Shadow IT: What is it - and why is it dangerous?

If employees work with devices and programmes that are not authorised or maintained by the company IT, the use of such shadow IT can have consequences that threaten the existence of the employer. 

October is "European Cybersecurity Month" (#CyberSecMonth for short) throughout the EU and is also accompanied by educational and training offers at ERGO. Reason enough for //next, after the interview with cyber expert Maximilian Lipa and a warning about the most used (and too simple!) passwords in 2021, to now deal with the phenomenon of "shadow IT" and its dark sides (i.e.: risks!). 

Recently, a major bank in the US was fined $200 million by two regulators for allowing employees to process and transmit sensitive company and customer data via private devices and (messenger) apps: a highly reckless practice that was widespread even in the compliance department. Besides the fact that sensitive company data cannot be adequately protected on private devices, such practices also fail to comply with legal retention requirements.

What are the motives to use shadow IT?

The case from the USA illustrates once again how ubiquitous and widespread our personal gadgets and usage habits already are - and how much the line between work and leisure is becoming increasingly blurred. 

Often employees resort to unauthorised hardware and software because they do more than the authorised options - or are simply more convenient. Whether it is due to stress and overwork, shyness about cumbersome procurement processes or budget constraints: for many employees it is tempting to simply resort to those devices and programmes that they use all the time in their private lives anyway, without thinking much about it. But this is highly dangerous for their company, and in several dimensions:

#Legality: The careless users of shadow IT may not even have the right to use the software or, in some cases, the hardware involved! Many applications require a licence to use, and there is also always the additional risk that users have bought a device that does not meet legal requirements. Black market tools and gadgets are available all over the world and may not be authentic products.

#Storage location: Please always consider where the data will go once you press <Submit>. Will it be stored in a country that might have an interest in this data? There are countries that actively seek to collect data and routinely review the data they have access to, to see if there is any among them that may serve their interests. Sensitive corporate data could fit well with these countries' goals!

#Access: Just as you may not know where your data is stored, you may not have an overview of who all might have access to your data. Would the person accessing it have an interest in that data? Could this information be of value to another company, so that the person accessing it could sell it to a third party?

#Malware: Because the software or hardware has not been properly assessed from an information security perspective, it is impossible to know if it has vulnerabilities that allow malicious code to be introduced. If there is a connection between the corporate network and the device, there is a possibility of malware getting into your corporate network!

#Updates: Patches to fix vulnerabilities in software or updates to software and hardware will not be applied to unsupported shadow IT. This means that vulnerabilities are not mitigated and therefore there is a possibility that the vulnerabilities will be exploited.

#Support: It is obvious that unapproved software or hardware cannot be supported, maintained or monitored by corporate IT. If something happens to the application and help is needed, it is not available. Just as a lack of patches can lead to the introduction of malware, a lack of support can also be a reason why security holes cannot be closed in time. 

#Interoperability: Before new tools and applications are added to the corporate network, they are checked to see how they work with other applications already on the network. If this is not done because shadow IT is used, it can cause serious disruptions to the network - up to and including the failure of critical elements of the infrastructure. 

Conclusion: Shadow IT is a serious threat

If you use unauthorised software or hardware, you bring serious risks to your organisation. So if you want to use additional tools or devices, please apply for them officially. Your IT team may not be able to accommodate your request for a particular product - but they will try to provide an alternative that meets your needs. Together you should ensure that there is no shadow IT in your organisation.

Text: Jason Geiger