How to Manage the Risks and Costs of Shadow IT

Do your employees use personal drives to store or share corporate data? Do they forward corporate files to their personal email? Perhaps they’ve created repositories for document gathering and sharing for a joint project with a vendor…or installed a handy little app or extension they found online… If so, congratulations: You’ve probably got shadow IT.

What is shadow IT and why does it proliferate?

Shadow IT refers to any device or digital service that is not formally approved and supported by an organization’s security department. Shadow assets can take many forms: unsanctioned assets, decommissioned services, partners’ vulnerable products, etc. Shadow IT happens in both big and small ways, and although it can arise either accidentally or intentionally, it’s usually not malicious—in fact, it’s often the result of well-intentioned initiatives at both the organizational and individual levels. For example, “lift and shift” digital transformation initiatives are an essential part of corporate growth these days, but they can also result in large pockets of shadow IT. Similarly, complex M&A activities that bring multiple disparate systems together can introduce significant shadow IT. On the small (but pervasive) side, employees introduce shadow IT for a variety of reasons:

  • They are unaware of all the software that has been licensed or purchased.
  • Their preferred application is not corporate-approved.
  • They think the approval process is too slow or not required for free software.
  • They don’t want to put an extra burden on IT, especially if they feel confident about installing and using the applications without technical support.

A more recent cause of shadow IT is the shift to hybrid/remote work and BYOD (bring your own devices), which has blurred the line between personal and business use. Most people would assume that they don’t need permission to install an app on their personal phone or laptop because, well, it’s personal—they don’t recognize that using the device for work means that there are new rules.

What are the costs of shadow IT?

Shadow IT significantly expands an organization’s attack surface, opening companies up to information loss and data breaches. In fact, according to various industry reports, anywhere from 30% to as much as 70% of cyberattacks begin with a company’s external attack surface—and shadow IT is one of the largest attack vectors. Attackers view external-facing assets as back doors into a company’s infrastructure. Companies may invest heavily in protecting their known assets, but shadow assets sit outside that protection, making them highly vulnerable. This makes shadow IT a common point of entry for attackers…and they only need to succeed with one asset to get into your IT environment.

But even if you’re lucky enough to avoid a cyberattack, shadow IT still costs money. For example, say a team buys a SaaS subscription for a tool they like better than the one IT licensed for the company—the money paid by IT is then completely wasted. Additionally, the tool the team purchased is probably taking budgeted dollars from a different part of the company or from another project that could have benefitted instead.

Decommissioned services or forgotten assets can carry a hefty price tag as well. Continuing with the SaaS example, let’s say that the team moves on and new team members use the company-sanctioned software…only no one turns off that unsanctioned subscription. It could be years (or never) before anyone realizes that the company is paying for a service that no one uses. Now imagine this scenario continually repeating all over the company. For decades.

Can you prevent shadow IT?

Prevention starts with education. There are steps you can take to help educate your employees about shadow IT and make it less likely that they’ll introduce it:

  • Provide strong, clear guidance about shadow IT in your organization’s cybersecurity policy. Work with HR and senior leaders to educate and inform all levels of the organization about the risks of shadow IT.
  • Implement a transparent approval process.
    • Define a timeline for approvals (e.g., 24, 48 or 72 hours). This will set clear expectations and reduce the feelings of uncertainty around wait times.
    • Provide full visibility on approved and rejected items, and reasons for rejection. This will encourage employees to seek out approved tools and reduce the number of repeat requests. Fewer requests will also shorten approval times.
  • Provide adequate training on tools so employees are comfortable using the corporate-approved ones.

Illumination with EASM is the first step to elimination

Policy and preventative measures are essential, but they will never completely eliminate shadow IT. This is why it is important to take a proactive approach to managing the associated risks by adopting a robust External Attack Surface Management (EASM) strategy. In fact, in February 2022, Gartner identified EASM as a top trend in cybersecurity. With EASM, you don’t simply hope that you’ve prevented shadow IT—you actively seek it out so you can identify it and deal with it. Having a complete view of all your assets and access points, whether they are directly connected to your network or not, is the only way to protect your organization from the costs and risks associated with shadow IT. This is the goal of EASM.

In the cybersecurity industry, the most common approach to EASM is to identify external-facing assets via connections to known assets such as the company domain name. This is a simple, solid approach, and every company should employ an EASM strategy that does this much as a minimum. CybelAngel goes even further: it adds a keyword matching component that identifies external assets by matching keywords in SSL certificates and banners. This combination of methodologies provides an exhaustive view of your external attack surface so you can fully understand and deal with the vulnerabilities that exist. Recently, this approach enabled CybelAngel to identify a decommissioned virtual machine that was costing the organization $50,000 a year to host on Azure—a cost that other tools used in the preceding three years had failed to identify.

If you’re interested in learning more about EASM, feel free to contact us, or you can take advantage of a free External Risk Preview Assessment. Shadow IT may seem like a low priority, but don’t let it get away from you, because you know who’s already looking for your shadow IT? Cybercriminals. Make sure you find it first.
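As an added illustration (not CybelAngel’s code or method), the snippet below shows how a keyword pass over certificate fields and service banners can be layered on top of a domain-based inventory check, so that a host tied to the organization only by a keyword is surfaced as a shadow-IT candidate for review. The inventoried domain, the keywords and the scan observations are all constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for what an external scan returns per public IP:
# certificate names/organization and the service banner. Not real data.
@dataclass
class Observation:
    ip: str
    cert_cn: str = ""
    cert_sans: list = field(default_factory=list)
    cert_org: str = ""
    banner: str = ""

def _in_known_domain(name, known_domains):
    # Exact or subdomain match only; "examplecorp.com.evil.example" must NOT count.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in known_domains)

def classify(obs, known_domains, keywords):
    """Return (status, reason): 'known' if a cert name falls under an inventoried
    domain, 'shadow-candidate' if only a keyword in cert/banner links the host to
    the organization, 'unrelated' otherwise."""
    known_domains = {d.lower() for d in known_domains}
    names = [n for n in [obs.cert_cn, *obs.cert_sans] if n]
    for n in names:
        if _in_known_domain(n.lstrip("*."), known_domains):
            return "known", f"certificate name {n} is under an inventoried domain"
    for kw in keywords:
        # Whole-token, case-insensitive match so "ExCorp" does not hit "NextExCorpse".
        pat = re.compile(r"(?<![A-Za-z0-9])" + re.escape(kw) + r"(?![A-Za-z0-9])", re.I)
        for label, text in (("cert org", obs.cert_org), ("banner", obs.banner),
                            ("cert name", " ".join(names))):
            if text and pat.search(text):
                return "shadow-candidate", f"keyword {kw!r} seen in {label}: {text!r}"
    return "unrelated", "no inventory or keyword link"

# Constructed inventory and scan results (hypothetical organization "ExampleCorp").
KNOWN_DOMAINS = {"examplecorp.com"}
KEYWORDS = ("ExampleCorp", "ExCorp Labs")
OBSERVATIONS = [
    Observation("198.51.100.10", cert_cn="www.examplecorp.com", cert_sans=["examplecorp.com"]),
    Observation("198.51.100.23", cert_cn="portal.cloudapp-example.net", cert_org="ExampleCorp Inc."),
    Observation("198.51.100.77", cert_cn="share.files-host.example",
                banner="HTTP/1.1 200 OK\r\nX-Powered-By: ExCorp Labs Portal"),
    Observation("198.51.100.90", cert_cn="unrelated.example", banner="Server: Apache"),
]

def report(observations=OBSERVATIONS, known=KNOWN_DOMAINS, keywords=KEYWORDS):
    """Map each observed IP to its (status, reason) for an analyst to triage."""
    return {o.ip: classify(o, known, keywords) for o in observations}
```

The two shadow candidates are the kind of hosts a domain-only inventory misses: nothing in their hostnames points at the organization, only the certificate organization field or a banner does.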