5 Common Risks of Shadow IT and How to Gain Control of It

 Originally published on July 16, 2018 by Sascha Neumeier
Last updated on January 23, 2024

Surely every administrator has heard of shadow IT, and probably many of you admins live in (peaceful) coexistence with these parallel, partly unknown IT infrastructures.

Let's start from scratch and look at how shadow IT is defined.

Shadow IT refers to the hardware and/or software within a company that is not supported by the organization's central IT department. The term often carries a negative connotation because it implies that the IT department has not approved the technology and, in many cases, does not know that employees are using it at all.


In everyday practice, shadow IT gives rise to complex infrastructures that are developed and built entirely without the IT department, or even around it. These range from manageable hardware environments to complete ERP solutions that are in daily use throughout the company and use the data of the official ERP system, yet are in no way accessible to the IT department.

Such independent infrastructures are often a management problem. If specialist departments are not offered adequate solutions for their specific requirements, and department heads have too much freedom in their decisions, situations quickly arise in which departmental solutions are created from the ground up. This creates a multitude of risks (we will take a closer look at 5 of the more common ones below). Finally, we suggest how to get shadow IT under control (again) and give tips on how to notice early on when infrastructures are being built without your IT department.

1. Cyber Security

Hardware that is set up within a business department may not be protected by the security measures of the IT environment. There might be no firewall or virus scanner, and regular firmware and software updates are not installed. This makes the shadow infrastructure, sensitive company data, and usually the entire company network vulnerable.

2. Data Loss

Systems and applications running within shadow IT are not part of the backup and restore strategy of IT management. It could be that there is no backup solution at all, or there is only one person without a substitute to monitor the backup. If critical company data is lost in the event of an incident, this means substantial damage with unpredictable consequences for the company.

3. Data Security

Besides the fact that IT has no control over the backup of software and data within the shadow IT, there is also no overview of possible data access. In the worst case, external service providers or former employees still have access to data. There is generally no change tracking and no overview of which accounts have data access, and what they can do with the data.

4. Inefficiency

Changes to hardware and software within the shadow IT might not undergo any testing. Directly implemented systems and solutions may accelerate individual processes (a common reason to introduce shadow IT), but conversely, a series of other business processes may stall. In the worst-case scenario, this could mean that business-critical IT resources are no longer available. Furthermore, shadow IT means duplicated administration and maintenance effort for systems and software, if any maintenance within the shadow IT environment takes place at all.

5. Compliance

With shadow IT, specialist departments often establish processes that violate the company's existing compliance rules. Moreover, the introduction and use of shadow IT is in itself already a violation of the usual company compliance rules. For many companies, such a fundamental breach of compliance rules can threaten their existence.

How to Get Rid of Shadow IT

First of all: Don't panic! Even companies with a pronounced shadow IT can get the situation under control again. This is certainly not a task that can be done overnight, and in most cases it is accompanied by a paradigm shift in IT or even in the entire company.

What you must do to regain control of all IT infrastructures in your company and make shadow IT a thing of the past is described in our tip sheet on shadow IT. There you will learn 7 Steps How to Gain Control of Shadow IT.