What is Shadow IT?

With the arrival of ever more powerful and accessible tools on the market, Shadow IT is becoming increasingly prevalent in the business landscape. This can have profound implications for security, governance and IT strategy within organizations. But what does Shadow IT actually refer to?

Shadow IT: what are we talking about?

Shadow IT refers to the use of software, applications and technology services by employees without the knowledge or approval of their IT department.

This practice is very common in companies. According to Frost & Sullivan, 80% of workers admitted to using applications or services without prior approval from the IT department.

The extent of Shadow IT is all the more alarming when we consider the spending figures linked to this practice. Gartner estimates that 40% of corporate IT spending is linked to Shadow IT.

Reasons for Shadow IT

Responsiveness and adaptability

One of the main factors driving the emergence of Shadow IT is the need for responsiveness and adaptability. In a world where technology is evolving at breakneck speed, employees are often looking to use the latest and most efficient tools to get the job done.

IT department approval processes can be perceived as slow or cumbersome, leading employees to seek alternatives on their own.

Employee autonomy and satisfaction

Shadow IT can increase autonomy and improve employee satisfaction. When they have the freedom to choose the software they use, they can feel more invested and satisfied in their work.

Take Nocode tools, for example. Their use is becoming increasingly widespread, as they enable employees to develop the digital solutions they need in their day-to-day work, without the need for technical assistance from developers.

We're faced with a dilemma here: how to identify these uses and better control them, while enabling all employees to contribute to the company's innovation and development.

Reconciling the two has become a real criterion for business teams and for attracting talent.

Easy access to alternative IT solutions

Finally, the emergence of Shadow IT is greatly facilitated by the accessibility of alternative IT solutions. With the rise of the cloud and the proliferation of mobile applications, it has become extremely easy for anyone to find and adopt new, simpler-to-use technological means.

Nocode solutions like Glide, for example, let you create a business application in just a few clicks.

Examples of Shadow IT practices

Devices

Devices are a primary use of Shadow IT in business. Here are a few examples of hardware that may represent security vulnerabilities:

Personal laptops and smartphones: Employees often bring their own devices to work, a practice known as BYOD (Bring Your Own Device). 

These devices, which are not managed by the CIO, may contain unapproved applications and software. What's more, they may connect to unsecured networks, putting the company at risk.

External hard drives, SD cards and USB sticks: These storage devices can be used to transfer confidential information from one device to another, bypassing security features. They can also introduce malware into the company network if used on infected devices.


For example, Edward Snowden transferred confidential NSA information onto a micro SD card and got it past the security gates by hiding the card in a Rubik's Cube, which he handed to the security officer so that the cube did not pass through the gate.

[Image: SD card in a Rubik's Cube, Edward Snowden]

IoT (Internet of Things) devices: More and more connected objects are appearing, ranging from smart printers to security devices. These devices, often poorly secured, can be used as entry points by malicious actors to gain access to the establishment's network.

Use of third-party tools such as nocode and low-code tools

Online file-sharing platforms: An employee may share sensitive corporate files via an unsecured or unapproved online file-sharing platform, such as Dropbox, Google Drive or AirDrop. This practice exposes the company to the risk of data theft or loss.

Project management platforms: an employee could use apps like Slack, Trello or Notion to manage projects and collaborate with colleagues without the approval of the IT team.

Messaging services: Despite the firm's policies prohibiting the use of unapproved services, some people may continue to use services like Gmail or WhatsApp for their business activities.

Nocode and low-code tools: Highly accessible, these tools can be quickly adopted by business teams before anyone has taken the time to make them aware of security issues. One resulting risk is data leakage through API keys left unencrypted. This can happen with automation tools such as Zapier, Make or n8n when a user wants to share a workflow with peers.
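A pre-share check for the workflow-sharing risk described above, as an added example that is not from the original article or from any of the tools it names: it walks an exported workflow (JSON), reports where literal credentials sit, and returns a redacted copy. The sample export, its field names and the name/value heuristics are assumptions and do not reproduce any vendor's export format.

```python
import json
import re

# Assumed heuristics, not any vendor's rules: tune both lists for your tools.
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|password|authorization", re.I)
SECRET_VALUE = re.compile(r"^(Bearer\s+\S{16,}|[A-Za-z0-9_]{32,})$")
# A templated reference to a credential store is not a literal secret.
PLACEHOLDER = re.compile(r"^\s*=?\{\{.*\}\}\s*$")

def scan(node, path="$", hint=""):
    """Walk parsed JSON; return (paths of literal secrets, redacted copy)."""
    if isinstance(node, dict):
        # In {"name": ..., "value": ...} pairs the name labels the value.
        label = node["name"] if isinstance(node.get("name"), str) else ""
        found, out = [], {}
        for key, val in node.items():
            child_hint = label if key == "value" and label else key
            hits, out[key] = scan(val, f"{path}.{key}", child_hint)
            found += hits
        return found, out
    if isinstance(node, list):
        found, out = [], []
        for i, val in enumerate(node):
            hits, copy = scan(val, f"{path}[{i}]", hint)
            found += hits
            out.append(copy)
        return found, out
    if isinstance(node, str) and node and not PLACEHOLDER.match(node):
        if SECRET_NAME.search(hint) or SECRET_VALUE.match(node):
            return [path], "<REDACTED>"
    return [], node

# Constructed sample export; field names and values are illustrative only.
SAMPLE = json.loads("""
{"name": "Sync new leads to CRM",
 "nodes": [
  {"name": "Call CRM", "type": "httpRequest", "parameters": {
    "url": "https://crm.example.invalid/v1/leads",
    "headers": [
      {"name": "Authorization", "value": "Bearer EXAMPLEONLY0123456789abcdef"},
      {"name": "Accept", "value": "application/json"}],
    "query": {"api_key": "={{ $credentials.crmKey }}"}}},
  {"name": "Notify", "type": "webhook",
   "parameters": {"secret": "EXAMPLE-not-a-real-secret"}}]}
""")

if __name__ == "__main__":
    findings, redacted = scan(SAMPLE)
    for p in findings:
        print("literal secret at", p)
    print(json.dumps(redacted, indent=1))
```

Redaction only protects the shared copy: a key that has already appeared in a shared workflow should be rotated at the provider.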

To mitigate these risks, it is important that companies establish clear policies and guidelines for the use of Nocode tools. IT departments need to be involved in evaluating and validating the applications created, as well as providing technical support and security advice.

We'll look at the solutions available in the final section.

Shadow IT risks

Data loss

Data inaccessibility: When employees use personal accounts to store documents or other company assets, this information can become inaccessible. For example, if an employee resigns or is fired, he or she may retain access to these assets stored in the cloud, while the company may lose access to them. This can have far-reaching consequences.

Retention of assets by former employees: Similarly, if an employee who has used unapproved services leaves the company, he or she may continue to have access to sensitive information. Not only does the company lose access to this information, it also risks it being shared or used inappropriately.

Difficulties in locating and controlling data: When data is stored or processed outside company infrastructures, it can be difficult for the company to know exactly where it is and who has access to it. This can lead to compliance and security issues, as it is more difficult for the company to guarantee the protection of this information and prevent unauthorized access.

Beyond the simple loss of confidential information, Shadow IT also opens the door to even more worrying problems, namely data theft.

According to a Forbes report, the use of unapproved IT technologies is responsible for 21% of all recorded cyberattacks.

Loss of control over usage

An employee's Shadow IT practice can pose problems when he or she is absent or leaves - especially if he or she is the only one to have worked on large-scale projects.

That's why it's so important to quickly establish a culture of business process documentation in every team (not just IT teams).

This limits dependence on any one employee, and makes it easier to circulate information.

Legal compliance issues

Each country and continent comes with its own set of regulations to protect certain industries and citizens (GDPR in Europe, for example, or HIPAA in the United States).

These can be complex to understand, and require in-house managers or external representatives whose aim is to raise awareness of the issues among employees so that good practices can be applied.

But it's difficult to control the practices of all an organization's employees and teams. As a result, individuals and departments frequently fail to meet these security standards, which can result in fines or legal action being taken against the organization.

For example, a fine of up to 20 million euros, or equivalent to 4% of a company's turnover, can be imposed for non-compliance with the rules governing data processing, or if the legal conditions for processing private information are not met.

Data modification

Without a clear governance system, you run the risk of compromising an entire technological system based on data and automation.

The more an organization grows, the more it will create dependencies between services. It is essential to have managers who are familiar with the architecture, so that they can set up monitoring tools to quickly identify unwanted modifications to systems.

For example, modifying a field in a database can break all the workflows connected to it. The consequences can be critical.

What's at stake?

Shadow IT highlights a crucial issue for companies: how to reconcile the need for rapid innovation on the part of business teams with respect for best practice on the part of the IT department.

At the heart of the field and operations, these business teams may be tempted to adopt new tools and technological resources not approved by the IT department, in order to be ever more productive and respond rapidly to their needs.

On the other hand, the IT division, as guarantor of information systems security, is responsible for ensuring that the technologies used are secure and comply with current regulations. The challenge is to strike the right balance between these two imperatives, enabling the company to remain competitive while preserving the security of its data.

What are the solutions?

Raising awareness and training employees in best practices

Training in IT security best practices is essential to prevent Shadow IT. It's a corporate culture that needs to be put in place as soon as possible, as the stakes become higher and higher as the organization grows and becomes more complex.

It's also very important for large groups to be supported on a regular basis - especially today, when the technological ecosystem is evolving extremely rapidly.

We are already working with major groups such as Franprix and L'Oréal to raise awareness of Nocode among their teams, so that its adoption can stimulate the group's growth while reconciling agility and security.

If you're also interested, we'd be delighted to hear from you.

Cooperate with the IT department

Nocode and Low-code approaches can also give back control to the IT department by offering employees turnkey solutions.

In this way, Business Developers can retain the agility afforded by Nocode approaches while keeping the IT Department in the loop, giving them the level of visibility they need to guard against any risks to the organization.

If you need to use a new tool or service, be sure to ask your IT department to check the tool's reliability and other parameters.

Finally, employees can prototype an application or website, and the IT department takes charge of creating it. 

Set up a clear governance system

As stated earlier in the article, identifying the people responsible for the operations inherent in each department is very important in order to maintain control and build an environment that will be able to scale over time.

These are good practices to adopt - and they can be time-consuming - but they will ensure the company's medium- and long-term growth.

Working with the right tools

Working with the right tools is often the key to meeting governance challenges. More and more Nocode solutions offer centralized governance options, particularly in their Enterprise plans. Airtable, for example, offers a governance solution.

Vendors well known to technical teams have also developed Nocode solutions, which are very popular with large groups. Take AppSheet, Google's Nocode solution, for example, where the configuration of rights and accesses for the applications produced is the same as for other corporate data. Microsoft works in the same way with its Nocode PowerApps solution.

Conclusion

In conclusion, Shadow IT represents a major challenge for organizations - both large and small. While it may seem attractive to employees in terms of autonomy and flexibility, it entails significant risks in terms of data security, legal compliance and loss of control over corporate IT systems. While it may seem illusory to prevent the phenomenon, it is essential for companies to put in place proactive measures to raise awareness and train employees in good IT security practices, as well as fostering close collaboration between business teams and the IT department. By adopting a cooperative approach and encouraging transparency, companies can strike a balance between innovation and security, ensuring effective technology management within the organization.

What are the risks of shadow IT for businesses?

Shadow IT exposes a company to risks such as data loss, violation of information protection regulations, insecurity of sensitive information, and loss of control over usage and processes.

How can Shadow IT be prevented within an organization?

To prevent Shadow IT, it is essential to raise awareness and train employees in good IT security practices. Close cooperation with the IT department is also recommended, as is the use of company-approved Nocode and low-code solutions.

What is Shadow IT?

Shadow IT refers to the use of software, applications and technology services by employees without the approval of their IT department.

What are the reasons for the growth of Shadow IT?

The main reasons for the development of Shadow IT are the need for employee responsiveness and adaptability in the face of rapid technological change, increased employee autonomy and satisfaction, and easy access to alternative IT approaches.
