Why you should care about Shadow IT

Shadow IT isn’t new; it’s as old as IT itself. It’s what happens when frustrated users bypass official channels and deploy their own technology to help them get things done. In the process, they often store critical business data beyond the reach of IT departments.

The rise of the cloud has fuelled the growth of Shadow IT, making it easy for any user or business unit to tap into cloud services and create data silos that lie outside the IT department’s domain. Here are some of the key issues:

Security and privacy

Data security laws are tightening around the world, often compelling businesses to report data breaches that involve personal customer data. These laws often turn Shadow IT into a regulatory compliance issue, making it critical that data is stored in systems that are known to be secure and that support legal obligations for data protection.

IT departments that ignore this face serious repercussions. By 2020, a third of successful attacks experienced by enterprises will be on their Shadow IT resources, according to Gartner.


Cloud services might seem inexpensive, but their costs can quickly add up in circumstances where different departments within a company are acting independently of each other and acquiring parallel capabilities. Many cloud providers – particularly those offering cloud storage or back-end systems – completely bypass the IT department when selling their services.

If every department or business unit is purchasing the same service separately, it can work out significantly more expensive than a whole-of-business arrangement where the IT department is likely to have much more bargaining power. There is also the risk of individuals or small groups using consumer-grade tools that, while cost-effective, might lack enterprise-grade security and service-level agreements.

Data silos and information hoarding

One of the key causes of business units within a company resorting to Shadow IT is that their IT departments aren’t delivering the services and products they need to operate. This results in the procurement of tools that, while suitable for some specific needs, don’t integrate or share data with other parts of the business.

The use of Shadow IT can result in data duplication, which in turn can lead to version control issues and other challenges that impact on business efficiency and productivity.

Backups and recovery

A critical element of business continuity planning is ensuring that data is not only backed up but that it can be quickly and easily recovered.

Many Shadow IT systems deal with an immediate need. However, they don’t allow for backup and recovery within a time frame that limits impacts on the business and allows for service-level agreements with customers to be met.

Shadow IT systems sometimes end up underpinning important business functions, so it’s critical to ensure that the various business units fully understand the risks of using such measures. Business units must work with the IT department to ensure that critical data is backed up and that the recovery process integrates with business-continuity and disaster-recovery plans.

What can IT do?

Business units typically only resort to Shadow IT and procure their own solutions when the systems and services offered by the central technology function don’t meet their needs.

In order to weed out Shadow IT, CIOs and IT managers must take a proactive approach and ensure that the business has access to the tools and services it requires. This might mean having a dedicated ‘account management’ function in your department that spends time with business units, getting to know their problems and coming up with solutions that meet their needs as well as the business’ governance and operational obligations.

Most importantly, tackling Shadow IT means listening to users’ requirements and promptly acting on them so that individuals within the business don’t feel pushed into finding their own solutions.
