Managing the Unseen: Shadow IT and Its Security Risks

Posted: 1st June 2022
By: Sara Jelen

Editor’s Note: The following post is an excerpt. To read more, click here.

Cloud computing is beneficial. Many organizations already know this and are reaping the benefits cloud adoption has brought them: reduced IT costs, scalability, more efficient collaboration and, above all, flexibility in accessing the storage and software they need. Users can now engage services and solutions that make their everyday jobs easier with far less friction than before.

That flexibility, however, is a double-edged sword. You might wonder how it can possibly be a bad thing, especially when it makes everyone work more efficiently. The problem is that many of the solutions and software your employees gain access to aren’t under the governance of your IT department. IT usually enforces policies that dictate which software, hardware and other resources are used within the organization, with oversight of how they’re used. Cloud computing means users can obtain the resources they need with a credit card and a browser, and IT has little or no visibility into it. So yes, these resources can improve productivity, but introducing them without the governance and approval of the IT department leads to security risks, data loss, non-compliance and rapid growth of the attack surface.

What is shadow IT?

When something is in a shadow, you don’t know what it is. You don’t know if it’s malicious or completely harmless. How can you even begin to handle and manage something for which you have no overview? Well, your organization’s IT has its own shadow. It’s appropriately named “shadow IT”. Shadow IT is the use of systems, devices, software, apps and services without approval from an organization’s IT department. Most users who employ unauthorized solutions don’t do it with any ill intention but to be more productive at their job.

Shadow IT can include:

  • Hardware and physical devices - smartphones, tablets, IoT, flash drives, external drives
  • SaaS, PaaS, IaaS, and other cloud services - productivity apps, messaging apps, cloud storage
  • Data repositories such as spreadsheets with internal data
  • APIs
  • VPNs
  • Commercial off-the-shelf software

Shadow IT is not all bad, though. While some view it as a potentially dangerous nuisance that needs to be addressed and prevented, others see it as a driver of innovation and a natural symptom of business needs outpacing what IT can deliver. Whatever your stance on shadow IT, it’s here and it’s staying.

Why is shadow IT so prevalent?

If there are employees in an organization, there is shadow IT. Statistics show that 80% of end users use unapproved software and services. Shadow IT used to mean software that impatient employees downloaded and installed themselves, but it was never as prevalent as today’s packaged cloud services, nor as easy to adopt: signing up is now a click of a button, and no installation is required. Shadow IT also now includes the personal technology and devices employees bring in, a trend amplified by remote work and BYOD policies.

Rapid growth of the business landscape has increased the need for additional applications that make employees’ daily tasks easier and more efficient. Numerous business, productivity, storage, automation and other applications are available in the cloud, and they do drive innovation, productivity and efficiency. It’s easy to see why they’re so enticing and why employees don’t hesitate to sign up for and use them. Corporate-sanctioned solutions may be incompatible with users’ devices, and they may also be slower, outdated and less effective. Combine this with the often long and tiring process of seeking approval from an IT department, and it’s clear why shadow IT keeps growing.

One thing is certain: shadow IT is inevitable, so the productive response is not to “fight it” but to understand its risks and manage it appropriately.

Risks associated with shadow IT

There are numerous cybersecurity risks associated with unmanaged and ignored shadow IT in an organization, and some of the more prevalent are:

Lack of visibility

The main security risk of shadow IT is the lack of visibility into, and control over, the organization’s network and infrastructure. Lack of visibility is the root of every other risk listed here: every unknown service, device or data store is a potential entry point that no one is monitoring or defending, and attackers are free to exploit it.

Without seeing and managing all parts of their infrastructure, IT teams don’t know what is interacting with their resources, whether those interactions are secure, or what kind of data is involved and potentially exposed.


Organizations are subject to various laws, regulations and standards—and failure to adhere to them can result in lawsuits, fines, brand reputation and loss of business. Introduction of shadow IT and the use of unmanaged apps and software can make it harder for organizations to comply with all of those regulations. In fact, the mere use of shadow IT itself can be considered a violation.

Data leaks

Every application has its own privacy controls and security measures. Sometimes their security is on par with an organization’s requirements for approved IT, but other times they are riddled with vulnerabilities through which malicious actors can gain access to users’ data. Even if an app has good security controls, not all employees are tech-savvy enough to configure and use it securely. And when a vulnerability is found and a patch is issued, who can guarantee that employees will apply the update, given that IT doesn’t even know the app is in use?

When no one manages shadow IT, apps and services transmit and process company data outside every security control the organization has put in place, which can lead to data leaks and much worse.

Increase of attack surface

An organization’s attack surface is the sum of every point in its network and software environment that is exposed to malicious attackers, together with all the ways in which those apps and services can be exploited. Shadow IT is part of it whether or not IT knows about it: the more apps, services and devices involved, the greater the attack surface and the more entry points your organization offers to attackers.

Shed light on your shadow IT with Attack Surface Intelligence

Attack Surface Intelligence can increase your awareness of your internet-facing infrastructure by providing you with a detailed digital inventory of all critical and shadow assets. With our simple and automated asset analysis, you’ll be able to detect and understand different security risks these assets pose to your organization. And that’s not all—to be truly proactive about your shadow IT, you’ll also be able to detect any changes across your entire online infrastructure, and be notified when any new changes are made.
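The core of the approach described above, and of the visibility problem discussed under “Lack of visibility”, is a diff between what IT believes it owns and what is actually observable from the outside. The following is an added example, not code from the original post and not SecurityTrails’ Attack Surface Intelligence implementation. It assumes two constructed inputs: an approved-asset inventory (the kind of list a CMDB export would give you) and two certificate-transparency-style snapshots of hostnames seen under the organization’s domains, taken a week apart. Everything flagged as “shadow” is a host that is publicly reachable but absent from the inventory; the snapshot comparison is the change detection the paragraph above refers to.

```python
"""Shadow asset discovery by inventory diff.

Added example (not the original post's or any vendor's code). The inventory and the
CT-log-style snapshots below are constructed samples; real input would come from a
CMDB export and a certificate transparency / passive DNS feed.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed: the hostnames IT has sanctioned. Mixed case on purpose, to show
# that the inventory is normalised the same way the observations are.
APPROVED_ASSETS = {
    "www.example.com",
    "Mail.example.com",
    "vpn.example.com",
    "api.example.com",
}

# Organisation domains that are in scope; anything outside them is ignored.
ORG_DOMAINS = ("example.com",)

# Constructed CT-log-style records: each record lists the SAN names on one certificate.
CT_SNAPSHOT_WEEK1 = json.dumps([
    {"issuer": "Let's Encrypt", "names": ["www.example.com", "WWW.EXAMPLE.COM."]},
    {"issuer": "DigiCert", "names": ["*.example.com"]},
    {"issuer": "Let's Encrypt", "names": ["staging-crm.example.com"]},
    {"issuer": "Let's Encrypt", "names": ["notexample.com", "app.example.org"]},
])
CT_SNAPSHOT_WEEK2 = json.dumps([
    {"issuer": "Let's Encrypt", "names": ["www.example.com"]},
    {"issuer": "DigiCert", "names": ["*.example.com"]},
    {"issuer": "Let's Encrypt", "names": ["staging-crm.example.com"]},
    {"issuer": "Let's Encrypt", "names": ["files.marketing.example.com",
                                          "jenkins.example.com"]},
])


def normalise(name: str) -> Optional[str]:
    """Canonicalise a hostname for comparison.

    Lower-cases, strips a trailing dot, drops wildcard entries (a wildcard
    certificate names no concrete host) and drops names outside ORG_DOMAINS
    (note that "notexample.com" must not match "example.com").
    """
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        return None
    if not any(name == d or name.endswith("." + d) for d in ORG_DOMAINS):
        return None
    return name


def hosts_from_snapshot(snapshot_json: str) -> set:
    """Flatten one snapshot into the set of concrete in-scope hostnames."""
    hosts = set()
    for record in json.loads(snapshot_json):
        for raw in record.get("names", []):
            host = normalise(raw)
            if host:
                hosts.add(host)
    return hosts


@dataclass
class Report:
    shadow: set = field(default_factory=set)          # observed, not in inventory
    new_since_last: set = field(default_factory=set)  # appeared since previous snapshot
    gone_since_last: set = field(default_factory=set) # disappeared since previous snapshot
    approved_unseen: set = field(default_factory=set) # in inventory, not observed externally


def inventory_diff(previous_json: str, current_json: str, approved: set) -> Report:
    """Compare the current external view against the inventory and the previous view."""
    approved_norm = {h for h in (normalise(a) for a in approved) if h}
    prev = hosts_from_snapshot(previous_json)
    cur = hosts_from_snapshot(current_json)
    return Report(
        shadow=cur - approved_norm,
        new_since_last=cur - prev,
        gone_since_last=prev - cur,
        approved_unseen=approved_norm - cur,
    )


if __name__ == "__main__":
    report = inventory_diff(CT_SNAPSHOT_WEEK1, CT_SNAPSHOT_WEEK2, APPROVED_ASSETS)
    for label, hosts in (("shadow assets", report.shadow),
                         ("new since last snapshot", report.new_since_last),
                         ("gone since last snapshot", report.gone_since_last),
                         ("approved but not observed", report.approved_unseen)):
        print(f"{label}: {sorted(hosts) or '-'}")
```

Two details matter in practice. The domain check compares on label boundaries, so a lookalike such as `notexample.com` does not slip into scope, and the inventory is normalised exactly like the observations, otherwise a capitalisation difference in the CMDB would turn an approved host into a false “shadow” finding. The `approved_unseen` set is worth reviewing too: a host IT believes is internet-facing but that never shows up externally may have been decommissioned without the inventory being updated.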

To ensure a good overview of your infrastructure, and if and where you have shadow IT, request a demo of Attack Surface Intelligence today.
