Shadow IT: A Growing Threat You Can't Ignore

By: Absolute Team | 11/25/2015

Shadow IT, the use of technology systems and solutions without the explicit approval of the organization, can no longer be swept under the table and ignored. Nor should it be applauded: while employees are showing initiative in embracing apps and technologies to improve their productivity, they do so by putting corporate data at risk. Shadow IT is happening right now in your organization; you just don’t know it. Your data is at risk, or could even be breached already, and you don’t know it. At least not yet.

BYOD: Shadow IT Hidden By Another Name

Shadow IT is not a new term; it’s just one that comes and goes when “control” is lost. The consumerization of IT, the rise in personal devices, was one example of Shadow IT, one that organizations attempted to control through BYOD policies. Talking about the “risks of BYOD” to an organization is akin to talking about the risks of Shadow IT. Traditionally, IT was able to build walls around the network in order to protect data. As we recently discussed, the proliferation of endpoint devices used by employees (BYOD or not) now means that there is the potential for millions of access points that extend beyond your corporate network.

Most organizations still struggle with basic BYOD protections such as encryption, authentication and access controls, and that’s for devices they know about. We know there are many more risks introduced by the use of cloud services, poor password practices, WiFi, unsecured backups, malware and so much more. We’ve talked about how as many as 90% of data security incidents can be tied back to people, and some of this comes down to Shadow IT. As revealed in our own study, employees are doing things such as modifying default settings or accessing personal email, but the issue is prevalent in so many small ways.

One estimate suggests that as many as 86% of cloud applications are unsanctioned and that 70 file-sharing applications are in use in the organization, far more than the 10-15 that organizations expected. Gartner suggests that by the end of the decade, 90% of technology will be procured outside of IT. People move quickly to embrace technology they believe will help them gain an advantage.

Much of the risk introduced by Shadow IT is inextricably linked to the endpoint. A Ponemon report, Data Breach: The Cloud Multiplier Effect, found that there was a symbiotic relationship between cloud and mobile; a 1% growth in the cloud (which is prompted by a desire to share data across many mobile devices) increases the probability of a costly data breach by 3%.

Putting the Spotlight on Shadow IT

Selfishness, a lack of tools, a lack of awareness of the rules or lack of enforcement may explain why Shadow IT exists, but it doesn’t erase it from your organization. We need to assume that Shadow IT has a huge footprint in your organization already, and it’s growing rapidly, so the key is turning the spotlight on the Shadow, allowing you to see and therefore protect more of this data moving around.

Shadow IT is not going away. Organizations that develop a framework for understanding how employees are using data will do a better job of protecting that data, whether it lives on the network, in the cloud or on the endpoint. Visibility is your key to reducing the risk from Shadow IT; that reduction doesn’t come from clamping down with more walls that prevent the movement of data. Instead, embrace BYOD by implementing security awareness training for employees (to increase the likelihood of smarter behaviors, or at least reporting of incidents), enforceable and well-communicated policies, and the necessary support technologies to gain visibility in all the places where data lives.

We share some of our thoughts on how employees are moving around data in our whitepaper, ‘The Enemy Within – Insiders are still the weakest link in your data security chain.’

A persistent endpoint security solution such as Absolute DDS goes beyond visibility with automated alerts, based on security policies, and response tools to remotely freeze or disable devices, delete or copy data, and prove compliance in an audit report. Learn more about how Absolute can help you bring your data out of the shadows at
