Shadow IT - what it is and what you can do about it

Shadow IT, the use of software and technology not approved by an organisation’s central IT function, is rife.

This article looks at what it is, the associated risks, and what you, as an in-house lawyer, can do to reduce it.

Employees often, understandably, use software unauthorised by the central IT function to help them with their everyday work.

However, it can expose organisations to the risk of data breaches, reputational damage, regulatory non-compliance, safeguarding problems and issues around e-discovery. In-house legal teams can help limit the risks of shadow IT.

What is shadow IT?

Shadow IT, also sometimes known as grey, stealth or rogue IT, is where an organisation’s employees use software or devices that the IT department has not authorised for their work. It can occur at departmental, team or individual level.

Software

Commonly used shadow IT solutions include:

  • File-sharing applications such as Dropbox and Google Drive;
  • Collaboration and messaging tools like WhatsApp;
  • Personal email services such as Google Mail;
  • Personal productivity apps;
  • Mobile apps; and
  • Generative AI solutions like ChatGPT.

Many of these applications reside in the cloud, making them easy to use and difficult for organisations to keep track of.

However, shadow IT can be more complex than this and even take the form of custom-built solutions commissioned by non-IT departments or local business structures.

Usually, software is not centrally approved because:

  • The central IT function cannot or will not support it;
  • It may be incompatible with other systems; or
  • It contravenes the organisation’s IT security, data and other key policies.

Performance and cost are also major concerns for IT professionals.

Devices

Unauthorised devices used for work purposes can also be considered shadow IT. For example, these might be personal mobile devices, or laptops bought for personal recreation that are then used for work. Working from home has increased the potential use of such devices.

The UK government’s National Cyber Security Centre’s guidance on shadow IT gives further examples, including IoT smart devices and even unauthorised servers.

How common is shadow IT?

Generally, IT departments are well aware that shadow IT is being used in their organisation. Some turn a blind eye or actively tolerate it if they’re satisfied it’s not causing a significant risk, although they will never treat it as a supported application.

For a long time, surveys have shown that shadow IT is very common. As far back as 2013, a study by research firm Frost & Sullivan suggested that 80% of IT and line-of-business employees were using non-approved cloud applications. Meanwhile, a 2015 survey by Cisco found that the average organisation has between 15 and 22 more unauthorised cloud applications running than authorised ones.

Since then, the use of cloud applications has continued to grow, with the potential for further use of shadow IT. Some surveys suggest that the increase in remote work during the pandemic has also resulted in a nearly 60% rise in the use of shadow IT. The public version of ChatGPT is also commonly used for work purposes, despite significant levels of risk.

Why does shadow IT happen?

Shadow IT usually arises when effective software and tools unavailable internally are readily accessible online or where employees have favourite apps for productivity or messaging.

Document sharing, and gaining access to files and information from a mobile device, is one of the most common functions that employees turn to shadow IT for, especially on a bring-your-own device or a device mixing private and work use, such as remote network access from a home PC and home printer.

It’s understandable and seldom malicious. Employees usually know they’re breaking the rules, but feel that the pressure of their workload and what they regard as relatively basic requirements justify the breach.

Shadow IT can also occur if a client insists on sharing large files via an application that isn’t approved. This can be tricky for both the client-facing employee and the IT function, especially if it involves a major client.

The use of WhatsApp or similar apps for messaging among small work teams or groups is also one of the most common forms of shadow IT, usually because it is so convenient. However, using the consumer-grade version not only carries risks around data privacy and security, but can also raise safeguarding issues, because a person’s private mobile number is exposed to colleagues.

What are the risks?

As an in-house lawyer, you’ll need to be aware of the risks and issues associated with shadow IT. While it’s essentially the domain of the IT or the risk management function, a successful approach towards shadow IT will benefit from your input.

Potential risks of shadow IT include:

  • Personal, client, market-sensitive or commercially sensitive data being held on servers in the wrong jurisdiction;
  • Such data not being held securely, increasing the risk of a data breach. Many shadow IT solutions provide consumer-grade, rather than enterprise-grade, security;
  • Personal or client data being held on servers that don’t satisfy your organisation’s security policies, protocols and standards and/or those of the regulators that apply to the company, particularly in relation to who has access to the data and who owns it. The terms and conditions of an application may imply ownership of, and a right of access to, your data. They may also provide insufficient security measures and/or inadequate encryption;
  • Reputational damage if documents are discovered or found to be vulnerable, even if the data is non-sensitive;
  • Increased risk of potentially serious cyber-security incidents;
  • E-discovery processes being incomplete, exposing the organisation to legal risk;
  • Inability to comply with regulations such as the Sarbanes-Oxley Act;
  • Inadvertent disclosure of personally identifiable data and other data privacy issues;
  • Sensitive data being left forgotten on servers in perpetuity. As small providers get acquired or go bust, organisations can lose control over what happens to their data;
  • Information being lost into the public domain when those shadow devices (such as a home PC or a home printer with memory) are retired ("end-of-lifed") by the owner; and
  • Undermined disaster recovery and business continuity processes.

Users can make shadow IT even more problematic by not:

  • Enabling two-factor authentication on the software they’re using. Many providers offer additional security by requiring a code sent to a mobile device in order to log in. However, this feature is often optional and many people don't bother with it;
  • Varying their passwords across different applications or changing them regularly enough. Reusing the same password is now a real issue, as significant data breaches involving Yahoo and others, which exposed log-in details also used on other systems, have shown; and
  • Encrypting or securing their devices. Given the number of laptops and mobile devices lost every year, this is an area of real risk.

Regulators and clients may be concerned if they feel your organisation lacks policies, controls and measures to combat shadow IT.

Are there any positives?

There are. In some cases, shadow IT can drive efficiency and increase collaboration where corporate applications are not meeting needs.

It can also help drive innovation, promote creative uses of IT and show IT functions what type of applications users need.

What can you do about shadow IT?

Because shadow IT is employee-driven and often occurs outside the workplace, it’s almost impossible to prevent entirely. A heavy-handed approach could cause resentment and make employees feel patronised or untrusted. With this in mind, we recommend the following five-stage approach.

1. Meet your employees’ needs

Prevention being better than cure, the most effective way to reduce shadow IT is to provide the services employees need to do their work: in particular, applications that allow them to access files on private and mobile devices and share documents with third parties. Set against the cost of a data breach fine or a breach of a confidentiality indemnity in a customer contract, a wider issue of company phones and laptops could look very cheap.

Allowing some use of popular apps can also be a successful approach. This will, of course, have to be balanced against budgets, security policies, infrastructure and the need for central control.

2. Have clear policies and guidelines

Processes for new joiners, annual professional declarations and terms of use for technology at work should all cover shadow IT and be clear about what is and what isn’t permitted.

Processes for people leaving the organisation should include guidelines for shutting down any shadow IT systems or removing relevant data and files from them. Include any sub-contractors in these processes.

E-discovery processes may also need to cover known shadow IT systems in use.

Also, implement an organisation-wide policy for grading the sensitivity of information and controlling its availability. For example, you wouldn’t want people posting information graded “Highly confidential” on an intranet accessible by all employees. Make your grading easily understood and universally known among employees, and ensure that it is followed; "tone from the top" is key. Related zero trust policies governing who can access which system can also reduce the damage and fall-out caused by shadow IT.

3. Awareness and training

User education is the key to reducing shadow IT. Try:

  • Including it as part of any related cyber security awareness programme;
  • Including information about shadow IT in employees’ appraisal processes;
  • Circulating news stories and research studies about the subject among employees;
  • Introducing e-learning programmes;
  • Making shadow IT part of any annual professional declaration process your organisation operates; and
  • Ensuring employees have access to memorable and easily digestible assets.

In larger, or multi-site organisations, effective communication between the central IT or legal function and people based remotely will help drive compliance and reduce the chances of different divisions doing their own thing.

4. Understand the use of shadow IT

Carrying out research into the use of shadow IT by surveying and interviewing employees, as well as using data from any monitoring tools, can help you to understand the level of the problem and what can be done to mitigate it. Carrying out research can also be a useful awareness exercise, as some employees may not even know the extent of the risk associated with their use of shadow IT.

5. Operate a safe environment

This means putting monitoring tools in place, blocking access to particular tools from within the network, applying appropriate due diligence to solutions deployed, activating mobile device management, and having effective policies and processes in place for the issue, control and recovery of devices and company system access, tied to role-based needs.
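As an added example, not part of this article or of the NCSC guidance, the Python script below turns the kind of web-proxy data that stages 4 and 5 rely on into a per-employee inventory of unsanctioned service use, grouped by the article's own shadow IT categories (file-sharing, messaging, personal email, generative AI). The sample log lines, the domain-to-category mapping and the approved-host list are all constructed assumptions and would need to be replaced with your own proxy format and sanctioned-service list.

```python
import re
from collections import defaultdict

# Constructed sample of web-proxy log lines: timestamp, user, destination host, bytes uploaded.
SAMPLE_PROXY_LOG = """\
2024-03-04T09:12:01Z alice www.dropbox.com 4182000
2024-03-04T09:15:44Z alice sharepoint.example.com 90000
2024-03-04T10:01:09Z bob web.whatsapp.com 12000
2024-03-04T10:22:37Z carol chat.openai.com 51000
2024-03-04T11:05:12Z bob mail.google.com 230000
this line is deliberately malformed
2024-03-04T11:40:58Z carol chat.openai.com 7400
"""

# Assumed mapping of domains to the article's shadow IT categories; tune to your estate.
SHADOW_IT_CATEGORIES = {
    "file-sharing": ("dropbox.com", "drive.google.com"),
    "messaging": ("whatsapp.com",),
    "personal email": ("mail.google.com",),
    "generative AI": ("chat.openai.com",),
}
# Centrally approved services (assumed); traffic to these is never flagged.
APPROVED_HOSTS = {"sharepoint.example.com"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")

def classify_host(host: str):
    """Return the shadow IT category for a host, or None if approved or unknown."""
    if host in APPROVED_HOSTS:
        return None
    for category, domains in SHADOW_IT_CATEGORIES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return category
    return None

def inventory_shadow_it(log_text: str):
    """Summarise unsanctioned use as {category: {user: (requests, bytes_uploaded)}}."""
    summary = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dirty logs are normal; skip the line rather than abort the run
        category = classify_host(m["host"])
        if category is None:
            continue
        entry = summary[category][m["user"]]
        entry[0] += 1
        entry[1] += int(m["bytes"])
    return {c: {u: tuple(v) for u, v in users.items()} for c, users in summary.items()}

if __name__ == "__main__":
    print(inventory_shadow_it(SAMPLE_PROXY_LOG))
```

The upload byte counts are the figure to watch: they distinguish someone who merely opened a site from someone who moved a large volume of data out of the organisation.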

Generally, IT functions will be the leaders in reducing shadow IT, but you can help by influencing policies and guidelines and contributing to user education. If you feel your IT function is a little too relaxed about shadow IT, raise your concerns with your departmental head or the chief information officer (CIO).

Remember that a regulatory disclosure requirement, a dawn raid, litigation discovery or even just a data subject access request will happen at some point, so you need to understand how your company's systems and processes run and are checked, and who runs them (and, because these events are probable, you have a clear mandate to do so).

The National Cyber Security Centre guidance on shadow IT lists a number of technical mitigations covering areas such as network access control, up-to-date asset management, network scanning, and the use of Cloud Access Security Broker (CASB) and Unified Endpoint Management (UEM) tools.

Conclusion

The use of unauthorised technology by employees is commonplace and represents a risk for organisations. In-house legal teams can help their colleagues in IT by understanding the issue, setting the right policies and guidelines and helping to educate employees about the associated risks. This may not eliminate shadow IT entirely, but it can help reduce exposure to risk as part of a holistic approach to the issue.