

For several years now, the rise of "Shadow IT" (also called "ghost IT") within company information systems has been undeniable.
Shadow IT refers to the use of software solutions within an organization that have not been officially approved by the ISD (the IT department). This ranges from unauthorized applications and cloud services to the use of personal devices for work.
Shadow IT emerges primarily from employees' desire to improve their productivity with simple and modern digital tools, often bypassing official procedures in the process.
However, although it can improve individual and collective productivity, it also carries significant, often overlooked, risks for the organization.
If users turn to Shadow IT, it is because they believe the existing IS offers no solution to their need.
Efficiency also plays a part. In their personal lives, users have grown used to applications with highly polished ergonomics: on their smartphones and in consumer software ecosystems, publishers have invested heavily in optimizing the user experience. Back at the office, these same users can be disappointed by business application interfaces and start thinking about the alternatives they encountered outside the company:
The use of Dropbox and Google Drive has exploded in companies, even where the company has invested heavily in an EDM (Electronic Document Management) system. The consumer tools are simply easier to use and offer numerous integrations.
Why use a CRM made cumbersome by numerous management rules when one can export a CSV into an Excel spreadsheet and pass it between teams?
Whatever the potential problems, users ultimately get the results they are looking for with these tools. They are quite often ahead of the deployed business solutions, notably in ergonomics, performance, collaboration features, and integration possibilities.
In summary:
The best tool to meet a team's need is not among the applications "approved" by the ISD. This often pushes users to adopt an additional service that helps them meet a specific professional need, gain a competitive advantage in their market, or collaborate more effectively.
Users are not aware of the security risks inherent in Shadow IT: they are not deliberately trying to bypass the controls put in place by their IT department, but they simply do not realize that their actions can compromise sensitive company data and increase the risk of data breaches and attacks.
Shadow IT can take several forms.
Excel workbooks with macros: it is easy to forget, but Excel files multiply quickly within a company. Some become structuring for a team's activity, and a tinkerer will add intelligence to them through macros or advanced formulas. The file then becomes a small application in its own right.
SaaS applications: the SaaS ecosystem grows every day. It is now publishers' preferred deployment mode, notably because it makes deployment so easy. Business teams can then take out their credit card and start using a new application without anyone's help.
Native applications: depending on the level of rights granted to employees, native applications installed on user workstations without ISD approval are also quite common.
Application projects run without involving the ISD: in some organizations, or in some teams, it is common to think that certain projects must be led by the business concerned. This is sometimes the case for communication or marketing needs: a WordPress or Webflow site is deployed quickly, then grows complex and ends up requiring data exchanges with other "blocks" of the information system.
BYOD: the use of personal devices is quite often governed by the ISD (via a PGSSI or a dedicated policy). However, it is very tempting for a user to open and use an application originally installed for personal purposes. It is difficult to enforce a border between personal and professional use.
Despite the apparent advantages for the user (productivity, ease of use, autonomy), Shadow IT carries real risks. The most important is undoubtedly security: tools used without oversight are not always up to date in terms of security patches and can thus become a weak point for the company.
Shadow IT can also carry legal risks. The use of unauthorized software can, for example, lead to license violations, putting the company in an irregular situation.
Management and maintenance of computer systems can also be complicated by the unauthorized use of hardware and software. This can lead to an increase in costs and complexity of operations.
Since the ISD does not know about them, it cannot control the security level of Shadow IT tools: their authentication, the applications' own security level, and the sensitivity of the data they hold cannot be evaluated in a vulnerability audit or taken into account in the controls of an ISMS (Information Security Management System).
Organizations may unknowingly violate data compliance laws. For organizations that must comply with data protection regulations (for example, GDPR), it is imperative that they have the ability to track and control how data is processed and shared. When employees use unauthorized tools to process sensitive data, they can inadvertently put their organization at risk of violating these laws, which can lead to heavy penalties and fines.
Sensitive data can be compromised or stolen. Attackers can exploit configuration errors and vulnerabilities of services hosted in the cloud, thus opening the way to data breaches and other cyberattacks. These attacks can be conducted without the IT department's knowledge, particularly when they target unapproved (and possibly unsecured) applications and tools. And remedying these attacks can prove costly: in a study carried out in 2020, IBM estimated that data breaches caused by cloud misconfiguration cost on average 4.41 million dollars.
File sharing is a common practice that makes firms vulnerable in several ways.
First of all, it opens the door to data exfiltration and becomes very dangerous if malicious software performs an unauthorized data transfer. Sensitive data can be captured, destroyed, disclosed, or even sold.
Document sharing tools also let users bypass the normal limits on email attachment sizes. Malicious individuals could download and store huge amounts of corporate data. Even well-meaning business users may send document sharing links by email without realizing that the data in those files is thereby exposed.
In France, we speak of Information System Urbanization ("urbanisation du SI"): data exchanges and processing must be mastered, and sometimes rationalized, so that the IS is built to support the company's strategy.
Shadow IT lies outside the ISD's view, so the ISD can take it into account neither in its application mapping nor in the optimization of business processes. Applications appear without any coherence.
Shadow IT causes the appearance of application duplicates in the company:
The same application may have been subscribed to several times by different teams. The cost is very often higher than that of a single instance deployed for several entities.
Two different but functionally comparable applications are subscribed to for the same need, for example project tracking tools such as Trello and Monday.
Managing Shadow IT is a challenge for ISDs because too strict an approach could harm productivity, while a lax approach could increase associated risks. Some strategies are suggested:
Knowledge and understanding: It is crucial to identify the extent of Shadow IT in the company. Application mapping solutions like Kabeen are useful for this.
Shadow IT detection: Shadow IT detection tools help IT teams track and analyze the systems and services in use, which makes it possible to define policies that authorize, restrict, or block certain tools.
Use a Cloud Access Security Broker (CASB): a CASB secures cloud applications and services by combining several security technologies. It often takes the form of a proxy within the company.
Education and communication: Once the risks of Shadow IT are identified, they must be clearly explained to all employees. Training on good IT practices could be useful.
Propose secure alternatives: Often, employees resort to Shadow IT because official tools do not meet their needs. By proposing ergonomic and secure alternatives, the IT department can mitigate this phenomenon.
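The detection and CASB strategies above, and the application duplicates discussed earlier, both rest on the same raw material: the outbound traffic that an enterprise proxy already sees. The following script is an added example, not code from the original article or from Kabeen, of the kind of discovery a detection tool performs. It assumes a constructed proxy log in a simple "timestamp user destination_host bytes_out" format, a constructed catalogue mapping known SaaS hosts to a functional category, and a constructed allow-list of ISD-sanctioned hosts; a real CASB ships a far larger catalogue and reads its vendor's own log format.

```python
"""Shadow IT discovery from web-proxy logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log (not real traffic):
# "timestamp user destination_host bytes_out", one request per line.
SAMPLE_PROXY_LOG = """\
2024-03-04T09:12:01 alice sharepoint.example-corp.com 20480
2024-03-04T09:13:44 alice www.dropbox.com 5242880
2024-03-04T09:15:02 bob trello.com 1024
2024-03-04T09:16:30 carol monday.com 2048
2024-03-04T09:18:10 dave drive.google.com 10485760
2024-03-04T09:20:00 bob www.dropbox.com 3145728
2024-03-04T09:21:15 erin crm.example-corp.com 4096
2024-03-04T09:22:40 frank app.webflow.com 8192
"""

# Constructed catalogue: known SaaS host -> functional category (the need it serves).
SAAS_CATALOGUE = {
    "www.dropbox.com": "file sharing",
    "drive.google.com": "file sharing",
    "sharepoint.example-corp.com": "file sharing",
    "trello.com": "project tracking",
    "monday.com": "project tracking",
    "app.webflow.com": "website builder",
    "crm.example-corp.com": "crm",
}

# Constructed allow-list of hosts the ISD has approved.
SANCTIONED_HOSTS = {"sharepoint.example-corp.com", "crm.example-corp.com"}


@dataclass
class AppUsage:
    host: str
    category: str
    users: set
    bytes_out: int
    sanctioned: bool


def parse_proxy_log(text):
    """Yield (user, host, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, user, host, size = parts
        try:
            yield user, host.lower(), int(size)
        except ValueError:
            continue


def discover_apps(log_text, catalogue=SAAS_CATALOGUE, sanctioned=SANCTIONED_HOSTS):
    """Aggregate per-host usage (distinct users, bytes sent) and mark sanctioned hosts."""
    usage = {}
    for user, host, size in parse_proxy_log(log_text):
        if host not in catalogue:
            continue  # not a known SaaS host: outside the scope of this inventory
        entry = usage.setdefault(
            host, AppUsage(host, catalogue[host], set(), 0, host in sanctioned)
        )
        entry.users.add(user)
        entry.bytes_out += size
    return usage


def shadow_it_report(usage):
    """Unsanctioned hosts, largest outbound volume first: the Shadow IT inventory."""
    return sorted(
        (u for u in usage.values() if not u.sanctioned),
        key=lambda u: u.bytes_out,
        reverse=True,
    )


def duplicate_categories(usage):
    """{category: sorted hosts} where more than one application serves the same need."""
    by_category = defaultdict(list)
    for u in usage.values():
        by_category[u.category].append(u.host)
    return {cat: sorted(hosts) for cat, hosts in by_category.items() if len(hosts) > 1}


def large_upload_alerts(usage, threshold_bytes=4 * 1024 * 1024):
    """Unsanctioned file-sharing hosts that received more than threshold_bytes (exfiltration review)."""
    return sorted(
        u.host
        for u in usage.values()
        if not u.sanctioned and u.category == "file sharing" and u.bytes_out > threshold_bytes
    )


if __name__ == "__main__":
    usage = discover_apps(SAMPLE_PROXY_LOG)
    for u in shadow_it_report(usage):
        print(f"unsanctioned {u.host:28} {u.category:18} users={len(u.users)} bytes_out={u.bytes_out}")
    for cat, hosts in duplicate_categories(usage).items():
        print(f"duplicate need '{cat}': {', '.join(hosts)}")
    print("large uploads to unsanctioned file sharing:", large_upload_alerts(usage))
```

The three reports correspond to three of the article's points: the unsanctioned inventory is what a detection tool or CASB produces and what an authorize/restrict/block policy is then written against; the duplicate-category view surfaces the Trello/Monday situation (and sanctioned tools sitting next to their unsanctioned twins); the volume threshold turns the file-sharing exfiltration risk into something an analyst can review rather than guess at. The threshold and the catalogue are the parts a team would tune for its own environment.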
In summary, Shadow IT, although it can increase individual productivity, presents risks that must be anticipated. A balanced solution involves a clear IT policy, good communication, and the deployment of secure and ergonomic tools that meet employees' needs.
In sum, Shadow IT constitutes both a challenge and an opportunity for companies.
It is crucial to understand that its use is not simply a refusal to comply with internal policies, but a sign that existing technological tools may not meet users' needs.
Rather than banning it totally, it would be beneficial to channel this initiative by offering secure alternatives that respect company requirements while meeting user expectations.
This requires constant user awareness, robust IT governance, and a proactive effort to identify and control Shadow IT within the organization.
See how Kabeen can help you regain control of your information system.