What is Shadow IT and why is it so risky?

Shadow IT and its effects on business

shadow IT is a new term for the practice of using external resources and/or software to improve the use of internal resources and/or software without paying for it or obtaining permission, sometimes even inside the company. According to Wikipedia, shadow IT is "the use of non-standard computer services and the use of software in order to improve the efficiency of internal systems or processes without the involvement of the companies that own those services". While the term is not new, the definition of this practice has grown significantly since early 2005, especially in the public sector. The term has also expanded to include other scenarios, such as the use of external resources or software to improve the quality of software produced by internal employees at a company when no improvements were made, and the use of tools or applications to obtain data from a company's network without paying for it. The term has also expanded to include the use of the same tools or applications to perform different tasks, such as file transfer, email, file back ups, etc.

By the year 2000, only a small percentage of employees at small companies (10% of workers) used any form of shadow IT. By the year 2008, however, 20% of workers used shadow IT. The reasons for this range from "employees preferring to use more expensive software that they do not have access to" to "employees preferring to use less expensive software because they do not know how to use more expensive software.

A large percentage of shadow IT is done for the purpose of increasing productivity. Other motivations include the desire to increase the quality of the software used, the desire to gain information about specific company processes, to avoid cost, to lower project failure rates, or to avoid using proprietary software or hardware found in corporate networks.

Shadow IT can give rise to a plethora of potential problems, including:

  • Loss of revenue for private companies who may not need the added resources.

  • Loss of revenue for the government who may not be willing to let employees share the information they find with companies that might be doing business with them.

  • Loss of market share for organizations who may see their competitors using these resources to gain an edge over them.

  • Loss of employee productivity for employees who are not involved in building the software.

  • Loss of customer loyalty caused by employees not being able to find the answers to questions of interest to them.

  • Vulnerability to security risks which arise because of the sharing of information without the owner's knowledge.

  • A lack of control over how the resource is used.

The use of non-standard resources or software may lead to the introduction of bugs or viruses into the product or operating system of the company that uses the application. If the user is unaware of the consequences of using the software, the problem may go undetected for a very long time.

As well, these types of applications may be used purely for selfish purposes, such as personal information gathering. This could be through hacking or other forms of illegal activity, such as the downloading of illegal software or pornographic images from the Internet.

The use of these resources also raises issues related to the protection of the privacy of users and the privacy of the company's network.