Security Scorecard

What is Shadow IT? And How to Manage It

Posted on August 23rd, 2021

Everything connected to your network poses a security risk. Every application on every device adds to that device's attack surface, which in turn raises your organization's security risk profile. Ultimately, organizations need visibility into all users, applications, and devices on their networks. Whether it arises from employees using personal devices or downloading applications to corporate devices, shadow IT is becoming a bigger problem for organizations. To enhance your security posture, you need to understand what shadow IT is, the risks it creates, and how to mitigate those risks.

What is shadow IT?

Shadow IT is broadly defined as any information technology systems, devices, applications, and services outside traditional IT department procurement processes and approval. As more employees use personal devices and organizations adopt cloud-based applications, shadow IT risk increases.

Examples of shadow IT include:

  • Productivity applications: Trello, Asana
  • Collaboration or messaging applications: Microsoft Teams, Slack, or Google Chat
  • Physical devices: smartphones, tablets, Internet of Things (IoT) devices
  • Cloud storage or file-sharing services: Google Drive, Dropbox, Box, and OneDrive
  • Video conferencing applications: Zoom, Skype, WebEx, and GoToMeeting
  • Calendar applications: Fantastical, Woven
  • Appointment booking and scheduling applications: Calendly, ScheduleOnce, Bookafy

While “bring your own device” (BYOD) policies offer some level of protection, remote work changes a company’s ability to control the devices employees use to do their jobs. Additionally, even for organizations whose employees use corporate devices only, managing the applications that they install on devices or access on the internet becomes increasingly difficult.

Why do employees use shadow IT?

The move to remote work increased employee need for video conferencing, collaboration, messaging, and file-sharing solutions. Employees may use shadow IT as a way to streamline work processes or work with external stakeholders.

For example, a member of the sales team is meeting with a prospect. The prospect prefers Zoom, even though your organization uses WebEx. The sales team member may download Zoom to connect with the prospect.

What risk does shadow IT cause?

As part of your security and compliance programs, you need to incorporate shadow IT risks into your risk assessment process. By understanding and mitigating these risks, organizations can enhance their overall security.

Lack of visibility

Unknown devices connecting to your network and employees using business emails for web-based applications increase your security risk. You can’t mitigate risks if you have no visibility into what those risks are.

Network security

Every device connecting to your network, especially IoT devices, means another access point that threat actors can exploit. For example, research published in 2019 found more than 120,000 Internet-scale exploited IoT devices and inferred 140 large-scale IoT-centric probing campaigns. In other words, threat actors scan networks looking for IoT devices that can act as a gateway or give insight into network security.

User access

Every account that an employee creates using their business email address increases your organization’s security exposure. For example, suppose an employee uses their business email as the login credentials for your enterprise resource planning (ERP) solution and a messaging application. In that case, they might be using the same password for both. A threat actor who leverages a vulnerability in the messaging application can now try to use those same credentials to gain access to the ERP platform.

Data loss or leakage

Shadow IT increases the likelihood that your data will end up outside of your control. For example, an employee who has access to a shared drive might download a document to their device. Then, they might re-upload it to their personal cloud storage service. Every time that data moves, it “leaks” out of your systems. If the device is stolen or the personal shared drive experiences a data breach, your organization’s data is compromised.

Compliance risks

From both the privacy and security perspectives, shadow IT increases compliance risks. First, when the organization loses control over the data, it fails to govern security appropriately. Just as you can’t mitigate the risks you don’t know you have, you also can’t prove governance over your security program when you can’t locate the new attack vectors.

Second, if you can’t prove governance over who accesses data, you can’t prove that you keep data private. For example, if you need to meet General Data Protection Regulation (GDPR) privacy requirements, you need to know where a data subject’s data resides to delete it upon request. If your employees store data on an application outside of your control or share it through a messaging application, you might not be able to comply with the data subject’s request fully.

How to reduce shadow IT risk

Although managing shadow IT risk sounds overwhelming, you can take several steps to mitigate risk while enhancing your compliance posture.

Scan your environment

The first step to reducing shadow IT is to scan your environment and network regularly. Detecting and identifying new devices that connect to your network gives you additional visibility into network security risks.
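As an added illustration of this step (example code, not SecurityScorecard's own tooling), the script below diffs the clients in a DHCP lease file against an approved-asset inventory and reports anything it does not recognise. The MAC addresses, hostnames and asset tags are constructed placeholders; the lease layout is the one dnsmasq writes.

```python
# Added example (not SecurityScorecard's code): diff DHCP clients against an
# approved inventory so unrecognised devices on the network get reported.
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory: MAC address -> asset tag (placeholder values).
APPROVED = {
    "aa:bb:cc:00:00:01": "laptop-fin-017",
    "aa:bb:cc:00:00:02": "printer-2f",
}

# Constructed lease lines in the layout dnsmasq writes to its leases file:
# "<expiry-epoch> <mac> <ip> <hostname> <client-id>" ('*' = not supplied).
LEASES = """\
1692770000 aa:bb:cc:00:00:01 10.0.1.20 laptop-fin-017 01:aa:bb:cc:00:00:01
1692770100 AA:BB:CC:00:00:02 10.0.1.21 printer-2f *
1692770200 de:ad:be:ef:00:03 10.0.1.55 smart-tv *
1692770300 de:ad:be:ef:00:04 10.0.1.56 * *
garbage line
"""

@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str

def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; MACs are lowercased and malformed lines skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(parts[1].lower(), parts[2], parts[3]))
    return leases

def unknown_devices(leases: list[Lease], approved: dict[str, str]) -> list[Lease]:
    """Clients whose MAC is not in the inventory: candidate shadow IT."""
    return [l for l in leases if l.mac not in approved]

def scan_report(text: str, approved: dict[str, str]) -> dict[str, list[str]]:
    """One scan's result: asset tags seen, plus unknown IPs with a hostname hint."""
    leases = parse_leases(text)
    return {
        "known": [approved[l.mac] for l in leases if l.mac in approved],
        "unknown": [f"{l.ip} ({l.hostname if l.hostname != '*' else 'no hostname'})"
                    for l in unknown_devices(leases, approved)],
    }
```

Run it on each scan and keep the "unknown" list as part of the audit trail; a device that stays unknown across scans is the one to chase down.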

Enforce identity and access controls

To ensure that only the right users and devices connect to your network, you need to enforce your identity and access policies. This process should include multi-factor authentication for users and device authentication whenever a device connects to the network.

Set “deny all” network access controls

To reduce the risk unknown applications create, start by creating “deny all” network access controls. Then, you can go back and allow the applications you trust. This will limit employees’ ability to use untrusted applications when connected to your corporate network.
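To show why the order matters (deny everything first, then allow what you trust), here is an added example, not the article's or SecurityScorecard's code, that evaluates constructed outbound requests under a default-allow blocklist and under a default-deny allowlist. The hostnames are placeholders; the Zoom request stands in for the sales-rep scenario described earlier.

```python
# Added example (not SecurityScorecard's code): a default-allow blocklist
# versus a "deny all, then allow what you trust" egress policy.
from __future__ import annotations
from typing import Callable, NamedTuple

class Request(NamedTuple):
    user: str
    dest: str  # destination hostname of the outbound connection

# Constructed placeholder hosts for the services IT has explicitly approved.
ALLOWLIST = {"webex.example", "erp.internal.example"}
# Constructed blocklist: it only ever covers what the team already knows about.
BLOCKLIST = {"known-bad.example"}

# Constructed egress requests, including the sales rep who installs Zoom to
# meet a prospect (unsanctioned, not malicious, and invisible to a blocklist).
REQUESTS = [
    Request("alice", "meet.webex.example"),
    Request("bob", "zoom.example"),
    Request("carol", "known-bad.example"),
    Request("dave", "personal-cloud.example"),
]

def host_matches(dest: str, hosts: set[str]) -> bool:
    """True if dest equals an entry or is a subdomain of one (a.b matches b)."""
    return any(dest == h or dest.endswith("." + h) for h in hosts)

def default_allow(req: Request) -> bool:
    return not host_matches(req.dest, BLOCKLIST)

def default_deny(req: Request) -> bool:
    return host_matches(req.dest, ALLOWLIST)

def evaluate(requests: list[Request], policy: Callable[[Request], bool]) -> dict[str, bool]:
    """Map each destination to whether the given policy permits it."""
    return {r.dest: policy(r) for r in requests}

def shadow_it_gaps(requests: list[Request]) -> list[str]:
    """Destinations the blocklist lets through but the deny-all baseline stops."""
    return sorted(r.dest for r in requests if default_allow(r) and not default_deny(r))

if __name__ == "__main__":
    for name, policy in (("default-allow", default_allow), ("default-deny", default_deny)):
        print(name, evaluate(REQUESTS, policy))
    print("reachable only under the blocklist model:", shadow_it_gaps(REQUESTS))
```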

Train employees to be cyber aware

Effective cyber awareness training should incorporate shadow IT risks. While most employee awareness programs focus on phishing and social engineering, many fail to educate end-users about shadow IT risks.

Create an audit trail

As part of your compliance process, you should ensure that you document all activities around managing shadow IT. This includes documentation showing:

  • Network scanning
  • Vulnerability monitoring
  • Access certifications
  • Employee scores on training modules

SecurityScorecard: Continuous monitoring and risk mitigation

SecurityScorecard’s security ratings platform provides easy-to-read A-F ratings that give quick visibility into your security posture. SecurityScorecard Sentinel, our scanning engine, identifies and detects all devices, including IoT devices, across your network. With the ability to detect these traditionally hard-to-manage IT risks, you can enhance your security and compliance posture.

SecurityScorecard’s security ratings platform provides alerts that help IT and security teams prioritize remediation activities to mature your security program. Our alerts also include actionable remediation steps so that your teams can more rapidly mitigate risk.
