The Impact of Shadow IT

Digital Security is the overarching practice of protecting your information—financial, intellectual or physical—from the digital world.

In most organisations it is hard enough just making sure that you are not going to be compromised through your own networks, communication systems and storage systems.

Having to worry about information that is outside your control, and that you know little or nothing about, makes it even harder.

Yet today, most organisations have to do just that.

One of the newest problems for organisations is so-called shadow IT—the use of hardware, software or cloud-based systems that are not approved by the organisation or its management.

It’s easy to see why shadow IT is so prevalent.

Employees like being able to use their own devices (laptops, tablets and phones) and to get work done away from the office—for instance, by storing work documents on their personal cloud storage service, or opening a database while using the free Wi-Fi at Starbucks.

Employees don’t like being told that they can’t do these things. In the arguments about shadow IT, we hear:

  • “The organisation is not allowing me to work where I need to work with the systems I need.”
  • “Using these devices increases my efficiency and productivity.”

In most organisations, when security goes up against convenience and cost, convenience and cost prevail.

This is especially true when it comes to IT.  But shadow IT can cost an organisation much more than it saves.

What is the problem with shadow IT?

Digital security is not put in place to annoy users, although there are times when it may appear that way.

Shadow IT makes employees’ lives easier in the short run, but there are a number of ways that it puts stress on the organisation’s resources and business requirements.

Shadow IT is unsanctioned

There is often a good reason that an organisation is not using a particular cloud-based system, app or piece of technology.

That cloud system may be free and easy to use, but also easy to hack, with insecure passwords.  In most cases a shadow IT component is beneficial only for that individual user.

Shadow IT can compromise security

Keeping information secure within an organisation is hard enough in today’s business world.

The additional problem of having critical business information outside the control of the organisation can have detrimental and devastating effects.

Shadow IT can increase organisational risk

The fact that the information stored in unknown systems is now outside the control of the organisation increases the overall risk that it could be stolen, damaged or hijacked.

This, in turn, increases business risk.

Shadow IT is unmanaged and unmanageable

In most cases, rogue systems are only discovered after something has happened to the information that is controlled by those systems.

Try explaining to your shareholders that not only has a chunk of information gone missing or been stolen, but you didn’t even know it was at risk.

Shadow IT can damage compliance requirements

In any organisation of reasonable size, compliance with government regulation is a huge responsibility.

The loss of information stored outside the compliance systems can damage your organisation and have a long-lasting impact on revenue and reputation.

Shadow IT can reduce business visibility

In business, it’s crucial to make decisions based on facts.

That means management must be able to see what’s actually going on within the company (for instance, what level of risk currently exists).

Shadow IT can change those measurements and make decisions harder to manage.

Shadow IT can allow for information to be stolen

This is the bottom line.  There is nothing worse for a business than having key information like IP or customer payment data stolen.

How do you control shadow IT?

Controlling shadow IT comes down to four factors.


Is the organisation agile enough to use new and improved technology, or is it restricted by slow decision-making processes?

Being able to make changes in real time will allow better technology to be deployed by the business, restricting the need for individuals to use technology without the business’s knowledge.

For instance, if employees need tablets to do their work efficiently, the business should provide them with tablets rather than waiting for them to start bringing their own.


Is the organisation adaptable enough to implement change, not only in technology, but also in how it is used?

There are two areas of adaptability: the ability to change to newer, better and improved technology and systems, and the ability to recover from implementing bad technology.

There are a few documented examples of using the wrong technology: the Amiga computer and the Beta VCR, for instance.


Does the organisation have the budget to provide legitimate alternatives to shadow IT?

The cost of a cloud-based system for a single user could be free or relatively inexpensive, but when all users in an organisation are going to use the system and everyone needs a license, this could cause financial problems.

Organisations must be far-sighted enough to invest in their own security.


Do employees know why they should avoid shadow IT?

Often they don’t understand the risks, or they believe that cybercrime couldn’t possibly happen to their company.

Organisations must make the investment in education so that their employees know why their company has the restrictions that it does, and why they shouldn’t trust business information to that unsecured network or chat interface.

If companies provide employees with the IT they need, and the information to use it correctly, they won’t have to fear a shadow IT disaster.

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.