What is Shadow IT?

Shadow IT explained: Understanding Risks, Leveraging Opportunities

Cyber threats in companies do not always have external causes – often, the risk lies within the company itself, as in the case of shadow IT.

This phenomenon is becoming increasingly widespread due to advancing digitalization and the growing use of online services among the general population. According to experts at Gartner, 75% of employees will procure, modify, or create technology tools without the knowledge of the IT team by 2027. For comparison, this figure was 41% in 2022 (source: gartner.com).

What is shadow IT?

Shadow IT refers to the procurement and use of hardware and software in companies and organizations by employees without the explicit approval of the IT department.

The use of unauthorized and often insecure hardware and software poses a challenge to cybersecurity in companies and organizations. 80% of security managers report dealing with at least one security-related incident per year due to shadow IT (source: enteksystems.de).

Which areas does shadow IT affect?

1) Software

The strong growth of cloud and software-as-a-service (SaaS) solutions, as well as the trend toward remote work or working from home, promote location-independent collaboration. At the same time, however, this development has also led to a significant increase in shadow IT, aided by the high acceptance of SaaS tools. Cloud services and SaaS offerings are often easily accessible, simple to use, and inexpensive.

Examples of shadow IT:

  • Mobile working is becoming increasingly important, which is why communication solutions are also becoming more and more important. A common scenario for shadow IT is therefore professional communication with colleagues and customers via unauthorized video conferencing tools or private messenger services such as WhatsApp, Signal, or Telegram.

Spotlight Messenger

Shadow IT in Messengers

Employees like using their favorite chat apps for quick and easy information exchange in their everyday work, especially when working remotely. They are accustomed to using them in their personal lives, and there is often no viable corporate alternative available. The user-friendliness and range of features of messengers are decisive factors, and complicated solutions are used only reluctantly. According to a 2024 Threema study, 50% of the companies surveyed considered it likely that employees would use private chat apps for internal communication in addition to the communication tools provided by the company. 43% assumed that employees exchange sensitive information about customers, partners, and suppliers via chat apps that do not comply with the GDPR.

  • When it comes to teamwork and collaboration, cloud and file-sharing services such as Dropbox or Google Drive are often chosen for sharing and jointly editing business data or documents. SaaS solutions such as Google Docs or apps for workflow optimization are also used. According to a 2024 Gartner study, over 40% of cloud services used in companies are now outside the control of IT (source: enteksystems.de).

  • The use of productivity apps not approved by IT primarily affects applications for collaborative project work such as Slack, Trello, and Asana, where employees often register independently in order to have a quick solution at hand. The benefit here is that it allows users to keep track of the project schedule and progress. However, there are also solutions in the area of social media management that are used as shadow IT.

2) Shadow AI

The term shadow AI describes the unauthorized use of artificial intelligence applications. The use of AI is already widespread, and AI tools such as chatbots or image generators (e.g., ChatGPT, Gemini, Midjourney, or DALL-E) are now increasingly being used as shadow IT, i.e., without formal approval or supervision by the IT department.

3) Hardware

Smartphones are always with us and are often quicker to hand than company laptops in everyday working life. Although private smartphones are extremely practical, they are beyond the control of the company and its security strategies – and thus become part of shadow IT. Especially when working from home or on the move, the boundaries between personal and professional life become blurred. Ad-hoc solutions are then quickly resorted to.

Other examples of hardware that is typically used in the form of shadow IT include:

  • PCs

  • Private laptops

  • Storage devices such as USB sticks or external hard drives

  • Tablets

  • Network components such as routers or switches

  • Printers and scanners

The IT policies of some companies allow for Bring Your Own Device (BYOD). This strategy permits employees to use their own laptops or smartphones for work. However, if this happens uncontrolled and without the involvement of the IT department, shadow IT and the associated risks arise here too.

Threema's cybersecurity study

Threema has conducted a large-scale cybersecurity study. Find out why there is a huge gap between perceived security in companies and the reality of unsanctioned tool use in everyday business.

Why do employees use shadow IT?

The origin of this phenomenon is by no means malicious; on the contrary, employees are increasingly using private or unauthorized applications or services for the simple and practical reason that these solutions make their daily work easier and allow them to be more productive and efficient. There is often a lack of suitable, official solutions because, for example, they do not address employee usage behavior, are too complicated, poorly integrated, too slow, too inefficient, or simply unusable.

Employees often seek a quick solution and choose a ready-to-use app or cloud service to bypass lengthy IT approval processes and have a solution at their fingertips immediately. Paradoxically, IT itself contributes to the spread of shadow IT: according to studies, 38% of employees resort to unauthorized tools because IT response times are too slow. Unauthorized services are increasingly being used, especially when working from home.

An overview of the main causes of shadow IT:

  • Easy availability and rapid growth of cloud services or SaaS solutions that all employees can access quickly and easily

  • Unclear responsibilities for IT support in specialist departments

  • Poor coordination, too much bureaucracy, or inadequate regulations in the cooperation between the specialist departments and the responsible IT department

  • Official solutions do not correspond to the usage habits of employees

  • Lack of risk awareness of the potential consequences of shadow IT and lack of employee training

  • Budget constraints

  • Non-existent guidelines

Why is shadow IT harmful? And what damage does shadow IT cause?

As understandable as the desire for quick and pragmatic solutions may be, unauthorized software and hardware are often not suitable for adequately securing confidential information and data. In addition, organizations and companies quickly lose track and control, especially once the number of unauthorized applications grows to a point where SaaS and cloud usage can no longer be managed effectively. All of this entails security risks and can have serious consequences for the company or organization. According to a study, nearly half of all cyberattacks can be traced back to shadow IT, and the average cost of remedying them is more than $4.2 million, illustrating the devastating financial consequences of shadow IT for companies (source: https://www.zluri.com/blog/shadow-it-statistics-key-facts-to-learn-in-2024).

The risks posed by shadow IT at a glance:

Security risks and inadequate data security

  • Increased security risk: Unauthorized or unsecured tools are usually not equipped with the necessary security measures to protect against cyberattacks, which facilitates unauthorized access to sensitive data. Unauthorized applications often contain vulnerabilities or misconfigurations (especially in the cloud), providing gateways for data leaks, malware, and cyberattacks.

  • Invisible attacks: Without the knowledge or oversight of IT, many incidents go undetected, which can increase the extent of the damage and facilitate repeated attacks using the same method.

  • Lack of maintenance and control: Unpatched software – i.e., software for which no bugs have been fixed or security gaps closed – facilitates cyberattacks and creates vulnerabilities. In the worst case, control over IT resources is completely lost.

  • Data loss: Since shadow IT is not integrated into the backup system and lifecycle processes of the respective organization, it becomes difficult or impossible to recover data that has been lost via shadow IT systems. 

  • Blind spot in risk assessment: Many companies do not take shadow IT into account, thereby increasing their vulnerability to attack and risking serious damage. IT needs transparency about which applications are being used in order to set up security strategies that are as comprehensive as possible.

Data breaches and compliance violations:

  • Strict data protection and compliance requirements protect customers and business partners. If sensitive data is processed using unauthorized software that is also not compliant with data protection regulations, fines and serious damage to reputation may result.

  • With unauthorized providers, it is unclear how data is stored or transmitted. This increases the risk of data breaches, unauthorized access, and data leakage.

  • Cloud storage in third countries without an adequate level of protection is likely to result in violations of the GDPR and industry-specific rules.

Inefficient collaboration:

  • Shadow IT applications can lead to fragmented and uncoordinated workflows, data and knowledge silos, and inconsistent data. When data is distributed across various shadow IT components and there is no central governance, teams may access unofficial, invalid, outdated, or simply different information. If teams use different tools (e.g., Google Drive and Dropbox), this also creates extra work due to multiple uploads and downloads, versioning issues, and media breaks. As a result, employee productivity suffers, which can have a negative long-term impact on the entire organization.

Financial losses:

  • Shadow IT can sometimes result in significant financial losses. If the use of shadow IT leads to a cyberattack, the time and resources required for data recovery and damage repair can be enormous. In addition, there may be costs associated with legal proceedings and fines. The economic damage associated with loss of trust, industrial espionage, and data manipulation cannot be precisely quantified, but it can cause fundamental damage to companies and organizations.

  • There are also additional costs for extra systems that are used alongside the official IT resources.

Compatibility problems and lack of transparency: 

  • The use of shadow IT can also lead to compatibility issues with the organization’s IT systems and infrastructure. SaaS services, for example, can affect bandwidth. The lack of integration, in turn, leads to gaps in security controls, making it difficult to respond quickly to security incidents and fix vulnerabilities.

  • It also creates a confusing IT landscape: Officially provided solutions remain unused or are compromised by shadow IT. Future-proof and efficient planning of IT architecture and capacities can also suffer. In addition, shadow IT can make migrations or updates significantly more difficult to implement.

Reputational damage:

  • The disclosure of sensitive data and data breaches also damages the trust of customers, partners, investors, and other important stakeholders. This can have existential consequences for companies and organizations. Restoring trust is usually very costly and time-consuming.

  • Apart from risks in the area of data security and data protection, shadow AI adds another level of risk: the use of unauthorized AI models can significantly impair the quality of results and decisions. Risks such as distorted underlying data or model drift can lead to erroneous strategic decisions or weaken an organization’s quality standards.

Spotlight Messenger: The Risks of Private Messaging Apps in Companies 

The widespread use of private chat apps, such as WhatsApp or Telegram, in a professional context exemplifies the considerable risks posed to companies by shadow IT:

Inadequate Protection of Company and Customer Data

Messaging apps designed for personal use are usually not adequately protected for exchanging sensitive data. Often, even moderate security requirements are not met, meaning that internal company data can easily leak to the outside world. In addition, these messengers are not typically GDPR-compliant. Many chat apps are also subject to US laws that conflict with the GDPR because services based in the US must grant the US authorities access to customer data. Therefore, using chat services from the US poses a data protection risk.

When employees use WhatsApp to communicate with customers or colleagues, this user data is stored on external servers, and metadata is shared with the Meta Group for marketing purposes.

Communication solutions such as Threema Work are a secure alternative. Here, sensitive data is protected without compromise by zero-knowledge architecture, metadata restriction, and end-to-end encryption, among other measures.

Lack of Administrability

Consumer messengers usually do not meet the requirements of companies in terms of user administration. For example, chat apps used for personal communication cannot be preconfigured for employees, nor can functional restrictions be imposed. They do not allow contact verification (through verification levels) or restriction to internal contacts, as offered by Threema Work, which can prevent incidents such as “Signalgate.”

Furthermore, when employees leave the company or devices are lost, consumer messengers do not normally offer the option of revoking access to the app and the company data it contains, as Threema OnPrem does with its DualLock feature. As a result, business content circulates unhindered in the private sphere of former employees or even falls into the wrong hands. In terms of security and data protection, these solutions are therefore completely unsuitable for business purposes.

What advantages and opportunities does shadow IT offer?

In addition to the numerous risks and challenges mentioned, the phenomenon of shadow IT can also have positive effects.

  • A key aspect is increased productivity: When employees find that official systems do not meet their requirements, they often seek out suitable applications themselves. This allows them to use tools that are better suited to their activities, often enabling them to work faster and more efficiently.

  • Added to this is employee satisfaction: Cumbersome, lengthy IT approvals slow down engagement. If, on the other hand, employees are given the freedom to choose suitable solutions themselves, satisfaction and motivation increase – which has a positive effect on the quality of their work.

  • Shadow IT can also solve previously unresolved problems and reveal unknown potential for improvement. Once successfully tested in practice, such needs-oriented, flexible solutions can be transferred to the company’s IT systems as standard. This optimizes processes and strengthens the momentum for innovation.

  • Overall, a pragmatic approach to new tools helps companies remain competitive, find better solutions, and respond more quickly to changes in the market or technological developments.

What can be done about shadow IT?

It is unlikely that shadow IT can be completely eliminated; instead, the focus must be on transparency and risk reduction. The first step is therefore to make shadow IT visible in order to ultimately steer it into official channels and transform it into usable solutions. The goal is to obtain a complete overview of all SaaS applications used in the company in order to see which processes and areas require action, because ultimately shadow IT is an indication of missing or inadequate alternatives. To this end, companies should conduct a comprehensive IT inventory and network analysis.

1) Monitoring and Technical Control of the IT Environment

Effective monitoring of the IT landscape with suitable analysis programs creates transparency for IT, makes unofficial systems visible, and slows down system proliferation. Security tools such as CASB (Cloud Access Security Broker) solutions can detect shadow IT activities and prevent unauthorized software solutions from remaining undetected. Shadow IT should always be included in ongoing risk assessments.

In addition, regular IT audits and specialized SaaS management tools help to uncover hidden IT assets and restore clarity. The larger the company, the more important automated discovery methods become.

SaaS management tools can be divided into two categories:

  • SaaS Management Platforms (SMP)
     SMPs help curb the uncontrolled proliferation of software, use licenses efficiently, enforce access policies, and ensure the secure use of cloud software in all areas.

     SMPs and CASB solutions can also be combined: SMPs can use CASB data to obtain a more accurate picture of access, usage, and risks associated with SaaS applications.

  • SaaS Security Posture Management (SSPM) Solutions
     SSPM tools can identify security issues such as misconfigurations, user permission problems, and compliance risks in SaaS applications. They are more security-focused, while SMPs provide broader management and visibility capabilities.
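As an added example (not code from Threema or from this article), here is the kind of automated discovery pass the monitoring section describes: a Python script that classifies constructed proxy-log lines against an illustrative catalogue of the SaaS domains this article names and reports which of those services appear outside the sanctioned list. The domain catalogue, the log format and the sanctioned set are assumptions that a real deployment would replace with its own inventory or a CASB feed.

```python
"""Flag unsanctioned SaaS usage in proxy logs (constructed example)."""

# Illustrative catalogue of SaaS domain suffixes for the services named in the
# article. Assumption: a real deployment maintains this list (or takes it from a
# CASB feed); these suffixes are not an authoritative endpoint list.
SAAS_CATALOGUE = {
    "drive.google.com": ("Google Drive", "file sharing"),
    "docs.google.com": ("Google Docs", "collaboration"),
    "dropbox.com": ("Dropbox", "file sharing"),
    "dropboxapi.com": ("Dropbox", "file sharing"),
    "whatsapp.com": ("WhatsApp", "messenger"),
    "telegram.org": ("Telegram", "messenger"),
    "slack.com": ("Slack", "collaboration"),
    "trello.com": ("Trello", "collaboration"),
    "asana.com": ("Asana", "collaboration"),
    "openai.com": ("ChatGPT", "AI"),
}

# Constructed proxy log (not real traffic): timestamp, user, host, bytes uploaded.
SAMPLE_PROXY_LOG = """\
2024-05-02T08:01:12Z alice drive.google.com 1048576
2024-05-02T08:03:40Z alice mail.example-corp.internal 2048
2024-05-02T08:05:02Z bob web.whatsapp.com 512
2024-05-02T08:07:15Z bob content.dropboxapi.com 5242880
2024-05-02T08:09:30Z carol chat.openai.com 16384
2024-05-02T08:11:00Z carol app.slack.com 4096
this line is malformed and must be skipped
2024-05-02T09:15:20Z bob content.dropboxapi.com 7340032
"""


def classify_host(host):
    """Return (service, category) for a catalogued SaaS host, else None."""
    host = host.lower().rstrip(".")
    for suffix, entry in SAAS_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def parse_line(line):
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    ts, user, host, bytes_out = parts
    return {"ts": ts, "user": user, "host": host, "bytes_out": int(bytes_out)}


def build_report(log_text, sanctioned):
    """Aggregate per-service usage: distinct users, requests, bytes uploaded."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify_host(rec["host"])
        if hit is None:  # internal or uncatalogued host: not a SaaS finding
            continue
        service, category = hit
        entry = report.setdefault(service, {
            "category": category, "sanctioned": service in sanctioned,
            "users": set(), "requests": 0, "bytes_out": 0})
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return report


def unsanctioned_findings(report):
    """List unsanctioned services, largest upload volume first."""
    rows = [(s, e["category"], len(e["users"]), e["bytes_out"])
            for s, e in report.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    rep = build_report(SAMPLE_PROXY_LOG, sanctioned={"Slack"})
    for service, category, users, bytes_out in unsanctioned_findings(rep):
        print(f"{service:<13}{category:<14}users={users} uploaded={bytes_out}")
```

Upload volume per unsanctioned service is the first thing to look at, since a large transfer to an unapproved file-sharing service is both a data-protection and a data-loss concern in the sense described above.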

2) Employee Surveys and Workshops

In addition to technical controls, it is advisable to consult all departments for this inventory overview and gather information about which products are used and what problems they are intended to solve. Anonymous surveys can help lower the inhibition threshold for honest answers, thereby supporting the usability and quality of the statements.

3) Replace Shadow IT with Secure and Company-Compliant Alternatives

Targeted dialogue between IT and specialist departments also creates a better understanding of where the actual need lies or why alternative solutions are being procured outside of the official IT solutions. This allows processes to be improved and, in the best-case scenario, problematic applications to be replaced with secure alternatives that correspond to the usage habits of employees.

Secure Alternative

Threema Work as a Fully-Fledged and Protected Business Messenger

At first glance, banning messaging services in the corporate environment seems obvious given that messengers are often used in the form of shadow IT. However, this approach has two major drawbacks. First, it would prevent the quick and uncomplicated exchange of information via instant messaging, slowing down productive and efficient communication processes. Second, it would disregard the established communication habits of employees.

It therefore makes more sense to provide a dedicated business messenger such as Threema Work within the company, which both corresponds to the usual usage behavior of employees and ensures the necessary control over sensitive data and a high level of security. Threema Work, which can also be used as a desktop version, has all the essential features that employees expect from a modern instant messenger, as well as some useful additional features for daily collaboration and everyday work, such as an off-hour policy, polls, and screen sharing on desktop. In addition, comprehensive management options are available with central configuration of all users and adaptation to company guidelines. This ensures employee satisfaction and significantly minimizes the risk of cyberattacks, reputational damage, and high fines due to GDPR violations.

What preventive measures can be taken against shadow IT?

There are also a number of preventive measures that can be taken to curb the emergence of shadow IT. It is important to take a proactive approach that focuses on control, education, good cooperation with the IT department, and appropriate solutions, rather than simply issuing bans.

1) Focus on employee needs, offer secure alternatives

Since the main cause of shadow IT is the lack of suitable solutions, the focus should be on understanding employee needs and offering attractive, tested, and user-friendly alternatives to meet those needs. To achieve this, open communication and transparent, uncomplicated, and efficient processes between the specialist departments and the responsible IT managers are essential. Employees should also be actively encouraged to openly express their wishes and requirements to the IT department as soon as the existing products no longer meet their needs. 

2) Use private devices securely

Mobile Device Management (MDM) technology supports the administration and security of devices used in a business environment. This means that employees’ private devices can also be registered, for example in the case of a Bring Your Own Device (BYOD) policy, and the necessary apps and tools for monitoring device usage can be made available. Threema Work can also be distributed with any MDM system that supports the Android Enterprise (Android) and Managed App Configuration (iOS) standards.

3) Raise awareness of dangers, curb shadow IT

Many employees do not perceive the tools they use as a potential danger and are unaware of the risks associated with shadow IT. That is why training and awareness are important. Employees should be made aware of the dangers of shadow IT and how they themselves can contribute to protecting company data by means of practical examples. For example, those who know that a “quick” file upload to an unknown web service can, in the worst case, result in data loss or fines will act much more cautiously.

4) Strengthen IT governance, establish clear guidelines

A key means of preventing shadow IT is to have clear rules on IT use and procurement. However, many companies still do not have appropriate, standardized guidelines.

A clear IT and shadow IT policy should specify

  • which applications and cloud services may be used,

  • how new applications (including AI services such as ChatGPT) are requested and approved,

  • which data may not be fed into external services,

  • and what the consequences of violations are.

These policies are defined by IT, regularly reviewed and adapted to new conditions, and communicated transparently. Simplified, streamlined approval processes also help prevent the use of unauthorized solutions.

It is crucial to clearly position the IT department as a service partner. Dedicated teams can be involved in the selection of new software solutions at an early stage and are given space for their own suggestions – thus turning shadow IT into a source of innovation rather than a risk. Central portals with approved software solutions, plug-ins, tutorials, and support access also offer employees attractive, officially supported alternatives and create transparency.

CONCLUSION

Shadow IT is no longer a marginal phenomenon, but rather a daily reality in many organizations. While it entails considerable risks, it also presents real opportunities. Shadow IT is primarily triggered by employees’ need for use case–specific, readily available solutions that make their everyday work easier. When official tools are too complicated, inflexible, or poorly integrated, employees look for their own solutions, often using unauthorized SaaS services, private messengers, or AI applications. While this increases productivity and satisfaction in the short term, it also creates security gaps, compliance risks, data proliferation, and additional costs.

Instead of simply banning shadow IT and fighting it at all costs, companies should take a balanced approach that creates transparency, reduces risks, and harnesses the potential for innovation. Technical measures, such as monitoring and security solutions, help make the tool landscape visible and limit security risks. However, cultural and organizational measures are just as important: open communication between departments and IT, simple and fast approval processes, consideration of user needs, and regular training and awareness-raising for employees. Clear guidelines provide the necessary framework. When these rules are understood and supported by an IT department that sees itself as a service partner, the invisible danger can be managed.

Transparency, secure alternatives (e.g., a data protection–compliant business messenger), and employee involvement can transform shadow IT from a silent threat into a driving force for innovation, efficiency, and competitiveness.

Manage Shadow IT in Business Communication

Replace shadow IT with a secure communication solution. Try Threema Work for 30 days free of charge.

Made in Switzerland © 2026 Threema GmbH.