Shadow IT: The Hidden Risks of Employee DIY Initiatives

Shadow IT is incredibly common. Hybrid work, work-from-home, and bring-your-own-device scenarios have blurred the lines between work and personal IT tools. When employees feel that IT isn’t providing them with the tools or equipment they need, they’re more likely to look for their own solutions.


Employees and employers alike often see the behavior as “taking initiative” and “having an entrepreneurial mindset.” And while those are traits employers want to encourage, using non-approved technologies creates a risk known as “Shadow IT.” 

For employers, it can be tempting to look the other way, allowing employees to shoulder the cost and administration of using their own tools. Our goal is to give you the information you need to decide whether that is worth the risk.

What is Shadow IT?

Shadow IT refers to any software or hardware used by employees without permission from the IT department. Common examples include:

  • Subscribing to SaaS apps like Canva to perform work functions
  • Building low-code apps with Power Platform or similar platforms, or generating them with AI-assisted tools
  • Setting up software integrations with Zapier, Make, or similar programs
  • Using file storage services like Dropbox or Google Drive for work documents
  • Using personal email accounts or messaging apps for business communications
  • Using personal cell phones or computers for work purposes

While these actions often stem from good intentions, they can create significant security, compliance, and operational risks.

Risks of Shadow IT

Though it may seem harmless on the surface, Shadow IT can introduce serious issues:

  • Security vulnerabilities: Unapproved tools may not meet company security standards. Customer information or other sensitive data may be stored or transmitted insecurely. Once information is stored outside of the company’s security perimeter, you have little to no control over how that information is used.
  • Data loss and leaks: IT teams cannot protect what they don’t know exists. Lost devices or hacked accounts using shadow tools can lead to data breaches. We’ve seen companies lose vital data when an employee leaves because no one has the login credentials.
  • Compliance violations: Companies subject to regulations (e.g., GDPR, HIPAA) risk non-compliance when data is processed through unauthorized channels.
  • Operational inefficiencies: When employees work outside of the IT framework, it is hard to build integrations and workflows, leading to data silos and redundancy. These inefficiencies can create confusing customer experiences. For example, a customer may wonder why they are still receiving emails from one department after unsubscribing from your company’s marketing.
  • Increased overhead costs: If your employees are buying equipment and services on their own and submitting expense receipts, you may not realize you’re paying twice for the same tool or paying for software that no one is using.

How to reduce the risks of Shadow IT

IT departments cannot possibly monitor or write policies for every scenario. Your goal should be to reduce the need for Shadow IT by providing the tools employees need to work efficiently. Give employees guidelines that are clear, and explain why IT policies are in place.

Microsoft 365, Google Workspace, and most security products have administrative settings you can use to enforce security standards. Some of the most common ones we use include:

  • Routing all outbound traffic through a known pool of IP addresses, so that SaaS tenants can be restricted to those egress addresses
  • Blocking automatic forwarding of email to external domains, and auditing the inbox rules and mailbox forwarding settings that already exist
  • Setting up Teams and SharePoint file sharing policies (for example, disabling anonymous “anyone” links)
  • Using Microsoft 365 Defender and link protection
  • Setting up Digital Rights Management
  • Using mail filtering to scan every inbound attachment and detonate suspicious ones in a sandbox before delivery
  • Creating email encryption policies that automatically encrypt messages containing certain keywords or sensitive data patterns
  • Blocking access to adult-content or shopping sites with web filtering
  • Dynamically monitoring network traffic to spot anomalies, such as a user sending a large volume of files to an external site or email address
  • Mandating anti-virus software on BYOD devices
  • Limiting access to sensitive systems until employees have been with the company for 90 days
  • Promptly offboarding employees and consultants, revoking their accounts and shared links so they can’t access your materials
  • Setting up a litigation hold to preserve a copy of every email
  • Blocking removable storage such as USB thumb drives
  • Implementing cloud app discovery and other monitoring tools to find SaaS use you don’t know about
  • Auto-locking screens after a set period of idle time
  • Enforcing use of a password manager (like 1Password) instead of ad-hoc password sharing
  • Giving employees locks for drawers or offices so papers aren’t left visible
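Several of the controls above (blocking external forwarding, sharing policies, and traffic monitoring) only pay off if you also look for the Shadow IT that is already in place. The script below is an added illustration, not code from the original post or from any vendor tool: it runs three discovery checks over audit records and web-proxy lines. Every record and log line is constructed for the example; the record shape (Operation, UserId, Parameters, ObjectId) is loosely modelled on Microsoft 365 unified audit log entries but is an assumption, not a schema guarantee. The tenant domain example.com, the approved-host list, and the upload threshold are hypothetical values you would replace with your own.

```python
"""Shadow IT discovery over constructed audit and proxy logs (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

CORPORATE_DOMAINS = {"example.com"}            # hypothetical tenant domain
APPROVED_HOSTS = {"example.sharepoint.com",      # hypothetical approved SaaS
                  "example-my.sharepoint.com", "teams.microsoft.com"}
UPLOAD_COUNT_THRESHOLD = 3                      # POSTs to one external host per user

# Audit parameters that send mail somewhere else (inbox rules and mailbox settings).
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

# Constructed records, not real log data; shape loosely follows the M365 unified audit log.
AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "archive"},
                    {"Name": "ForwardTo", "Value": "alice.home@mail.example.net"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Identity", "Value": "to-manager"},
                    {"Name": "RedirectTo", "Value": "carol@example.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "frank@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:frank.work@webmail.example.org"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "AnonymousLinkCreated", "UserId": "dave@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/finance/Q3-forecast.xlsx"},
    {"Operation": "SharingSet", "UserId": "dave@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/finance/budget.xlsx",
     "TargetUserOrGroupName": "carol@example.com"},
]

# Constructed proxy log: "<timestamp> <user> <method> <url> <bytes>" per line.
PROXY_LOG = """\
2024-05-01T09:02:11Z erin@example.com POST https://www.dropbox.com/upload 4200000
2024-05-01T09:05:40Z erin@example.com POST https://www.dropbox.com/upload 3900000
2024-05-01T09:07:02Z erin@example.com POST https://www.dropbox.com/upload 5100000
2024-05-01T09:09:55Z erin@example.com POST https://www.dropbox.com/upload 2800000
2024-05-01T10:12:00Z gina@example.com POST https://example.sharepoint.com/_api/upload 9000000
2024-05-01T10:30:13Z gina@example.com POST https://www.canva.com/api/upload 1200000
2024-05-01T11:00:00Z erin@example.com GET https://www.dropbox.com/home 1500
"""


def _domain(address):
    """Domain part of an SMTP address; strips the 'smtp:' prefix Exchange uses."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1]


def external_forwards(records):
    """Inbox rules or mailbox settings that forward mail outside the corporate domains."""
    hits = []
    for rec in records:
        for param in rec.get("Parameters", []):
            if param["Name"] not in FORWARD_PARAMS:
                continue
            for addr in param["Value"].split(";"):        # rules may list several targets
                if _domain(addr) not in CORPORATE_DOMAINS:
                    hits.append((rec["UserId"], rec["Operation"], addr.strip()))
    return hits


def anonymous_links(records):
    """Files shared with an 'anyone' link, i.e. outside any identity control."""
    return [(r["UserId"], r["ObjectId"]) for r in records
            if r["Operation"] == "AnonymousLinkCreated"]


def bulk_uploads_to_unapproved_hosts(proxy_log, threshold=UPLOAD_COUNT_THRESHOLD):
    """Users who POST to the same non-approved host at least `threshold` times."""
    totals = defaultdict(lambda: {"posts": 0, "bytes": 0})
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        _ts, user, method, url, size = line.split()
        host = urlparse(url).hostname
        if method != "POST" or host in APPROVED_HOSTS:
            continue
        entry = totals[(user, host)]
        entry["posts"] += 1
        entry["bytes"] += int(size)
    return sorted((u, h, v["posts"], v["bytes"])
                  for (u, h), v in totals.items() if v["posts"] >= threshold)


def shadow_it_report(records=AUDIT_RECORDS, proxy_log=PROXY_LOG):
    """All three findings in one dict, for a ticket or a weekly review."""
    return {"external_forwards": external_forwards(records),
            "anonymous_links": anonymous_links(records),
            "bulk_uploads": bulk_uploads_to_unapproved_hosts(proxy_log)}


if __name__ == "__main__":
    for kind, findings in shadow_it_report().items():
        print(kind)
        for finding in findings:
            print("  ", *finding)
```

On the sample data the report flags Alice’s and Frank’s external forwards (Bob’s redirect to a colleague is ignored), Dave’s anonymous link (his named share to Carol is not a finding), and Erin’s four uploads to Dropbox, while Gina’s single Canva upload stays below the threshold. Each finding is a conversation starter with the employee, which is the point of the section that follows: find out what need the tool was filling before you block it.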

Probably the most important thing you can do is to communicate with employees. Beyond establishing clear policies, we encourage you to listen when employees ask for help. Make it easy to request and approve the tools employees need to do their job efficiently. By creating a stronger connection between IT and employees, you’ll be able to reduce the need for Shadow IT.


Frequently Asked Questions

What is Shadow IT?

Shadow IT is the use of hardware or software without the knowledge or approval of the IT department within your organization.

Why is Shadow IT risky?

Shadow IT is risky because users are working on devices or with software that IT does not know about or approve. Those personal devices and accounts are most likely not configured securely, not monitored, and not backed up.

What is a Shadow IT policy?

A Shadow IT policy will ensure security compliance by defining how employees can use hardware and software in the business, especially with new technology.
