Top Five Risks of Shadow IT

What is “Shadow IT?” It may sound sinister, but it’s simply the practice of using software and other systems outside of—and without the knowledge of—your organization’s IT department.

As the use of Software as a Service (SaaS) continues to grow rapidly, so does Shadow IT. Employees can now bypass the software provided and managed by their IT department and sign up for alternatives that are widely available for a low monthly fee, or for free, with the click of a button.

Why might employees use unapproved software? It varies from organization to organization. Sometimes employees believe it improves efficiency to use certain tools, or they believe they need those tools to do their jobs. Maybe they want to use software they’re already familiar with from a past job, or they simply grow impatient waiting on their organization to make a decision. They might even think they’re saving the organization money by not involving IT.

But Shadow IT brings risks. We’ll look at the five main ones in detail here.

1. Data Security and/or Loss

With the consumerization of technology, even a smaller organization may have hundreds of Shadow IT applications in use. If the IT department is not aware of tools being used, that means it is also not aware of where organizational data is being kept. This presents a security gap.

Although some applications are harmless, others include functionality such as file sharing, storage, or collaboration, which can present big risks to an organization—especially if these applications contain sensitive data.

  • 39 percent of organizational data uploaded to the cloud is through file-sharing applications
  • The average organization shares documents with 826 external domains
  • Each employee uses on average four file sharing applications

If IT is not aware of these applications, it cannot include them in data backups, which means it cannot recover data that is lost. Nor can it ensure that these applications have the proper security settings in place (for example, multi-factor authentication, and sharing links that are not open to anyone who has the URL) to prevent bad actors from gaining access. Accounts that staff created themselves also tend to stay active after an employee leaves, because nobody in IT knows they exist to revoke them.

2. Compliance

Requirements for IT compliance are becoming increasingly stringent. No matter the organization, regulatory compliance is likely critical, with numerous standards to comply with—everything from GDPR to industry-specific regulations like HIPAA. The use of Shadow IT can potentially lead to fines for violating these compliance requirements.

Because IT has neither control over nor visibility into them, unsanctioned public cloud services make it very difficult for an organization to demonstrate compliance: it cannot show an auditor where regulated data is stored, who has access to it, or whether the required contractual terms (such as a HIPAA business associate agreement or a GDPR data processing agreement) are in place with the provider.

3. Finances

Compliance failures might lead to financial penalties being imposed on the organization or management. But Shadow IT can cost your organization in a number of other ways—for example, in revenue losses due to data loss or disrupted business processes.

Duplication of software can also cost your organization in operating and licensing fees. At a single nonprofit, staff might use different email, file sharing, sales and marketing automation, project collaboration, messaging, and other cloud capabilities.

For example, let’s say your organization has 200 employees with one department of 100 employees who prefer Slack over Rocketchat and another department of 100 employees who choose to use the Rocketchat app.

Your organization might pay $12,000 annually for 100 employees to use Slack and $24,000 for 100 employees to use Rocketchat. That’s $36,000 per year for 200 people to use their preferred internal communications tool, much of it unnecessary, especially when your IT team might be able to migrate everyone to a tool already covered by an existing license, such as Microsoft Teams if the organization already subscribes to the Microsoft 365 suite.

4. Inefficiencies and Productivity Losses

By its nature, Shadow IT happens without most people’s knowledge, which means an organization can very quickly end up with multiple staff members or teams using different tools, or the same tool under separate, unconnected accounts.

Since each team administers its own software, there are often no standards or best practices, and employees use the software with little training. This carries more risk than standardizing on a single solution with a centralized administrator, or at least with peers who can provide support.

While nonprofits should aim for clear ownership and organization-wide best practices, sometimes you just need to get the job done. If your organization does choose to allow a staff member or department to implement and manage its own software, do it “eyes wide open”: make sure the IT team knows who is responsible for that software in the case of a billing, support, or other issue, and who can reset or revoke access to it when that person leaves.

5. Poor Decision-Making

Organizations can’t manage what they don’t know about or can’t measure. Shadow IT adds to this confusion, especially around compliance, but the lack of visibility into where data lives and how people actually work shows up in many other areas, from budgeting to vendor selection, and makes sound decisions harder to reach.

Managing Shadow IT is all about making intentional business decisions about the technology your organization uses. To do that, you need the facts, so start by gaining as much visibility as possible into what software your organization is actually using: review web proxy or DNS logs for SaaS domains, look at expense reports for recurring subscriptions, and check single sign-on or OAuth consent records for apps staff have connected to their work accounts. Nonprofits need to plan budgets and make technology decisions for the months and years to come, and without visibility into what you have today, planning for tomorrow becomes even more difficult.
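As an added illustration of the log-review approach (this is example code written for this article, not a Tech Impact tool or anything the organizations named above publish), the script below takes a small, constructed sample of web proxy records in a simplified "timestamp user host" format, collapses each hostname to its registrable domain, and produces two views IT can act on: which services are in use that are not on the sanctioned list, ranked by how many distinct users touch them, and which categories have more than one tool in use (the duplication problem from the Slack/Rocketchat example). The log format, the sanctioned list, and the small SaaS catalogue are all assumptions for the example; a real proxy, firewall, or DNS export will look different and the catalogue would need to be far larger.

```python
"""
Shadow IT discovery from web proxy logs.

Added example for this article, not a Tech Impact tool. It assumes a
constructed, simplified record format "timestamp user host"; real exports
from Squid, a firewall, or a DNS resolver differ, so adapt parse_line().
"""
import re
from collections import defaultdict

# Constructed sample records (not a real export). The last two lines are
# deliberately malformed to show that bad records are skipped, not fatal.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice app.slack.com
2024-03-04T09:12:05Z alice files.slack.com
2024-03-04T09:13:10Z bob teams.microsoft.com
2024-03-04T09:14:22Z carol www.dropbox.com
2024-03-04T09:15:00Z dave wetransfer.com
2024-03-04T09:15:30Z alice www.dropbox.com
2024-03-04T09:16:02Z erin trello.com
2024-03-04T09:16:40Z bob app.slack.com:443
2024-03-04T09:17:15Z frank login.microsoftonline.com
2024-03-04T09:18:00Z grace unknown-tool.example
this is malformed
malformed line that should be skipped
"""

# Registrable domains IT already manages, backs up, and licenses
# (assumed list for the example; replace with your own inventory).
SANCTIONED = {"microsoft.com", "microsoftonline.com", "office.com", "sharepoint.com"}

# Small SaaS catalogue with a coarse category, used to spot duplicate tools.
# A real deployment would use a much larger, maintained catalogue.
KNOWN_SAAS = {
    "slack.com": "messaging",
    "dropbox.com": "file sharing",
    "wetransfer.com": "file sharing",
    "trello.com": "project collaboration",
}

# ISO-8601 timestamp, user, host with optional :port. Anything else is skipped.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(\S+)\s+([A-Za-z0-9.-]+)(?::\d+)?$"
)


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (app.slack.com -> slack.com).

    Simplification for the example: a production tool should consult the
    Public Suffix List so that e.g. 'foo.co.uk' is not collapsed to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (timestamp, user, registrable_domain) or None for a bad record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host = m.groups()
    return ts, user.lower(), registrable_domain(host)


def build_inventory(log_text: str, sanctioned=SANCTIONED, known=KNOWN_SAAS) -> dict:
    """Map each domain seen to its users, request count, category and status."""
    inv = defaultdict(lambda: {"users": set(), "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record: skip rather than abort the whole run
        _, user, domain = rec
        inv[domain]["users"].add(user)
        inv[domain]["requests"] += 1
    for domain, entry in inv.items():
        entry["category"] = known.get(domain, "unclassified")
        entry["sanctioned"] = domain in sanctioned
    return dict(inv)


def unsanctioned_report(inv: dict) -> list:
    """Unsanctioned domains, most widely used first: [(domain, users, category)]."""
    rows = [(d, len(e["users"]), e["category"]) for d, e in inv.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def duplicate_tools(inv: dict) -> dict:
    """Categories in which more than one distinct catalogued tool is in use."""
    by_cat = defaultdict(list)
    for d, e in inv.items():
        if e["category"] != "unclassified":
            by_cat[e["category"]].append(d)
    return {c: sorted(ds) for c, ds in by_cat.items() if len(ds) > 1}


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_LOG)
    print("Unsanctioned services (domain, distinct users, category):")
    for row in unsanctioned_report(inventory):
        print("  ", row)
    print("Duplicate tools per category:", duplicate_tools(inventory))
```

The ranking by distinct users, rather than by request volume, is deliberate: one heavy user of an unknown tool is a conversation, while a tool that half a department has quietly adopted is an ownership, licensing, and backup decision waiting to be made. Unclassified domains are still reported so that new services are not silently ignored just because the catalogue has not caught up with them.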

Need help managing your organization’s software assets, tracking licenses and updates, or providing security or training? Tech Impact can help you manage and monitor your existing assets and select and implement new ones, reducing your risk to help you make more-informed business decisions. Learn more about how we can help you.
