Shadow IT is the use of unsanctioned systems and technology:
- Individual employees or departments typically adopt it to meet a specific need.
- It is introduced to enhance productivity or to resolve immediate problems and challenges but gradually becomes embedded into the business.
- The deployment bypasses a formal IT procurement and approval process.
- Often, it becomes part of a business-critical process without awareness within the IT or Information Security departments.
- Documentation is not always readily available, if it exists at all.
The proliferation of Shadow IT introduces many risks:
- Information security is a significant concern with Shadow IT as unapproved software and services may not adhere to the implemented security standards and leave data vulnerable to cyber-attacks.
- Shadow IT can result in non-compliance with industry regulations and legal requirements, leading to fines and reputational damage. Uncontrolled IT systems could, for example, bypass data retention policies.
- The IT and Information Security departments lose visibility and control over technology, and that can disrupt troubleshooting, security monitoring, and ongoing maintenance.
- Unsanctioned IT solutions can lead to unexpected expenses such as:
  - Needing to find specialised skills because of staff turnover
  - Replacing the system with an approved alternative
  - Integrating processes into existing solutions
- When employees use unapproved software tools, it can lead to:
  - Information stored in multiple locations without managed data backups
  - Data fragmentation or data loss, and consequently, the use of incorrect versions of data or incomplete data sets to make decisions.
Countermeasures for addressing Shadow IT include:
- Raise awareness throughout the business about the risks to ensure employees understand the importance of IT policies and procedures.
- Develop and communicate clear IT policies and guidelines for requesting new software solutions.
- Implement IT governance that involves key stakeholders in the decision-making process for IT purchases.
- Maintain an inventory and assess the IT environment to identify unauthorised software or services.
- Work closely with business units to understand their needs and make it easier for employees to use approved alternatives that fulfil their requirements.
- Encourage open communication between IT and other departments to understand their needs and challenges.
- Implement robust security measures to mitigate Shadow IT risks.
- Provide training and support for employees in using approved IT solutions to reduce the motivation to seek or develop unauthorised alternatives.
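The inventory-and-assessment countermeasure above is the one that can be automated. The following Python script is an added example, not part of the original article: it reconciles observed SaaS usage in web-proxy logs against a sanctioned-service list and flags unsanctioned services, marking those used by several distinct people as "embedded", since that is the pattern the article describes for a tool that has quietly become part of a business process. The log format (`timestamp user host bytes`), the service catalogue and the allowlist are all constructed for illustration; a real deployment would feed it the organisation's own proxy or CASB export and its approved-software register.

```python
"""Reconcile observed SaaS usage against a sanctioned-service allowlist (Shadow IT discovery)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log lines in a hypothetical "timestamp user host bytes" format.
PROXY_LOG = """\
2024-05-01T09:00:12 alice drive.google.com 48213
2024-05-01T09:03:45 bob app.trello.com 1933
2024-05-01T09:05:02 carol outlook.office365.com 9120
2024-05-01T09:07:19 dave app.trello.com 2210
2024-05-01T09:09:33 erin www.dropbox.com 300122
2024-05-01T09:11:40 alice app.trello.com 1888
2024-05-01T09:14:05 frank api.notion.so 4501
2024-05-01T09:16:22 bob www.dropbox.com 12200
2024-05-01T09:18:50 carol app.trello.com 1500
2024-05-01T09:20:01 grace intranet.example.internal 700
"""

# Constructed service catalogue: registrable domain -> service name.
SERVICE_CATALOGUE = {
    "google.com": "Google Drive",
    "office365.com": "Microsoft 365",
    "trello.com": "Trello",
    "dropbox.com": "Dropbox",
    "notion.so": "Notion",
}

# Constructed allowlist, standing in for the approved-software register kept by IT governance.
SANCTIONED = {"Google Drive", "Microsoft 365"}

# An unsanctioned service used by at least this many distinct people is treated as
# embedded in a business process rather than a one-off experiment.
EMBEDDED_USER_THRESHOLD = 3


@dataclass
class Finding:
    service: str
    users: frozenset
    total_bytes: int
    embedded: bool


def classify_host(host, catalogue=SERVICE_CATALOGUE):
    """Map a hostname to a catalogue service by matching its registrable suffix; None if unknown."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in catalogue:
            return catalogue[candidate]
    return None


def parse_proxy_log(text):
    """Yield (user, host, bytes) tuples, skipping malformed lines rather than aborting the run."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, user, host, size = parts
        try:
            yield user, host, int(size)
        except ValueError:
            continue


def find_shadow_it(log_text, catalogue=SERVICE_CATALOGUE, sanctioned=SANCTIONED,
                   threshold=EMBEDDED_USER_THRESHOLD):
    """Return (findings, unknown_hosts): unsanctioned services ranked by distinct users,
    plus hosts the catalogue could not classify and which need manual triage."""
    users_by_service = defaultdict(set)
    bytes_by_service = defaultdict(int)
    unknown_hosts = set()
    for user, host, size in parse_proxy_log(log_text):
        service = classify_host(host, catalogue)
        if service is None:
            unknown_hosts.add(host)
            continue
        users_by_service[service].add(user)
        bytes_by_service[service] += size
    findings = [
        Finding(service, frozenset(users), bytes_by_service[service], len(users) >= threshold)
        for service, users in users_by_service.items()
        if service not in sanctioned
    ]
    findings.sort(key=lambda f: (-len(f.users), f.service))
    return findings, sorted(unknown_hosts)


if __name__ == "__main__":
    findings, unknown = find_shadow_it(PROXY_LOG)
    for f in findings:
        tag = "EMBEDDED" if f.embedded else "isolated"
        print(f"{f.service:<12} users={len(f.users)} bytes={f.total_bytes} [{tag}]")
    print("unclassified hosts for manual review:", unknown)
```

The ranking by distinct users, rather than by traffic volume, is deliberate: a single user moving a large file is a data-handling question, while a tool several people rely on is the case the article warns about, one that has bypassed procurement and now carries the cost and continuity risks listed earlier. Unclassified hosts are returned separately so the catalogue itself can be kept current, which is the inventory-maintenance part of the countermeasure.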

Information security, risk management, internal audit, and governance professional with over 25 years of post-graduate experience gained across a diverse range of private and public sector projects in banking, insurance, telecommunications, health services, charities and more, both in the UK and internationally.