When it comes to cyber security, IT departments are often involved because IT is their area of expertise. They know what programs we have on our devices and what websites we access in the course of our work - or do they?
What IT doesn't know
Shadow IT is the use of software, hardware and websites by employees without the IT department's knowledge or approval.
This could be anything from sharing files between cloud storages, online meetings on platforms your company doesn't use, or creating a Slack group without IT's approval. All of this may seem harmless, but it falls under the umbrella of shadow IT, because IT hasn't been made aware of the use.
While it may sound like a place where hackers hang out, shadow IT is not associated with hacking and malware - it is simply the undisclosed use of software, hardware and browsers.
Shadow IT often starts in a company because employees don't want to wait for programs, software and browsers to be approved by the IT department - or because the program they have found works better than the one provided by the IT department.
However, it's important to remember that shadow IT can pose fatal risks to a business. When an IT department doesn't have insight into what software, hardware and browsers are being used, they can't ensure that everything is up-to-date and secure - this is fertile ground for cyber attacks on businesses.
Some of the causes of shadow IT
One reason employees use shadow IT is that they prefer to use their own devices and software for work - instead of what is provided by the workplace.
This is happening more frequently with hybrid and remote working - and the use of SaaS and cloud storage. It's easier to share files and documents between devices, and this applies between work devices, but also between work and home. So if an employee shares files in, for example, Google Drive between their work and home computer to make working from home more convenient, that's shadow IT - and a very deliberate form of it at that.
Hybrid working has led to concepts such as "bring your own device" (BYOD), which encourages employees to use their own devices for professional and work purposes. With such concepts, companies are responding to what many employees are asking for - to use their preferred devices for work. However, there is a major downside to BYOD.
The essence of the IT department's job is to ensure the smooth flow of technology in the workplace, but also, to a large extent, cybersecurity in the workplace. But there are limits to how much they can do for cybersecurity if employees are using shadow IT. And if employees are using personal devices for work purposes, IT can't secure those devices in the same way as if employees are using the designated work devices and computers.
Why does it need to be approved?
You might be thinking that it's limiting and restrictive that IT has to approve the software, hardware and browsers we use in the workplace. According to several studies, around 80% of employees in a company use shadow IT - that's 80% of a company's cybersecurity that isn't as strong as it could be.
At the core of cybersecurity, employees are the strongest defense against cyberattacks. This is because it's people who make the majority of cybersecurity mistakes, which cybercriminals exploit.
So if a company has a number of employees who use shadow IT and don't involve the IT department in what programs and software they use - as well as what files they share and download - then the IT department has little chance of helping in the event of a cyber attack.
IT needs to approve and verify programs and software so that there is no risk of malware or other malicious activity on the devices - by having control of the technology in a company, you can focus on awareness training of employees so that the entire company is strong against the cyber threat.
Pros and cons of shadow IT
In the past, shadow IT was often completely banned in companies because IT departments were unable to control and help employees with IT issues in these cases. However, over time, it's become clear that it's nearly impossible to ensure employees don't use shadow IT, even if it's banned in the workplace.
As a result, more companies are embracing the principle. This way, they can influence how employees use shadow IT in the workplace instead of having no influence at all on employees' IT habits.
There are both pros and cons to the use of shadow IT - both of which have been highlighted above. Additional pros and cons of shadow IT are:
Advantages of shadow IT
- A company shows trust in its employees by letting them use their own devices and applications.
- You can find out which applications are outdated and which ones streamline and optimize work for employees when they find them themselves.
Many companies try to connect IT protocols with shadow IT to avoid banning the phenomenon altogether. One of the things companies are adopting as a result is attack surface management, which includes plans for and an overview of the company's new attack surface.
Disadvantages of shadow IT
- Less visibility into attack surfaces for the business.
- Problems with compliance - a company may have problems with GDPR compliance when shadow IT is in use, as it cannot control the processing of personal data as well as when employees work solely with what the IT department has made available.
Shadow IT is a divisive phenomenon in the workplace - employees want more flexibility and IT departments want secure IT. The problem with shadow IT is that it often leaves IT departments unaware of employees' online activity and their use of software and hardware. If an employee accidentally downloads malicious software, it could end up compromising the entire company's data.
Caroline Preisler
Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.