Shadow IT – the risks, the costs and how to control them


Over the last decade, IT consumerization has caused a rapid rise in people’s expectations about their computing experience at work. This is especially so among those who have grown up in the Internet era. They represent an increasingly significant proportion of the workforce, and take fast data connections and powerful apps for granted. They expect office IT to be as easy, fast and convenient as the technology they use at home. If it isn’t, there are multiple ways in which they can meet their requirements – independently of the IT department.

As a result, so-called ‘Shadow IT’ environments have evolved within many organizations. These environments are largely invisible to the IT department, and cannot therefore be controlled or protected. The consequences of this lack of control can be serious. They range from security breaches, to escalating costs, reduced productivity and compliance failures.

This is why it’s becoming increasingly clear to many companies that ignoring this issue is no longer an option. So, it’s time to ask (and answer) the big questions surrounding this tricky topic.

What is Shadow IT and why is it a problem?

Shadow IT can be defined as any unapproved IT hardware, software, solution or system in use within a corporate network. Shadow IT has usually not been sanctioned by a corporate IT decision-maker. It is also therefore invisible to the IT department, and outside of their control.

IT consumerization, increased employee mobility, homeworking, and diverse collaboration models demand that corporate IT must be more flexible than ever. Unfortunately, this is at odds with the priorities and capabilities of many corporate IT departments. They want to retain tight control over user behavior in the face of ever more numerous and sophisticated security threats. But many are also operating within the context of shrinking budgets and staff shortages. All these factors combine to make the development of Shadow IT more likely now and in the future.

What are the risks of Shadow IT?

They can be broadly categorized as follows:

Security breaches: Fortunately, few employees set out to deliberately work in an unsafe way or put corporate assets at risk. But doing so unintentionally is common. It happens a lot that employees use unauthorized software that contains vulnerabilities or malicious code, or that communicates over insecure connections. But using approved IT resources in an insecure way (e.g. over public Wi-Fi) is even more widespread.

Increased costs: Higher costs can manifest themselves in a number of ways. See below for more details.

Reduced efficiency/productivity: Shadow IT puts unmeasurable additional pressure on network and computing resources. This can slow down processes and cause system failures or other outages.

Compliance failures: It’s impossible to comply with licensing policies without transparency and control over all the IT assets used within your organization.

What are the hidden costs of Shadow IT?

Increased (and often hidden) costs are the direct consequence of the risks described above. They include:

Damage caused by security breaches: This is perhaps the scariest and least predictable of all Shadow IT costs. It’s very difficult to put a price on data loss, intellectual property theft, or reputational damage. But it’s safe to say that the potential cost is almost limitless.

Unnecessary expenditure: Unlike IT professionals, business people are generally not aware of all the potential consequences of buying a particular solution. This makes it easy for them to spend money on solutions that aren’t appropriate or cost-effective in the long term. Budgets can be wasted, and investments may have to be duplicated as a result. Not only that, IT departments need to spend money on solutions and resources designed to uncover and eliminate Shadow IT. With the right IT service management and compliance solutions in place, this expenditure would also be unnecessary.

License audit failures: Using IT assets without the knowledge of the IT department makes it impossible to fulfill vendor licensing requirements. Moreover, the average employee has little or no awareness about the consequences of contravening them. The cost of failing software audits, which are becoming increasingly common, can run into millions of euros.

Inefficient use of licensing: Shadow IT often means multiple groups of users are using the same application or service independently of one another. As a result, opportunities for bulk licensing discounts are almost certainly being missed, and budgets are being used inefficiently.

Lost productivity: Shadow IT often arises because users think they can be more productive with their favorite (if unauthorized) app. The reality is often the opposite: the associated network traffic has not been accounted for by the IT department, and the IT department also cannot help in case of incidents or technical trouble with a tool it does not know about.

How should you address the Shadow IT problem?

Many corporate IT departments react instinctively by trying to shut it down and make users adhere to existing policies. This ‘head in the sand’ approach is doomed to failure. In fact, it is likely to make the problem worse. A full exploration of a better way forward is beyond the scope of this article. However, an optimized approach includes the following key elements:

  1. Ask users what they are doing and why: Improving your understanding of what users need is fundamental to eliminating the source of the Shadow IT problem.
  2. Educate users on why Shadow IT is bad for business: Explaining the risks and costs will, in most cases, get users on IT’s side of the argument. But only if the IT department then provides a viable and significantly better alternative.
  3. Enable business units to purchase and use IT securely and transparently: This is best achieved with a centralized IT service catalog and service management infrastructure, with built-in compliance fulfillment functionality.
  4. Apply policies flexibly, based on the risks associated with specific data sets and services: A coordinated approach, which balances security and functionality across onsite and cloud-based environments, is essential.

Uncovering and eventually eliminating Shadow IT will, for most organizations, be a long and painstaking process. But it is one they must embrace and execute as thoroughly as possible. Only then can the risks and costs outlined above be eliminated permanently. Organizations of all kinds invest a lot of time, effort and money to succeed in their chosen field. That success should never be jeopardized by the avoidably inefficient and inflexible implementation and management of corporate IT.
