Shining a Light on Shadow IT

Categories: Procurement Goals | Reduce Risk | Improve Credibility. Published on: Aug 29 2018

What is Shadow IT?

Shadow IT refers to any IT applications, services or tools that are not approved by, or integrated into, an organization’s IT network. The software may be unlicensed and is neither controlled nor authorized by the organization. Typical shadow IT applications include file transfer, data exchange and team collaboration tools, task managers, messaging programs and other software. Popular examples include messaging services such as Google’s email and chat features, or Dropbox’s data storage solutions.

Why are businesses using shadow IT?

The use of shadow IT has been growing among businesses because many unauthorized applications offer immediate access with no installation or implementation time. Having software and services implemented through an organization’s internal IT systems, on the other hand, generally takes a substantial amount of time. Moreover, the traditional implementation process for new software generally impedes any project that needs the software or service on short notice. By using shadow IT software and services, employees circumvent the long IT vetting process and immediately use the (often free) software to get their tasks completed.

Moreover, during the three years to 2018, ProcurementIQ estimates that the percentage of services conducted online has increased 4.8 percentage points as more businesses use the internet to conduct operations that were formerly done in person. Due to the increased use of online applications, more businesses are experiencing a rise in shadow IT usage.

How much are businesses and employees actually using shadow IT?

According to a 2016 study conducted by Microsoft, 80% of employees admitted to using nonintegrated or nonapproved software to conduct on-site work, and the trend is only rising. Furthermore, research from NTT Communications has indicated that 78% of decision-makers have used third-party cloud applications without the knowledge or approval of their internal IT departments, which creates uncertainty because the internal IT department does not know what risks users are being exposed to.

What are the dangers and risks of having employees use shadow IT applications?

Data security has become an increasingly important issue in recent years. Many organizations handle highly sensitive information, such as the private information of clients or closely guarded intellectual property. Moreover, several security breaches that resulted in the theft of private client information have occurred over the past three years. Such occurrences not only expose highly confidential information, they also harm brand credibility for those companies that experienced the data breach.

The largest danger related to shadow IT is that the organization cannot control or monitor the level of application security. For example, an employee may use a file storage and data transfer application to move sensitive files to other employees. This creates risk because the security of the files is out of the organization’s control and is instead in the hands of an employee who may not exercise proper precautions to safeguard the information. Using these unsanctioned applications puts the company’s private information at risk and creates the potential for liability, financial loss or the theft of intellectual property.

Furthermore, the use of shadow IT can lead to the installation of malware on the organization’s IT systems. Facebook, Skype and Twitter are examples of popular sites that often lead to malware. Users may click on misleading links to malicious applications without realizing that they are introducing harmful software to their organization’s systems. In highly sensitive markets where quick and accurate access to information is crucial to carrying out tasks, malware introduced into the organization’s systems can disrupt operations or lead to the theft of sensitive information, such as intellectual property, merger and acquisition plans or the company’s financial performance. Malware installed as a result of shadow IT use could also interfere with regulatory compliance. For example, theft of data on a company’s financial performance prior to an official earnings release could harm potential shareholders. As a result, such data theft could lead to issues with SEC compliance, which requires information about company performance to be distributed to the public in a specific manner.

Where can businesses go for help with shadow IT?

Due to the increasing use of shadow IT, businesses are advised to consult data privacy consulting services. These services help buyers design secure network databases to prevent unauthorized third parties from accessing buyers’ data. ProcurementIQ estimates that the average price for data privacy consulting services in 2018 is about $301 per hour; however, prices range from $75 to $450 depending on the needs of the buyer. In the past three years, demand for data privacy consulting services has been growing due to a rising number of high-profile data breaches among the world’s largest companies. According to ProcurementIQ, rising demand for data privacy consulting services has prompted estimated annualized service price growth of 1.4% in the three years to 2018. Over the next three years, cyber threats are expected to become more advanced and demand for data privacy consulting services is projected to grow faster, resulting in forecast annualized price growth of 2.5%.

What are shadow IT best practices?

The use of shadow IT within an organization indicates where existing IT infrastructure is lacking. By understanding which shadow IT applications their employees are using, companies can assess better ways to integrate such functionality into their own IT ecosystem and reduce potential loss or damage to their IT assets. However, it is important for businesses to assess the risk of any shadow IT application immediately, before any other considerations are made.

  • Discuss with the procurement department the potential to purchase services and/or hardware that will ensure data safety. Products and services that can ensure IT safety and compliance include data privacy consulting services, network firewall security equipment and data masking software.

  • Determine how much shadow IT is being used within the organization. Many businesses can use automated software tools from cloud access security brokers (CASBs) such as Skyhigh Networks, Symantec and Netskope to determine the impact of shadow IT and develop solutions to mitigate risk. However, some companies may require the manual discovery of shadow IT through either employee surveys or the monitoring of data usage.

  • Upon determining what types of shadow IT are being used, buyers should assess the need for controls and restrictions. Businesses should determine the riskiest shadow IT applications and be sure to control, eliminate or ban them. The organization’s IT department can ban certain sites or communicate with employees about pertinent shadow IT policies.

  • Procurement can explore if there are business or enterprise versions of the shadow IT applications that employees use the most. For example, Skype for Business or Dropbox Business will allow employees to continue using the technology they love, but the organization will have more control over the security of the application.
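The manual discovery step above (monitoring data usage to find unsanctioned applications) can be approximated from web-proxy logs, as in this added example; it is not ProcurementIQ's code, and the log lines, the sanctioned-app inventory and the file-sharing domain list are constructed assumptions. Destinations matching a sanctioned product are dropped, and the rest are ranked so that unsanctioned file-sharing services with the largest upload volume surface first for review.

```python
"""Shadow IT discovery over web-proxy logs (constructed sample data)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical inventory of sanctioned apps: domain suffix -> product name.
SANCTIONED = {
    "dropbox.com": "Dropbox Business",
    "teams.microsoft.com": "Microsoft Teams",
}

# Hypothetical list of consumer file-sharing domains, weighted as riskier.
FILE_SHARING = {"wetransfer.com", "drive.google.com", "mega.nz"}

# Constructed proxy log lines: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2018-08-29T09:01:12 alice POST https://www.dropbox.com/upload 2048000
2018-08-29T09:05:40 bob POST https://wetransfer.com/api/v4/transfers 73400320
2018-08-29T09:07:01 bob GET https://teams.microsoft.com/ 512
2018-08-29T09:12:55 carol POST https://drive.google.com/upload 10485760
2018-08-29T09:15:00 carol GET https://mail.google.com/ 300
2018-08-29T09:20:30 alice POST https://mega.nz/api 5242880
"""


def sanctioned_app(host):
    """Return the sanctioned product for host (suffix match), else None."""
    for suffix, name in SANCTIONED.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def discover_shadow_it(log_text):
    """Aggregate unsanctioned destinations: users seen and bytes uploaded."""
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        _ts, user, method, url, nbytes = line.split()
        host = urlsplit(url).hostname
        if sanctioned_app(host):
            continue  # approved tool, nothing to flag
        report[host]["users"].add(user)
        if method == "POST":  # only count data leaving the organization
            report[host]["bytes_out"] += int(nbytes)
    return dict(report)


def riskiest(report, top=3):
    """Rank hosts: file-sharing services first, then by upload volume."""
    key = lambda h: (h in FILE_SHARING, report[h]["bytes_out"])
    return sorted(report, key=key, reverse=True)[:top]
```

The ranked output is a starting point for the control decisions in the next step, not a verdict; a destination such as a webmail host may be low-volume yet still merit review.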


By: Andrew Krabeepetcharat, ProcurementIQ Analyst
