Experts agree that 2024 will be the year AI invades and transforms work as we know it. With this rise and as remote work becomes the new norm, cyber threats are increasing because employees make common cybersecurity mistakes. One of those mistakes is the rising new trend known as “Shadow IT”—the unsanctioned use of IT systems, hardware, software or services without the approval of the central IT department.
“Shadow IT” is the use of an unapproved tool to access, store or share corporate data, or the use of an approved tool in an unauthorized way. The recent explosive popularity of generative AI applications like ChatGPT has led to a rise in shadow AI, which is the unsanctioned use of artificial intelligence.
The Benefits And Drawbacks Of ‘Shadow IT’
One study found that 80% of company employees adopt “Shadow IT” for their convenience and productivity—they feel they can work more efficiently or effectively using their personal devices and preferred software, instead of the company’s sanctioned IT resources.
To find out more about this phenomenon, I spoke with Kirimgeray Kirimli, president of Flatiron Software, who told me it occurs when an employee chooses a quick fix over company protocols, using computer hardware or software without the team’s knowledge or permission. I asked Kirimli why employees are resorting to this type of under-the-radar behavior. “I’ve seen employees unknowingly create accounts or sign up for services using their personal emails to expedite processes,” he says. “However, when they leave, they need help accessing those accounts, resulting in project delays.”
I also spoke by email with Christopher Budd, director of threat intelligence at Sophos Cybersecurity, who offered several reasons why employees may choose to do this. “One reason is the perception that IT is ‘out of touch’ and not meeting an individual or organization’s particular needs. Another reason can be familiarity: an individual or organization may be more comfortable and familiar with applications than those chosen by central IT. Another reason can be a manifestation of ‘early adopter’ syndrome where an individual or organization wants to adopt new technology faster than the official IT group will.”
“Employees seek out unauthorized software to make their work easier, more efficient, better, or all three,” notes Uzi Dvir, chief information officer at WalkMe. He argues that companies should want their employees to work better and faster and that there are undeniable benefits for both employers and employees using these apps. “However, the fact that employees need to take it upon themselves to find and use unsanctioned software means that they feel something is lacking in the technology tools provided to them,” he adds.
Kirimli agrees that while on the surface this trend might seem beneficial, there’s a downside. “While ‘Shadow IT’ might seem like a quick solution for faster project delivery, its drawbacks are too significant to ignore,” he declares. “Safety standards are compromised, recovering accounts becomes a nightmare and company resources are inefficiently utilized.”
Christopher Budd also concurs, telling me that from a risk management point of view, the risks are huge and the benefits negligible. “There are no actual benefits to ‘Shadow IT’: only illusory ones at best,” he insists. “The drawbacks are clear and huge: data is being stored in locations that the business does not know about; applications are being used that haven’t been vetted for security, privacy and compliance; data can be lost or stolen more easily; the risk of downloading malicious, trojaned or imposter applications is high; because there is no professional IT support, the risks of mistakes and errors that lead to data loss are significantly higher. These are just a few risks, there are more.”
“Convenience is a major reason that shadow IT occurs,” according to Vineet Jain, the co-founder and CEO of Egnyte, a data security startup in Silicon Valley. “Employees sometimes use unauthorized apps or services that make their lives easier—regardless of whether their employer has approved their use of those apps or services. For example, in the early 2000s, cloud technology was becoming more prominent as a way to let workers access the same files and services from any device or share heavy files that couldn’t be attached to emails. Before cloud technology went mainstream, employees were using their own software of choice to access the cloud, bypassing IT in doing so. The cloud eventually got so mainstream that it became a corporate initiative.”
According to Nicolas Desmarais, chair and CEO of AppDirect, “The risk of shadow IT has evolved with the humanization of IT.” He believes the entire issue is completely magnified with the adoption of AI. “Not only are employees using unauthorized technology for their departments, they are now uploading sensitive, corporate information to AI tools that are public and training large language models every day without regulation,” he reveals. “Platforms that empower IT to manage and monitor employees’ use of AI and technology services, like a procurement marketplace, help shift the conversation from IT enforcement, which is failing, to IT enablement, which is the future.”
How To Regulate ‘Shadow IT’
Both “Shadow IT” and “Shadow AI” are growing problems because they are invisible yet carry very real consequences. Kirimli went on to explain that “Shadow IT” is becoming a more significant issue as teams purchase hardware and software without involving IT, which can lead to non-compliance with safety standards and vulnerability to hacking. “Alternatively, a department might abandon hardware, and IT needs to step in to repurpose it so that company resources are well-spent,” he advises.
Dvir points out that it’s not possible to fully secure what cannot be seen, recommending that IT departments first gain visibility into the true user behaviors of their staff in order to provide the safest way for employees to use these tools. “The goal is to increase efficiency while minimizing risk. Luckily the right AI-based digital adoption platform (DAP) should provide this capability from which IT professionals can bring ‘Shadow IT’ and ‘Shadow AI’ out of the shadows and into the light.”
The answer to “Shadow IT” isn’t to figure out how to eliminate it but how to provide employees with the resources they need to meet business objectives at speed and at scale. Dvir suggests that IT departments must step up, stating that, “The onus is on IT departments to not only provide the right tech tools for employees to do their best work in the most efficient way possible, but also to understand the true landscape of the applications and systems being engaged by their team members. Visibility is the key to taming the great threats of ‘Shadow IT’ and burgeoning ‘Shadow AI’.”