News & Analysis

Rethinking Shadow IT in Times of COVID-19

ith the massive shift to remote work as a result of the COVID-19 pandemic, shadow IT is becoming a more critical security issue around the world. That’s because many employees are using their own hardware and even downloading free applications without first taking precautions with the help of the security department. With people taking matters into their own hands, there’s a good reason for CIOs and CISOs to start paying attention to shadow IT. 

Shadow IT – no longer avoidable

While shadow IT existed in the past with the BYOD (being your own device) boom in the 2010s and often haunted IT teams, recent figures show a massive spike in the usage of employee-owned devices and applications. Research from Everest Group estimates that shadow IT comprises 50% or more of IT spending in large enterprises. 

Experts see there’s no stopping shadow IT in the age of data democratization where every single person in your organization, from the production manager to marketing team and social media department can dig into your data. As Kasey Panetta, Senior Content Marketing Manager at Gartner believes, this is inevitable as digital natives are your workforce now. This tech-savvy workforce is less likely to wait for IT to create new solution or get things approved and more likely to take matters into their own hands.

On the hind side, she said, “Misuse or mismanagement by employees actually contributes to these risks. Inadvertent deletion of data, loss of login credentials, zombie accounts set up by former team members – can all heighten data exposure dangers and lead to unnecessary spending.”

It is capable of causing serious security risks to organization through data leaks and subsequently potential compliance violations for which ultimately the CIOs are held accountable, believes Naveen Gulati, CIO at Girnar Soft, who believes there are inherent dangers in not involving the IT department in the purchasing decisions, as non-IT departments often end up making mistakes around integration, putting security into jeopardize.

The new data regulation regimes including the European Union’s General Data Protection Regulation (GDPR) coming into force in recent years, the uncontrolled IT shadow poses an even greater risk. For example, sharing confidential information with a third-party, where the company has no consent to process their information, is a clear violation of the GDPR’s rules. 

“Therefore, companies must now, more than ever, deal seriously with shadow IT or risk the consequences of being financially penalized under the new regulation as it may end up impeding the organization’s long-term digital transformation projects,” Gulati cautioned.

Mitigate risks associated with Shadow IT

Clear communication between business and IT is often highlighted by analysts as imperative for successfully launching innovative technology solutions and user experiences. Here are some more guidelines to mitigate risks associated with Shadow IT

  1. Understand why Shadow IT happens in the first place. Employees turn to unsanctioned software and online tools in order to work more efficiently. They aren’t trying to cause problems, but simply accomplish the tasks at hand. Communicate with users and make sure they are equipped with all the tools they require so they don’t need to turn to Shadow IT applications. 
  2. Monitor the network to identify problems. One of the main challenges of Shadow IT is simply finding out where the problems are. Through continuous monitoring of the network, IT can gain insight into which employees are using unknown and unapproved devices, services, and applications.
    “After the initial audit, we recommend performing routine vulnerability monitoring and fraud analysis to quickly address any new risks that arise,” Rajiv Gupta, Chief Technologist at Air One Aviation mentioned.
  3. Block high-risk applications. Identify which applications pose the highest risk, and immediately prevent access and block them from the network. Once you’ve blacklisted an application, be sure to offer a low-risk alternative. This will ensure that your employees aren’t tempted to circumvent security policies in order to work productively. For example, if the majority of your staff uses Google Drive to store and manage content, create a company content repository that’s lower risk, but just as easy-to-use.
  4. Set and enforce usage policies. Develop a set of clear and consistent company-wide policies around approved mobile and cloud service usage, as well as white listed and blacklisted applications. Configure device and application rules to enforce these policies and train employees on enterprise-approved applications.
    Promoting standardization is often seen as a vital step in taking control of your IT. Standardized solutions that are company-based, often solves the problem of shadow IT.
    “To ensure synergy across tools and systems, companies must have clearly defined IT security policies that need constant reviewing and monitoring by the IT department,” said Gupta.
  5. Educate your staff on security. Training employees to understand and recognize the risks associated with sensitive data and why Shadow IT puts the enterprise in a vulnerable position is critical. 

“With most GDPR fines expected to come as a result of poor data protection and breaches of confidentiality, business managers should be provided with training and education to understand data privacy and its implications to their organization,” Gulati said.

In conclusion, it’s clear that Shadow IT here to stay and is likely to only accelerate as cloud service and mobile application usage continue to proliferate in the post-COVID world. By following some of the best practices, your organization can minimize risk and help ensure data integrity while still allowing users to be at their productive best.

Leave a Response

Sohini Bagchi
Sohini Bagchi is Editor at CXOToday, a published author and a storyteller. She can be reached at