Despite its menacing name, the practice of Shadow IT—when employees work with unsanctioned software, hardware, or applications on personal or company devices—is as reasonable as the solutions it provides to sometimes stagnant or unrealistic company policies, such as using only email to communicate internally, when other messaging tools like Slack may be more efficient depending on the team and project.

What is Shadow IT?

Why does Shadow IT exist?

Impatient with the policy constraints of their IT departments, employees tired of red tape seek out more personalized tech solutions, such as Google Drive and Skype to help them conduct business more efficiently, but at the risk of the their company’s data security. A recent IBM survey showed that 33% of Fortune 1,000 employees are using external cloud-based platforms to store and share company data, making it vulnerable to hackers. While the implementation of these utility and content tools certainly satisfies workplace demands, it complicates data compliance for management and IT.

83% of 200 global Chief Information Officers report some level of Shadow IT use at their company. Evidently, the widespread use of Shadow IT reflects the habits and preferences formed in our age of digital transformation: we are encouraged to seek convenient, navigable, empowering, and personalized app-based solutions that promise to enhance and aestheticize user experience. Despite the general awareness of what behaviors Shadow IT encompasses, CIOs remain in the dark: 72% of the same 200 global CIOs did not know the scope of Shadow IT usage in their organization.

Ultimately, Shadow IT arose from a need to address urgent business tasks that outpaced the IT department’s resources, time, or awareness. The fissure in values between the business and IT arms of a company is not just rooted in some vague rivalry over how things should be done, but rather differing workflows, priorities, and limited communication due to a lack of shared responsibilities. Smith and McKeen’s study “Information Technology Budgeting” from Planning for Information Systems discusses how inefficient budgeting process, which consume 30% of management’s time, result in CEO-capped IT budgets that are “always less than the demand.” Still, compared to IT professionals, business employees are generally inexperienced with managing data and maintaining information security.

At the heart of the issue is patience and a society-wide depletion of it. Ideally, employees would befriend and ask an engineer or IT specialist to help them access the data they need rather than potentially corrupting files, which would lead to reduced productivity for both the business and IT teams. In this sense, the motivation behind Shadow IT appears to be an office culture characterized by minimal communication and interdepartmental collaboration. The undetected and unregulated use of Shadow IT at companies housing sensitive data is not just a security issue, but a policy issue that indicates a company’s health, culture, or lack thereof.

It’s also an issue of trust. A reason Shadow IT is such a ubiquitous yet insidious presence at organizations is because the cloud applications employees deploy are mostly known, branded, and verified applications like Dropbox. In other words, many employees prefer external solutions they are comfortable using to the processes and practices of enterprise IT and its channels.


Shadow IT Policies

While many companies do not have a Shadow IT policy, it is vital for large companies to have one in place. Compared to companies with fewer than 5,000 employees, companies with more than 5,000 employees are 23% more likely to have a cloud governance committee to enforce acceptable cloud usage. Despite the obvious value of these policies, data mishandling still occurs at international organizations. From their data analysis of an anonymous Fortune 500 company with 10,000 employees in “Shadow IT: A View from Behind the Curtain,” Silic and Back found that 15% of installed software was illegal, or noncompliant with company policy.

The allure of these instant, user-friendly solutions is no doubt more seductive for the average end user than consulting company-wide IT processes and practices, mobilizing approved solutions, and allocating resources in a way that is both on the record and approved by the company.


Cloud Access Security Brokers

The collaborative and knowledge sharing behaviors that encompass Shadow IT nonetheless remain a violation of information security. A compromise is in order. Integrating a Cloud Access Security Broker (CASB) to seamlessly enforce compliance, security, and governance policies is the reasonable solution to the issue. Next generation CASBs are not just monitoring and notifying admins of Shadow IT policy violations, but actually enforcing them.

Read our White Paper: The Avanan CASB

To simply rule out these helpful cloud services because of urgent security risks is a nearly impossible business choice. In
The Journal of Supercomputing, Ahmad wrote that “Cloud Access Security Brokers are quickly emerging as a must-have security solution for organizations looking to adopt cloud-based applications … CASBs can inspect traffic, alert on anomalous behavior, and … consolidate multiple types of security policy enforcement.” An effective solution to the elusive Shadow IT problem, CASBs secure cloud data, provide visibility, and mitigate risk. There’s just one problem: traditional CASBs only provide partial protection.

Because they rely on an intermediary server, or proxy model, most CASB solutions fail to provide comprehensive protection needed to truly ward off malware and hackers. In other words, hackers could easily bypass the system while employees experience performance and functionality issues like failed updates and reporting. However, with an agile tool like Avanan, a bundled security service that partners with industry leaders like McAfee and Splunk and uses proxy-free API deployment, companies in need of Shadow IT countermeasures enjoy fuller functionality and greater awareness than possible with traditional CASB solutions.


Shadow IT - Conclusion

With cloud-based services so embedded into the pixelated tapestry of our lives, surrendering technological autonomy begins to sound a lot like surrendering fundamental human rights. But Shadow IT and its potential consequences do not have to linger and persist in workplaces large or small. The file sharing apps and collaboration tools that comprise Shadow IT platforms can be easily assessed, regulated, and monitored. To combat the antihero that is Shadow IT, companies must standardize and stabilize cloud-usage internally and externally with advanced, cloud-native CASB solutions like Avanan. 

Secure Your Cloud Today | Free Trial