What is shadow IT and why is it a risk?
Shadow IT, software used by employees without IT approval, is bigger and more dangerous than most organisations realise. What it is, how it arises, and how to address it.
- October 1, 2024
- 5 min
Shadow IT is one of the biggest blind spots in enterprise software management. The term covers all technology (software, apps, cloud storage, communication tools) that employees use without explicit approval from IT or procurement. And it is growing faster than most organisations realise.
How does shadow IT arise?
Shadow IT almost always arises from a genuine problem. An employee needs a tool to do their job, the approval process takes too long, or the alternative offered by IT is inconvenient. The quickest way around this is to create a free account or put a small subscription on the business credit card.
What starts as one person with one tool quickly grows. Colleagues join in, files are shared via non-approved platforms and company-sensitive data ends up on servers outside the EU without anyone noticing.
Why is shadow IT a problem?
Shadow IT has three concrete consequences:
1. Security risks. Non-approved tools are not vetted before use, not kept patched and not monitored, and they sit outside the organisation's identity controls: no SSO or MFA, no logging, and no offboarding when an employee leaves. They are an open door for data breaches and cyber attacks.
2. Compliance risks. Data processed via non-approved tools falls outside the organisation's GDPR control: there is no processing agreement with the vendor, no entry in the processing register, and often no view of where the data is stored. Yet the organisation remains the controller and is liable if that data is breached.
3. Waste. Organisations pay for centralised tools while employees use free or cheap alternatives in parallel. Consolidation is impossible without an overview of what is actually in use.
Shadow IT and NIS2
With the arrival of NIS2, shadow IT becomes an even greater risk. The duty of care obliges organisations to maintain an up-to-date overview of all software and vendors, including tools acquired outside the formal procurement process. Shadow IT makes this overview inherently incomplete, and an incomplete overview cannot be relied on for risk assessments or incident reporting.
How do you tackle shadow IT?
The approach does not start with forbidding, but with understanding. Why do employees use certain tools? What is missing in the approved offer? Only when you answer these questions can you effectively consolidate and improve the formal software portfolio.
Practical steps: analyse credit card statements and invoices for recurring charges from unknown software vendors, survey employees about the tools they actually use, and feed the findings back to IT and procurement so the formal portfolio can be consolidated.
Frequently Asked Questions
The most common questions about this topic.
What exactly is shadow IT?
Shadow IT includes all software and technology that employees use without approval or knowledge of IT or procurement. Think of free tools, personal cloud storage, or non-approved communication platforms.
How big is the shadow IT problem in the average organisation?
Research shows that on average 40-60% of SaaS tools in an organisation are not centrally managed. The true extent of shadow IT is consistently underestimated.
How do I discover what shadow IT exists in my organisation?
Start with a software audit through credit card statements, invoice analysis and an employee survey. Additionally, tools like Zylo, Torii or Blissfully can help automatically detect SaaS usage.
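The credit card analysis recommended above (in the practical steps and in this answer) can be largely automated before any commercial SaaS discovery tool is involved. The following script is an added example, not code from SoftVaro or from any of the tools named; it assumes a plain CSV export of card transactions with `date`, `merchant` and `amount` columns, a hand-maintained set of approved vendor keywords, and uses constructed, fictitious merchant names. It normalises the noisy card descriptors (product codes and reference numbers after the `*`), then flags any merchant that charges the same amount in two or more distinct months and is not on the approved list. Recurrence is what separates a subscription from a one-off purchase, which is why a single charge from an unknown merchant is not reported.

```python
"""Flag recurring card charges from merchants not on the approved-vendor list.

Added example for shadow IT discovery. Input is a constructed CSV export of
card transactions with fictitious merchants; the approved-vendor set is an
assumption standing in for the list IT or procurement would maintain.
"""
from __future__ import annotations

import csv
import io
import re
from collections import defaultdict
from datetime import date

# Constructed sample export (hypothetical merchants, not real statement data).
STATEMENT_CSV = """date,merchant,amount
2024-07-03,NOTEPILE LABS*PRO 4821,8.00
2024-08-03,NOTEPILE LABS*PRO 4821,8.00
2024-09-03,NOTEPILE LABS*PRO 4821,8.00
2024-07-15,OFFICEHUB*BUSINESS,12.60
2024-08-15,OFFICEHUB*BUSINESS,12.60
2024-09-15,OFFICEHUB*BUSINESS,12.60
2024-08-21,CLOUDDRIVE PLUS 1234,11.99
2024-09-21,CLOUDDRIVE PLUS 1234,11.99
2024-09-12,CLOUDDRIVE PLUS 1234,3.00
2024-09-10,RAILWAY TICKETS 77,45.20
"""

# Keywords for vendors IT/procurement already manages (assumed, maintained by hand).
APPROVED_VENDORS = {"officehub"}


def normalise_merchant(descriptor: str) -> str:
    """Reduce a card descriptor to a comparable key.

    Card descriptors carry product codes and reference numbers ("*PRO 4821",
    "PLUS 1234") that vary between charges of the same vendor. Keep only the
    part before '*', drop anything that is not a letter, collapse whitespace.
    """
    name = descriptor.split("*", 1)[0]
    name = re.sub(r"[^A-Za-z ]+", " ", name)
    return " ".join(name.lower().split())


def is_approved(key: str, approved: set[str]) -> bool:
    """True if any approved-vendor keyword occurs in the normalised key."""
    return any(vendor in key for vendor in approved)


def find_unapproved_subscriptions(
    csv_text: str, approved: set[str], min_months: int = 2
) -> list[dict]:
    """Return recurring charges from unapproved merchants, largest annual cost first.

    A charge is treated as a subscription when the same merchant bills the
    same amount in at least `min_months` distinct calendar months.
    """
    charges: dict[str, list[tuple[date, float]]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalise_merchant(row["merchant"])
        charges[key].append((date.fromisoformat(row["date"]), float(row["amount"])))

    findings = []
    for key, items in charges.items():
        if is_approved(key, approved):
            continue
        # Group by amount: one merchant may bill several plans or add-ons.
        months_by_amount: dict[float, set[tuple[int, int]]] = defaultdict(set)
        for day, amount in items:
            months_by_amount[amount].add((day.year, day.month))
        for amount, months in months_by_amount.items():
            if len(months) >= min_months:
                findings.append({
                    "merchant": key,
                    "monthly_amount": amount,
                    "months_seen": len(months),
                    "annualised": round(amount * 12, 2),
                })
    findings.sort(key=lambda f: -f["annualised"])
    return findings


if __name__ == "__main__":
    for f in find_unapproved_subscriptions(STATEMENT_CSV, APPROVED_VENDORS):
        print(f"{f['merchant']:<20} {f['monthly_amount']:>7.2f}/month "
              f"seen {f['months_seen']} months, ~{f['annualised']:.2f}/year")
```

Run it against a real export and every hit becomes a question for the survey step: who bought this, for what, and what in the approved catalogue failed them. Charges that recur at a different cadence (annual plans, usage-based billing) will not show up with the monthly heuristic, so invoice analysis and the employee survey remain necessary complements.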
Ready to save on software?
SoftVaro negotiates the best deal on your behalf with over 4,000 suppliers. Independent, transparent, within 24 hours.