
What is shadow IT and why is it a risk?

Shadow IT, software used by employees without IT approval, is bigger and more dangerous than most organisations realise. What it is, how it arises, and how to address it.

  • 1 October 2024
  • 5 min

Shadow IT is one of the biggest blind spots in enterprise software management. The term covers all technology (software, apps, cloud storage, communication tools) that employees use without explicit approval from IT or procurement. And it is growing faster than most organisations realise.

How does shadow IT arise?

Shadow IT almost always arises from a genuine problem. An employee needs a tool to do their work, the approval procedure takes too long, or the IT-provided alternative is inconvenient. The quickest way is to create a free account or put a small subscription on the company credit card.

What starts as one person with one tool quickly grows. Colleagues join in, files are shared via unapproved platforms, and sensitive company data ends up on servers outside the EU without anyone noticing.

Why is shadow IT a problem?

Shadow IT has three concrete consequences:

1. Security risks. Unapproved tools are not screened for security, not updated, and not monitored. They constitute an open door for data breaches and cyberattacks.

2. Compliance risks. Data processed via unapproved tools falls outside the organisation’s GDPR control. Despite this, the organisation remains liable in the event of a data breach.

3. Waste. Organisations pay for centralised tools while employees simultaneously use free or cheap alternatives. Consolidation is impossible without oversight.

Shadow IT and NIS2

With the arrival of NIS2, shadow IT becomes an even greater risk. The duty of care requires organisations to maintain an up-to-date overview of all software and suppliers, including tools purchased outside the formal procurement process. Shadow IT makes this overview inherently incomplete.

How do you tackle shadow IT?

The approach does not start with prohibition but with understanding. Why do employees use certain tools? What is missing from the approved offering? Only once you have answered those questions can you consolidate effectively and improve the formal software offering.

Practical steps: analyse credit card statements and invoices for unknown software subscriptions, survey employees about the tools they use, and feed the findings back to IT and procurement for a consolidated approach.

Frequently Asked Questions

The most commonly asked questions on this topic.

What exactly is shadow IT?

Shadow IT is all software and technology used by employees without approval or knowledge of IT or procurement. Think of free tools, personal cloud storage, or unapproved communication platforms.

How big is the shadow IT problem in the average organisation?

Research shows that on average 40-60% of SaaS tools in an organisation are not centrally managed. The actual extent of shadow IT is systematically underestimated.

How do I discover what shadow IT exists in my organisation?

Start with a software audit via credit card statements, invoice analysis, and an employee survey. Additionally, tools like Zylo, Torii or Blissfully can help automatically detect SaaS usage.
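The credit-card and invoice audit described under "How do you tackle shadow IT?" and in this answer can be scripted once you have an export of card charges. The example below is an added illustration, not SoftVaro's tooling and not how Zylo, Torii or Blissfully work: it normalises noisy card descriptors to a vendor key, drops anything on a hypothetical approved-software inventory, and reports only vendors that recur across months (one-off purchases such as lunch are ignored). The inventory, the expense lines and the descriptor formats are constructed for the example.

```python
"""Flag possible shadow-IT subscriptions in a card-expense export.

Added example (not SoftVaro's own tooling): it implements the manual audit step
the article describes, comparing recurring card charges against the software IT
has approved. The inventory and the expense lines below are constructed.
"""
import csv
import io
import re
from collections import defaultdict

# Hypothetical approved-software inventory, keyed the same way as
# normalise_descriptor() keys card charges (lower-case first word).
APPROVED_VENDORS = {"microsoft", "zoom", "atlassian"}

# Constructed card-statement export; descriptors mimic real statement noise
# (transaction ids, phone numbers, '*' product suffixes).
EXPENSE_CSV = """date,cardholder,descriptor,amount
2024-07-03,a.jansen,MICROSOFT*M365 BUSINESS,12.50
2024-07-05,b.devries,NOTION LABS INC,8.00
2024-07-05,c.peters,NOTION LABS INC,8.00
2024-07-11,b.devries,DROPBOX*PLUS 4YT2Q1,11.99
2024-07-19,a.jansen,ZOOM.US 888-799-9666,13.99
2024-08-05,b.devries,NOTION LABS INC,8.00
2024-08-05,c.peters,NOTION LABS INC,8.00
2024-08-11,b.devries,DROPBOX*PLUS 8KL0P3,11.99
2024-08-14,d.smit,COFFEE CORNER AMSTERDAM,4.20
2024-09-05,b.devries,NOTION LABS INC,8.00
2024-09-05,c.peters,NOTION LABS INC,8.00
2024-09-11,b.devries,DROPBOX*PLUS 2ZX9F7,11.99
"""


def normalise_descriptor(descriptor: str) -> str:
    """Reduce a card descriptor to a vendor key: the leading alphabetic run,
    lower-cased, so transaction ids, phone numbers and '*' suffixes drop out.
    'DROPBOX*PLUS 4YT2Q1' -> 'dropbox', 'ZOOM.US 888-799-9666' -> 'zoom'."""
    head = re.split(r"[^A-Za-z]", descriptor.strip(), maxsplit=1)[0]
    return head.lower()


def find_shadow_subscriptions(expense_csv: str, approved: set[str],
                              min_months: int = 2) -> list[dict]:
    """Group charges by vendor key and report vendors that are not on the
    approved inventory and recur in at least `min_months` distinct months.
    Findings are sorted by total spend, largest first."""
    charges = defaultdict(list)
    for row in csv.DictReader(io.StringIO(expense_csv)):
        charges[normalise_descriptor(row["descriptor"])].append(row)

    findings = []
    for vendor, rows in charges.items():
        if vendor in approved:
            continue
        months = {r["date"][:7] for r in rows}       # YYYY-MM
        if len(months) < min_months:
            continue                                  # one-off purchase
        findings.append({
            "vendor": vendor,
            "months": sorted(months),
            "cardholders": sorted({r["cardholder"] for r in rows}),
            "total_spend": round(sum(float(r["amount"]) for r in rows), 2),
            "sample_descriptor": rows[0]["descriptor"],
        })
    findings.sort(key=lambda f: f["total_spend"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_shadow_subscriptions(EXPENSE_CSV, APPROVED_VENDORS):
        print(f"{f['vendor']:<10} {f['total_spend']:>7.2f}  "
              f"{len(f['cardholders'])} cardholder(s)  "
              f"months={','.join(f['months'])}")
```

On the constructed data this reports Notion (two cardholders, three months) and Dropbox (one cardholder, three months) and ignores the coffee purchase. The match is exact on the normalised key, so the inventory must be maintained in the same form; a vendor whose descriptor starts with a reseller or bank name will need a manual alias. Findings are a starting point for the employee survey and the conversation with IT and procurement, not a verdict on the cardholder.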

Ready to save on software?

SoftVaro negotiates the best deal on your behalf with over 4,000 suppliers. Independent, transparent, within 24 hours.
