What is shadow IT and why is it a risk?
Shadow IT, software used by employees without IT approval, is bigger and more dangerous than most organizations realize. What it is, how it arises, and how to address it.
- October 1, 2024
Shadow IT is one of the biggest blind spots in enterprise software management. The term covers all technology (software, apps, cloud storage, communication tools) that employees use without explicit approval from IT or procurement. And it is bigger than most organizations realize.
How does shadow IT arise?
Shadow IT almost always starts from a genuine problem. An employee needs a tool to do their work, the approval process takes too long, or the alternative offered by IT is inconvenient. The quickest way is to create a free account or put a small subscription on the corporate credit card.
What starts as one person with one tool quickly grows. Colleagues join in, files are shared via unapproved platforms, and sensitive company data ends up on servers outside the EU, without anyone noticing.
Why is shadow IT a problem?
Shadow IT has three concrete consequences:
1. Security risks. Unapproved tools are not screened for security, not updated, and not monitored. They present an open door to data leaks and cyberattacks.
2. Compliance risks. Data processed via unapproved tools falls outside the organization's GDPR controls. In the event of a data breach, the organization remains liable.
3. Waste. Organizations pay for centralized tools while employees use free or cheap alternatives in parallel. Without visibility into what is actually in use, consolidation is impossible.
Shadow IT and NIS2
With the introduction of NIS2, shadow IT becomes an even greater risk. The duty of care obliges organizations to maintain an up-to-date overview of all software and suppliers, including tools acquired outside the formal procurement process. Shadow IT makes this overview inherently incomplete.
How do you tackle shadow IT?
The approach doesn’t start with banning, but with understanding. Why do employees use certain tools? What is missing in the approved offering? Only after answering these questions can you effectively consolidate and improve the formal software offering.
Practical steps: analyse credit card statements and invoices for unknown software subscriptions, conduct an employee survey about the tools used, and report findings back to IT and procurement for a consolidated approach.
Frequently Asked Questions
The most frequently asked questions about this topic.
What exactly is shadow IT?
Shadow IT is all software and technology that employees use without approval or knowledge of IT or procurement. Think of free tools, personal cloud storage, or unapproved communication platforms.
How big is the shadow IT problem in the average organization?
Research shows that on average 40-60% of SaaS tools in an organization are not managed centrally. The actual extent of shadow IT is systematically underestimated.
How do I discover which shadow IT exists in my organization?
Start with a software audit through credit card statements, invoice analysis, and an employee survey. Additionally, tools like Zylo, Torii, or Blissfully can help automatically detect SaaS usage.
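The credit card statement audit described in the practical steps above and in this answer can be automated. The following is an added example (not SoftVaro's tooling, and not one of the products named above): it reads a constructed card-statement export, groups charges by merchant, and flags merchants that recur across several months but do not appear on an approved-software list. The merchant names, cardholders and the approved list are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample card-statement export (date, merchant, amount, cardholder).
# All merchants and cardholders are invented for this example.
STATEMENT_CSV = """date,merchant,amount,cardholder
2024-06-03,NOTEWAVE.IO*PRO,12.00,j.doe
2024-07-03,NOTEWAVE.IO*PRO,12.00,j.doe
2024-08-03,notewave.io*PRO,12.00,j.doe
2024-07-15,CLOUDBOX STORAGE,9.99,a.smith
2024-08-15,CLOUDBOX  STORAGE,9.99,b.jones
2024-08-16,OFFICE SUPPLIES LTD,54.20,a.smith
2024-06-01,MSFT*M365 BUSINESS,150.00,procurement
2024-07-01,MSFT*M365 BUSINESS,150.00,procurement
2024-08-01,MSFT*M365 BUSINESS,150.00,procurement
"""

# Software that procurement has formally approved (constructed list).
APPROVED = {"MSFT*M365 BUSINESS"}


def normalize(merchant):
    """Card processors vary case, add '*' separators and stray spaces; reduce
    the merchant string to a stable key so the same vendor groups together."""
    return " ".join(merchant.upper().replace("*", " ").split())


def find_unapproved_subscriptions(statement_csv, approved, min_months=2):
    """Return {merchant_key: {"months": [...], "total": float, "cardholders": [...]}}
    for merchants charged in at least min_months distinct months that are not on
    the approved list. One-off purchases (a single month) are ignored, since the
    recurring pattern is what identifies a subscription."""
    approved_keys = {normalize(m) for m in approved}
    seen = defaultdict(lambda: {"months": set(), "total": 0.0, "cardholders": set()})
    for row in csv.DictReader(io.StringIO(statement_csv)):
        entry = seen[normalize(row["merchant"])]
        entry["months"].add(row["date"][:7])  # YYYY-MM
        entry["total"] += float(row["amount"])
        entry["cardholders"].add(row["cardholder"])
    flagged = {}
    for key, entry in seen.items():
        if key in approved_keys or len(entry["months"]) < min_months:
            continue
        flagged[key] = {"months": sorted(entry["months"]),
                        "total": round(entry["total"], 2),
                        "cardholders": sorted(entry["cardholders"])}
    return flagged


if __name__ == "__main__":
    for merchant, info in find_unapproved_subscriptions(STATEMENT_CSV, APPROVED).items():
        print(f"{merchant}: {len(info['months'])} months, total {info['total']}, "
              f"cardholders {', '.join(info['cardholders'])}")
```

The cardholder count per merchant shows how far a tool has already spread beyond the first person who signed up, which is useful input for the employee survey and the report back to IT and procurement.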
Ready to save on software?
SoftVaro negotiates the best deal on your behalf with over 4,000 suppliers. Independent, transparent, within 24 hours.