What is shadow IT and how do I manage it?

by Jenn Marshall

This is the first in a series of four posts about shadow IT, including how and why teams use unapproved apps and devices, and approaches for securely managing it.

Whether or not you’re familiar with shadow IT, know this: it’s everywhere. Fighting it is like playing a game of whac-a-mole: Try to eliminate it and it will pop up again elsewhere.

So what are IT and Security to do? A more realistic approach is to enable and secure it, so you can get the benefits of shadow IT without the security vulnerabilities it brings with it. Read on to find out how.

For a complete overview of the topics discussed in this series, download Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.

In this series, we’ll cover:

  • Why shadow IT is a thing
  • Worker burnout and its impact on shadow IT
  • Common security vulnerabilities in HR, finance, marketing, and developer workflows
  • How IT teams can adapt
  • Understanding developers’ unique secrets management needs

What is shadow IT?

Traditionally, employees used the software applications provided and licensed by their company to do their work. IT and security teams were effective gatekeepers, securing and managing access with identity and access management (IAM) tools like single sign-on (SSO).

Today, there’s an app for… everything. Grammar checking apps. Language translation apps. And a whole new, emerging category of AI apps. The choices are many and they are compelling. In fact, in 2021, 1Password research revealed that more than 60% of respondents said they had created at least one account their IT department didn’t know about.

That’s shadow IT: any technology (usually a personal device or a cloud service) employees are using without the Security or IT department managing it – and sometimes not even knowing about it. You may think there’s not much shadow IT at your organization, but the reality is that it’s there, and you’ll find it across any number of teams. If Microsoft Word isn’t managed by IT, it’s shadow IT. Same if workers are using Google Docs for collaboration, or Dropbox for file sharing, or any other cloud service.

While employees adopting “unofficial” websites or apps may seem like no big deal to some, IT and security teams know that entering company information or client data on these websites and apps can cause vulnerabilities that may result in a data breach.

Benefits of shadow IT

Why do employees use shadow IT? Why are they making security and IT’s job more difficult? First, most employees probably don’t realize the impact their actions have on security and IT.

Second, there are benefits to shadow IT. Use of shadow IT is not malicious. It’s about productivity, innovation, meeting deadlines, and doing good work. When the work pressure is high, employees look for tools to help. When someone’s on a tight deadline, security risk is often the last thing on their mind – especially if they’re feeling stressed or burned out (we’ll touch more on the security challenges of worker burnout in the next post).

So people will simply turn to the tools that help them get the job done.

Examples of shadow IT

What does shadow IT look like in the wild? There are countless examples of shadow IT, and use varies by team and role.

For instance, finance teams need to quickly share data with external partners like auditors, board members, or investors. HR teams commonly use external platforms for recruiting and hiring. And the marketing department wants apps to streamline tasks like customer relationship management (CRM), project management, and collaboration with external partners.

If there are no apps in the suite of company-managed tools with the functionality they’re looking for, workers will solve those inefficiencies themselves with shadow IT.

A growing problem: shadow IT security risks

Survey says: Nearly three-quarters of North American companies have deployed single sign-on (SSO) tools. But despite that adoption, 30% of applications used by employees are not managed by the company.

Why? In addition to the plethora of apps at their disposal, hybrid work environments enable employees to split time between home and office. Some remote-first companies no longer even have office space, making bring-your-own-device (BYOD) even more common.

And when working from home, employees may be more relaxed about security risks, opting for the convenience of personal devices such as laptops or smartphones when accessing work emails and documents. One survey shows that 55% of employees say they use personally owned smartphones or laptops for their work at least some of the time.

Just like they find apps for personal use, many employees do the same when it comes to work – creating accounts for apps without going through IT, either because they aren’t thinking about security measures, or because they just want to get something done.

The uptick in app usage is huge: a Gartner survey shows that the average employee uses 2x more SaaS applications today than they did in 2019.

Why SSO isn’t enough to mitigate risks of shadow IT

While single sign-on (SSO) tools are an important first step for securing access to enterprise tools, they fall short when it comes to managing shadow IT.

SSO can only secure access to apps the company or IT department knows about. Shadow IT, by definition, is a blind spot: every unmanaged app is a gap in the company’s identity and access management strategy, and those gaps are exactly where shadow IT lives.

There’s also a cost factor: it can be expensive for tools to be integrated and managed by an SSO vendor, with some software-as-a-service (SaaS) apps charging extra to be put behind SSO – a cost known as the SSO tax.

If SSO tools aren’t sufficient for managing security risks of shadow IT, what should companies do? Fight it? Try to stop shadow IT use? That’s unrealistic and unsustainable. The only viable path forward is to embrace it.

A new approach: embracing shadow IT

When nearly a third of applications used by employees aren’t being managed by their companies, it’s time to pause and figure out a better path forward.

You can’t realistically eliminate shadow IT. Therefore, the challenge is to enable and secure it so teams can access the tools they want to use, but in a secure way.

This can be achieved by making sure that each employee – on every team and across different data access points – has comprehensive protection. Approaching the issue at the individual level is important because shadow IT looks different for different roles and departments.

Where do you start? It’s most important to secure credential sharing and standardize how access to tools happens – so you can secure that access.

For example, for the finance team, access to things like bank accounts needs to be locked down – and they need secure methods for file sharing. For marketing teams that use and test apps like social media and messaging platforms, it’s critical to make sure only approved team members have the appropriate access to social profiles.

Applying the principle of least privilege (PoLP) can also help. That means making sure that employees have the minimum amount of access they need to do their jobs. For example, HR probably doesn’t need access to marketing analytics or campaign spend details.

It’s up to IT and security to figure out how to secure and enable these systems. 1Password can help. 1Password is an enterprise password manager (EPM) that provides teams with a centralized solution to use, access, and share critical company data with role-based access controls and ensures employees adhere to your security policies. EPMs can help you make the easy way to work the secure way to work.

Bring shadow IT into the light

Shadow IT is here to stay. It will likely continue growing, especially as new cloud services like generative AI garner wider use. And as it does, if left unchecked, it can increase your company’s attack surface, expose sensitive data (sometimes inadvertently), and increase the risk of a data breach.

In other words, no cybersecurity plan is complete without addressing shadow IT.

In the coming weeks, we’ll explore shadow IT in more depth here on the 1Password blog, including how to do more with less with valuable IT resources. In the meantime, you can learn how to manage shadow IT, shore up your data security, and protect your company against cyberattacks by downloading Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.
