What Is Shadow IT and How Can You Take Control


Most large organisations have IT departments devoted to developing and supporting the corporate IT infrastructure and managing its operation. One frequently encountered problem is Shadow ICT, where technology systems, software, and hardware are installed without the approval or knowledge of the ICT department or other relevant authorities. It can include anything from unauthorized hardware and software installations to the use of personal devices for work-related purposes.

Why Does it Happen?

Over the years, unit prices for IT systems and software have fallen, often bringing them within the range of a departmental discretionary budget. Users can install incompatible equipment and software independently, creating new and unaddressed threats to ICT, especially IT security threats.

To compound the problem, budget constraints mean ICT does not provide proactive support to users and can struggle to meet its commitments for the systems and infrastructure already in place.

A review usually shows that a lack of communication between ICT and users is also a prime motivator. Users feel that ICT doesn’t support them, so they go it alone.

The implications of ICT not having the resources to meet user requests in a timely and effective manner are grave:

  • Users and departments do not involve ICT in their strategic policy formulation or ICT development initiatives. As a result, they proceed on their own or with third-party support to develop individual programmes that support their operational imperatives. In the public sector, the introduction of new systems often follows a donor intervention.
  • IT security is incomplete, leaving the organisation vulnerable to internal and external threats.
  • Over time, ICT systems can become fragmented and uncoordinated, forming "Islands of Technology". This increases support costs.

What Risks does it Pose?


Shadow ICT can pose several risks to an organization, including ICT security vulnerabilities, compliance issues, and the potential for data loss or theft. It can also lead to inefficiencies and duplication of efforts within the organization, as different departments or individuals may be using different tools or systems that are not integrated or compatible with each other.

Incompatible systems make it difficult to coordinate authoritative data sources and implement universal access controls. Having several unconnected sources of corporate information can cause serious problems if the information is not coordinated and each source is not kept up to date. Uncoordinated access controls could mean users have access to information and systems they should not be able to reach.

There have been occasions where adding third-party equipment and software to a network has brought it down.

Sometimes the purchase includes support from a third party, support that might not be compatible with the organisation’s standards.

In short, at best, it can lead to inefficiencies and duplication of effort within the organization, as different departments or individuals may be using different tools or systems that are not integrated or compatible with each other. At worst, it can shut down the infrastructure.

How to Regain Control


To address the issue of shadow ICT, organizations can take a few steps, including improving communication and collaboration between ICT and other departments, establishing clear policies and guidelines around the use of technology, and providing employees with training and resources to ensure they have access to the tools they need to do their jobs effectively and securely.

The basic approach is two-fold: in essence, a good cop, bad cop approach. Corporate ICT policies are enforced on the one hand, and training and high levels of communication and support are provided on the other.

Network Monitoring

The first step is to recognise Shadow IT installations by monitoring network traffic and identifying connected devices using unauthorised applications.
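
One way to carry out this first step, as an added example that is not part of the original article: compare DHCP leases against ICT's asset inventory to find unknown devices, and compare DNS queries against the list of sanctioned services to find unapproved applications. The inventory, the approved-domain list, the log formats and every address and name below are hypothetical and constructed for illustration.

```python
# Added example: all devices, addresses, hostnames and domains are constructed.
# Hypothetical ICT asset inventory: MAC address -> asset tag.
APPROVED_DEVICES = {
    "00:11:22:33:44:55": "FIN-LAPTOP-01",
    "00:11:22:33:44:66": "HR-DESKTOP-07",
}
# Hypothetical list of sanctioned external services.
APPROVED_DOMAINS = {"corp-mail.example", "approved-crm.example"}

# Constructed DHCP lease records: timestamp, MAC, IP, hostname.
DHCP_LOG = """\
2024-05-01T09:00:01 00:11:22:33:44:55 10.0.0.21 fin-laptop-01
2024-05-01T09:02:13 00:11:22:33:44:66 10.0.0.22 hr-desktop-07
2024-05-01T09:05:40 AA:BB:CC:DD:EE:01 10.0.0.57 sales-nas
"""
# Constructed DNS query records: timestamp, client IP, queried name.
DNS_LOG = """\
2024-05-01T09:10:00 10.0.0.21 login.corp-mail.example
2024-05-01T09:11:30 10.0.0.22 api.file-share.example
2024-05-01T09:12:02 10.0.0.22 api.file-share.example
2024-05-01T09:15:45 10.0.0.57 sync.backup-vendor.example
"""

def is_approved(name):
    """True if name is an approved domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in APPROVED_DOMAINS)

def unknown_devices(dhcp_log):
    """Map IP -> (MAC, hostname) for leases whose MAC is not in the inventory."""
    found = {}
    for line in dhcp_log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].lower() not in APPROVED_DEVICES:
            found[parts[2]] = (parts[1].lower(), parts[3])
    return found

def unapproved_services(dns_log):
    """Map client IP -> {queried name: count} for names outside the approved list."""
    hits = {}
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 3 and not is_approved(parts[2]):
            per_client = hits.setdefault(parts[1], {})
            per_client[parts[2].lower()] = per_client.get(parts[2].lower(), 0) + 1
    return hits

if __name__ == "__main__":
    for ip, (mac, host) in unknown_devices(DHCP_LOG).items():
        print(f"unknown device {mac} ({host}) at {ip}")
    for ip, names in unapproved_services(DNS_LOG).items():
        for name, count in names.items():
            print(f"{ip} queried unapproved service {name} x{count}")
```

MAC addresses can be changed or randomised by the device, so an unknown MAC is a prompt for follow-up with the department concerned rather than proof of an unapproved installation.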

Improved IT support

Provide IT support to employees so that they can get the help they need when they encounter technical issues. This will discourage them from seeking out unapproved solutions on their own.

Encourage open communication

Encourage employees to communicate openly about their technology needs and frustrations. This will help you identify areas where the approved technology may be falling short and where improvements can be made.

Corporate IT Policy

The organisation sets out clear ICT policies on the acquisition and use of ICT resources, in particular how they are sourced. ICT states clearly that unapproved devices attached to the corporate network are blocked and that unapproved software is not supported by ICT.

Some proactive steps include:

IT Shop

To overcome the sourcing issue, some organisations have set up an “IT Shop” from which users and user departments buy their hardware and software. This ensures that equipment meets a common standard and that software can be vetted for compatibility and data integration.

Training centres

ICT establishes corporate training centres, perhaps with online training facilities. Users receive education and training to help them understand the risks associated with Shadow IT and how to use approved technology and software safely.

By taking these steps, organizations can reduce the risks associated with Shadow IT and create a more secure, compliant, and productive workplace.
