are 4 key risk areas to consider with shadow IT:

  1. Software Asset Management (SAM) Compliance: Even with decent processes for handling acquirement of software licences in place, SAM by itself comes as a great challenge for IT departments. Using apps procured outside these processes makes SAM impossible which ends up exposing the company to substantial risks. When detected, unapproved software can result in a mandatory audit of the whole infrastructure as well of the associated financial plans necessary for compliance. Ultimately, an unlicensed or unapproved software can result in harsh sanctions for the CIO such as huge fines and/or jail time.
  2. Absence of Testing and Change Control: With all new devices and applications that enter the corporate IT infrastructure, the IT department has to check and set “change and release” processes for each piece to avoid security and performance issues. All of it is impossible with shadow IT as these processes get simply bypassed. One of the main drivers of using SaaS is that customers are always up-to-date and using the latest version. However, these upgrades can often result in system issues or even failures. The processes of handling changes, testing and releasing of corporate software is quite demanding by itself, with shadow IT adding another third-party related layer of complexity to it.
  3. Governance and Industry Standards: Companies invest lots of efforts and resources to ensure compliance with government and industry imposed regulations. They adopt ISO/IEC 20000 standards or similar to demonstrate a level of quality to customers. All those efforts get wasted if official documentation doesn’t reflect actual facts.
  4. Configuration Management: Defining relationships between systems and populating a configuration management database (CMDB) may take IT groups months or even years to complete. If then employees go outside official channels and procedures, key services may end up not being supported because of IT not being aware of them.

Image Source

Tweet this: Pressure on employees to be productive is greater than security and compliance concerns

How to Address Shadow IT

If you can’t beat them, join them. With all the risks and downsides of shadow IT, a company’s natural instinct would probably be to try and clamp down on it as it’s probably seen as a threat to their business. But rather than fight it, it has proven to be much more efficient for  IT decision-makers to admit their shortcomings and learn how to address the causes why Shadow IT  shows up in the first place. Instead of seeing Shadow IT as a threat, it can easily be treated as an opportunity to leverage employees to find the applications they like and want to use so then IT departments can enable and implement company-wide those services that have gained traction and are enterprise friendly.

Image Source

Tweet this: SHADOW IT: If you can’t beat them, join them!

According to Ralph Loura, former CIO at HP

We embraced the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.

Promoting low risk shadow IT services that have reached a tipping point in employee usage starts with understanding what cloud services employees use, how they use them and the services associated risk.

As said earlier, IT departments no longer pull all the strings when it comes to servers, devices or applications being used inside an organisation environment. The upside is there are now plenty of ways to change how IT departments actually operate, so they can better meet business needs. Understanding and embracing the origins of shadow IT within a company might reduce or possibly even eliminate shadow IT altogether.


When IT departments analyze the use of cloud services across the organisation’s infrastructure, they often find Shadow IT is much more present (up to 10 times and more) than initially expected. Consider that today there are over 1,083 different cloud services being used by companies. It’s why it is no surprise that often IT departments discover services they have never even heard of before that are being used by employees. Also, the average company uses up to 57 different file sharing and other online services. Using such a large number of different services can obstruct collaboration between employees and departments. It’s why implementing a standardization on enterprise licenses for 2-3 services greatly improves collaboration and also reduces cost.

After auditing the risk of each service and its security implications, IT teams can then make informed choices about which services are most suited to be promoted or enabled to boost internal business processes. Stomping down on shadow IT can result in slower adoption of innovation and employee dissatisfaction which can hurt the organisation on the long run. While on the other hand, addressing it too loosely opens up unnecessary security and legal issues. To sum up, the key to success when dealing with shadow IT is to find the right balance between corporate needs, security standards and employee desires.

If you need help addressing shadow IT feel free to contact our experts at GlobalDots and resolve all your security and performance concerns.

Latest Articles

Cut Big Data Costs by 23%: 7 Key Practices

In this webinar, we reveal a solution that cuts big data costs by 23% and enhances system efficiency - without changing a single line of code. We’ll also explore 7 key practices that will free your engineers to process and analyze data at the pace and scale they need - and ensure they never lose control of the process.

Developer AXE-WEB
15th April, 2024
Project FOCUS: A New Age of FinOps Visibility

It’s easy for managers and team leaders to get caught up in the cultural scrum of FinOps. Hobbling many FinOps projects, however, is a lack of on-the-ground support for the DevOps teams that are having to drive this widespread change – this is how all too many FinOps projects become abandoned on the meeting room […]

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
27th March, 2024
Optimize Your Cloud Spend with a FinOps Maturity Assessment

Achieving FinOps is a tall order: it demands a degree of organizational self-awareness that some companies are constantly battling for. Consider the predicament that many teams find themselves in: while their cloud environments may contain a number of small things that could be optimized, there are no single glaring mistakes that are consuming massive quantities […]

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
27th March, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential