The Risks of Shadow IT
When we conduct IT department assessments, an important area of investigation is “shadow IT.” Shadow IT refers to the situation where user departments reach out directly to suppliers to sign up for software applications that meet their business needs, bypassing their organization’s IT department to do so. This practice can put the company at risk. These risks include security exposure, violation of provincial or federal privacy laws, and more.
Why Shadow IT?

It’s very common and the process is simple: user departments bypass IT and deal directly with an application supplier. It’s not a new phenomenon but it matters more now because the inherent risks are much bigger than the shadow IT risks of years ago.
There are many reasons why users bypass IT. Often, the supplier has an application that meets user needs much better than existing, supported applications. Sometimes it’s because users think that “IT has no time” to help find, assess, install, and support a new application. And sadly, some employees feel entitled to use social media and download “fun” software and movies during working hours.
The Risks
Privacy: We operate in accordance with privacy protection laws. Provincial and federal laws, covering both the public and private sectors, govern how data can be collected, processed, stored and disclosed, and penalties can be imposed for violations. Shadow IT often results in the use of software that doesn’t comply with privacy laws, with no one the wiser until something happens to expose the problem, sometimes dramatically.
Data Loss: Some applications operate on departmental PCs and may not be properly backed up. When data is lost, there’s nowhere to turn.
Security: Security patches may not be applied. Unauthorized employees may gain access to important data and may even be able to modify it. Shadow IT in the cloud may have been set up with inappropriate permissions and security settings. Attacker access (for example, via DNS tunneling) can operate unhindered to copy or remove data offsite, and ransomware is given an opening as well.
Taking Back Control
Sometimes the IT department is aware of shadow IT activities within their organization, but more often they only know part of the picture. As we discover with our clients, the list of applications provided to us at the start of an engagement is much smaller than the final list of applications that we compile. There are two major ways to reduce shadow IT:
Communications: Create and implement a communications plan to improve relationships with user departments. Encourage them to use you as an advisor and let you take responsibility for all applications.
Monitoring tools: Monitor the software being used by employees. Monitor the websites visited by your employees and how much time is spent on each. Monitor or block the use of USB devices.
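The discovery gap described above (the application list IT provides versus the list actually in use) can be closed by comparing web proxy records against the approved-application list. The following is an added example, not code from the article or from TMC Consulting; it assumes a hypothetical proxy log format of timestamp, user, domain and bytes, with constructed sample lines and a constructed approved list.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (hypothetical format: timestamp user domain bytes).
SAMPLE_PROXY_LOG = """\
2020-04-01T09:00:12 alice crm.example.com 4096
2020-04-01T09:02:40 alice notes-app.example.net 2048
2020-04-01T09:05:01 bob crm.example.com 1024
2020-04-01T09:07:33 bob files-share.example.org 900000
2020-04-01T09:09:10 carol notes-app.example.net 512
2020-04-01T09:10:45 carol erp.example.com 8192
"""

# The application domains IT listed at the start of the engagement (constructed).
APPROVED_DOMAINS = {"crm.example.com", "erp.example.com"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_proxy_log(text):
    """Yield (timestamp, user, domain, bytes) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, domain, nbytes = m.groups()
            yield ts, user, domain, int(nbytes)

def find_shadow_it(text, approved):
    """Return {domain: {"users": set, "requests": int, "bytes": int}} for domains not on the approved list."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for _ts, user, domain, nbytes in parse_proxy_log(text):
        if domain in approved:
            continue
        entry = report[domain]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += nbytes
    return dict(report)

def large_transfer_domains(report, threshold_bytes):
    """Unapproved domains whose total outbound volume exceeds a threshold, for data-loss follow-up."""
    return sorted(d for d, e in report.items() if e["bytes"] > threshold_bytes)

if __name__ == "__main__":
    found = find_shadow_it(SAMPLE_PROXY_LOG, APPROVED_DOMAINS)
    for domain, entry in sorted(found.items()):
        print(f"{domain}: {entry['requests']} requests, {len(entry['users'])} users, {entry['bytes']} bytes")
    print("Large outbound volume:", large_transfer_domains(found, 100_000))
```

Each unapproved domain in the output is a candidate for the application inventory; the user set shows which departments to open the communications plan with first.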
This article was published in the April 2020 edition of The TMC Advisor - ISSN 2369-663X Volume:7 Issue:3. ©2020 TMC Consulting