Shadow IT

Shadow IT refers to the use of computer hardware (workstations, network devices, telephony), software or online services that have not been approved by the company's IT teams.

The term was coined in an October 2012 article by Gartner analysts Richard F. White and Robert W. Tompkins. They described it as “the use of unauthorized software, hardware, applications, and other technologies within organizations that circumvent official procurement processes and IT controls”.

With the adoption of cloud computing, it has become difficult for companies to know exactly which software their employees use, since even the smallest office tool is now hosted in the cloud. In reality, this situation stems from employee frustration: employees turn to unapproved tools because they believe the IT department has been unable to provide an adequate service, or that their requests for new hardware or software have been ignored. So they look for a solution on their own and, in some cases, try to bypass firewalls.

However, the use of such unauthorized software undermines the mission of the IT teams responsible for guaranteeing the security of information systems.

Why is Shadow IT a problem?

The use of software not approved by IT teams is not a new phenomenon. According to a study, 80% of employees admit to using a cloud application not approved by their company's IT department.

The problem with shadow IT is that users can share sensitive data without realizing it. This data could then be used by attackers for reconnaissance or intrusion purposes.

Every day, company employees engage in risky behavior.

Here are some examples:

  • Sharing a password with a colleague on a messaging service not secured by the IT department, such as Facebook Messenger or WhatsApp;
  • Publishing a file online containing IT data such as an IP address, authentication information (login and password), or the identifier of a server or workstation;
  • Saving customer data belonging to the company on a personal computer;
  • Hosting a file on a cloud platform without encrypting it first.

Without knowing it, users put their company's IT security at risk every day. By publishing confidential data without realizing it, they allow attackers to learn more about the company's security posture:

  • Mapping of the infrastructure,
  • Discovery of the security architecture,
  • Search for vulnerabilities and security flaws.

Many scenarios are possible.

Recall that according to Gartner, 30% of security incidents in 2020 could have been caused by data published on unauthorized online services. We therefore believe that shadow IT is not a phenomenon to be stamped out but one to be managed.

How to frame Shadow IT?

Shadow IT must be framed in order to avoid a future cyberattack. Four precise actions are necessary:

1 Make users aware and put them at the center of the security policy.

It is important to make employees aware of IT risk. By adopting IT hygiene and good practices, employees reduce the risk of their company being compromised.

By placing employees at the center of the company's security policy, they become aware of the risks associated with their daily use of IT tools.

2 Detect unauthorized application services.

The detection of Shadow IT can be done through an IT security audit or by monitoring network flows.

Thanks to the correlation of information flows, the SEKOIA.IO XDR solution provides access to an exhaustive view of the company’s security events.

The SOC team can then quickly identify the workstation in question within the fleet and, from there, its user.

3 Prioritize the risk and offer an alternative.

By analyzing the systems and networks, draw up a list of these unapproved applications. After performing a digital risk analysis, decide whether or not each application should be banned.

Keep in mind that users cannot have access to an application cut off overnight. The ban must therefore be accompanied by a list of alternative solutions.

Give users a grace period, allowing them to migrate their data from the banned application to the new one.

4 Update the list of prohibited applications.

Listing URLs and domains related to a cloud service is not easy.

Using patterns, evolve your SOAR automation scenarios (playbooks) and disable the resolution of these URLs in your proxy. Users will then see a message warning them that this application is no longer authorized within the company.

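Steps 2 and 4 above both come down to matching observed traffic against a catalogue of cloud-service domains. The following is an added example written for this page, not SEKOIA.IO code: it runs a constructed set of proxy log lines (format, hostnames, users and the service catalogue are all assumed) against a pattern list of known SaaS domains, reports which workstations and users reach services IT has not approved (step 2), and derives from the same catalogue the domain list a proxy block rule would need (step 4).

```python
"""Flag unapproved cloud services in proxy logs and derive a proxy blocklist.

Added example, not the page's or SEKOIA.IO's code. The log format
(timestamp host user method url status), the hostnames, the users and
the service catalogue below are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample proxy log lines.
SAMPLE_PROXY_LOG = """\
2024-03-01T08:02:11Z WS-0412 alice GET https://docs.corp-approved.example/file/123 200
2024-03-01T08:05:47Z WS-0412 alice POST https://www.dropbox.com/upload 200
2024-03-01T08:06:02Z WS-0299 bob GET https://api.dropboxapi.com/2/files/list_folder 200
2024-03-01T08:09:30Z WS-0733 carol GET https://web.whatsapp.com/ 200
2024-03-01T08:11:15Z WS-0299 bob GET https://intranet.corp-approved.example/ 200
2024-03-01T08:12:48Z WS-0102 dave GET https://wetransfer.com/downloads/abc 200
"""

# Constructed service catalogue: one service is usually reachable through
# several domains, which is why this list is hard to maintain by hand and
# should feed the proxy and the SOAR playbook from a single place.
SERVICE_DOMAINS = {
    "Dropbox": ["dropbox.com", "dropboxapi.com"],
    "WhatsApp": ["whatsapp.com", "whatsapp.net"],
    "WeTransfer": ["wetransfer.com"],
}

# Services explicitly approved by the IT department (constructed).
APPROVED_SERVICES = {"WeTransfer"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.IGNORECASE)


def url_host(url):
    """Return the lower-cased host part of a URL, or None if it has none."""
    m = URL_HOST_RE.match(url)
    return m.group("host").lower() if m else None


def classify_host(host):
    """Map a destination host to a catalogued service by domain suffix."""
    for service, domains in SERVICE_DOMAINS.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return service
    return None


def find_shadow_it(log_text):
    """Return {service: sorted [(workstation, user), ...]} for unapproved services.

    Lines that do not parse or that reach unknown or approved destinations
    are ignored; the result is what a SOC analyst needs to contact the user.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = url_host(m.group("url"))
        if host is None:
            continue
        service = classify_host(host)
        if service is not None and service not in APPROVED_SERVICES:
            findings[service].add((m.group("host"), m.group("user")))
    return {service: sorted(pairs) for service, pairs in sorted(findings.items())}


def proxy_blocklist():
    """Domains the proxy should refuse to resolve: every catalogued service
    that is not approved. Derived from the same catalogue as detection so the
    two cannot drift apart."""
    blocked = []
    for service, domains in SERVICE_DOMAINS.items():
        if service not in APPROVED_SERVICES:
            blocked.extend(domains)
    return sorted(blocked)


if __name__ == "__main__":
    for service, pairs in find_shadow_it(SAMPLE_PROXY_LOG).items():
        for workstation, user in pairs:
            print(f"{service}: {workstation} ({user})")
    print("proxy blocklist:", ", ".join(proxy_blocklist()))
```

The catalogue is the single source of truth: the detection pass and the proxy rule read the same table, so adding a newly discovered domain for a service (or moving a service into the approved set after the risk analysis of step 3) updates both at once.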
As we have seen, the management of shadow IT must be done through a set of steps. After having detected and then analyzed the risk associated with the use of these applications:

  • Raise awareness among the users/employees concerned by the use of unauthorized tools,
  • and guide them towards an alternative.

Thank you for reading this content on shadow IT.
