Understanding Shadow IT: Risks, Benefits & Solutions


What is Shadow IT?

The term Shadow IT refers to information technology applications, software, systems, services, and endpoint devices that are utilized by an organization’s employees and/or end users without their IT department’s approval and support, and oftentimes operate outside of the enforcement of protective policies, data loss prevention strategies, and recovery solutions.

Read on for insights on Shadow IT impacts, benefits, risks and solutions from surveyed industry leaders and our experts.

Want more info? Download the full Shadow IT trends report here.

How Common Is Shadow IT?

When Storagepipe and Gartner Peer Insights polled 349 technology leaders and decision makers, over three quarters of respondents (78%) replied that Shadow IT is currently occurring at their organization.


Is Shadow IT Good for Business?

The question of whether Shadow IT is good for business is a controversial one. When surveyed, tech leaders whose workforces are actively participating in Shadow IT had split opinions with 41% replying that the practice has had a positive impact on their organization, while 39% replied that it has had a negative impact.

While the above stats show that general positive sentiment outweighs the negative among those who use Shadow IT, when the extreme ends of the scale are examined, only 1% think that it has had a strong positive impact, while 3% report a strong negative impact.

Another curious detail is the 15% of respondents who replied that Shadow IT has had no impact, which raises the question: if there are no positives to be gained, why keep it in practice?


When the data from all respondents (those that do and don’t have Shadow IT active today) is examined, 28% feel that Shadow IT is somewhat positive, 32% say it’s neither positive nor negative, and 29% say it’s somewhat negative, suggesting an uneasy overall ambivalence.

That is, until you look at the extreme ends of the scale again. This time, 3% of respondents reply that Shadow IT is very positive, and 7% reply that it is very negative.


What is driving such a mixed reaction, despite the potential risks? Let’s find out…

What are some potential risks of Shadow IT?

Since many organizations struggle to monitor Shadow IT data use or the extent to which confidential, sensitive, or proprietary information is being shared, data leakage is a major, underreported problem that is going unaddressed in many organizations. Left unchecked, this usage may have larger cybersecurity, compliance and competitive consequences that are difficult to assess and fully appreciate until it is too late.


For example, “Organizations can’t protect what they don’t know exists,” shares Storagepipe CEO and President, Steven Rodin. “Shadow IT eliminates organizations’ ability to use their standard backup and retention policies or disaster recovery plan to recover affected data and applications. These systems exist outside of their control and create big gaps in data protection and business continuity that can result in critical and damaging data loss, downtime, and regulatory penalties.”

While it is tempting to value the upfront workload relief, smart technology leaders know that their IT workload will explode into an unmanageable mess the moment their company’s use of Shadow IT becomes a vector for a cyberattack, leads to customer data loss and compliance action, enables insider threat actors to walk away with intelligence and into the arms of a competitor, or causes any of a myriad of other equally damaging disasters.

What are some potential benefits of Shadow IT?

Despite the risks, the use of Shadow IT is persistent and widespread across all industries and business sizes, suggesting that there are positives for employees and the companies where they work.

Surveyed respondents agreed, with 92% indicating that there are benefits to the practice, including increased innovation (50%) and improved end-user satisfaction (40%). Increased IT agility, improved end-user productivity, and reduced IT workload tied for third place (36%).


Organizations can learn from employees who utilize unapproved applications such as large file sharing and storage tools, project management software, appointment-booking and other aids for their personal and professional convenience. Companies can gain insights on where there are gaps in the approved technology stack, assess the benefits that these rogue tools deliver, compare against their evolving business needs, and potentially bring them out of the shadows and into the approved fold. This will enable the organization to benefit from their full potential while also enjoying protection and oversight from the IT department to reduce risk and effectively respond to incidents.

Are there hidden costs in Shadow IT?

Considering that the ‘reduced IT workload’ benefit ranked high, there may be pushback from IT staff when asked to monitor and manage this additional workload, along with the dedicated resources and budget that it requires.

Efforts are being made at many companies despite the challenges. Of the respondents whose workforces currently practice Shadow IT, 73% spend up to 20% of their overall IT budget on the practice.
Despite these investments, 74% shared that while IT has some oversight with Shadow IT, gaps remain.


Shadow IT Solutions: MDR (Monitoring, Detection & Response) and Disaster Recovery Planning


What if organizations could harness the benefits that Shadow IT delivers while proactively mitigating the risks in real-time and keeping their IT workloads and budgets under control?

As 13% of respondents with Shadow IT know, continuous monitoring and centralized control procedures can provide effective and comprehensive visibility and management. Also known as monitoring, detection, and response (MDR), this managed service is focused on the security of endpoints, the network, and the public cloud, providing visibility into the Shadow IT realm. Whether an end user plugged a device into the network or installed a questionable program on their computer, MDR can identify, assess, and resolve many issues introduced by Shadow IT before they become problems for the business.

Storagepipe always recommends a multi-layered approach to cybersecurity and IT-related business continuity. In addition to MDR, establishing organization-wide guidelines such as a disaster recovery plan (get our template here!) can help uncover and document Shadow IT elements, and consistent cybersecurity awareness training can inform and support employees to avoid risky behavior. Encouraging and, where possible, mandating two-factor authentication (2FA) or multifactor authentication (MFA) can help keep systems and applications secure, even those without official IT oversight.

Lastly, the first step that every organization should take in their data protection strategy is to implement a backup and recovery solution that can protect their on-prem, cloud, and SaaS data and systems, works for their budget and business model, and meets their Recovery Point Objectives and Recovery Time Objectives. After all, you can’t recover what you haven’t saved.

Want more insights about Shadow IT and quotes from leading technology professionals on how they’re approaching the challenges? Get the full Storagepipe and Gartner Peer Insights Shadow IT survey report here.

Want to see how these solutions can work for you? Contact us!