Shadow IT

Shadow IT refers to the use of computer hardware (workstations, network devices, telephony), software or online services that have not been approved by the company’s IT teams.

The term was coined in an October 2012 article by Gartner analysts Richard F. White and Robert W. Tompkins. They described it as “the use of unauthorized software, hardware, applications, and other technologies within organizations that circumvent official procurement processes and IT controls”.

With the adoption of cloud computing, it has become genuinely difficult for companies to know exactly which software their employees use, since even the smallest office productivity tool is now hosted in the cloud. In practice, this situation stems from employee frustration: employees turn to unapproved tools because they believe the IT department has been unable to provide an adequate service, or that their requests for new hardware or software have been ignored. So they look for a solution on their own and, in some cases, try to bypass firewalls.

However, the use of this unauthorized software compromises the mission of IT teams responsible for guaranteeing the security of information systems.

Why is Shadow IT a problem?

The use of software not approved by IT teams is not a new phenomenon. According to a study, 80% of employees admit to using a cloud application not approved by their company’s IT department.

The problem with shadow IT is that a user can share sensitive data without realising it. That data can then be used by attackers for reconnaissance or intrusion purposes.

Every day, company employees engage in risky behavior.

Here are some examples:

  • Sharing a password with a colleague on a messaging service not secured by the IT department, such as Facebook Messenger or WhatsApp;
  • Publishing a file online that contains technical data such as an IP address, authentication information (login and password), or the identifier of a server or workstation;
  • Saving customer data belonging to the company on a personal computer;
  • Hosting a file on a cloud platform without encrypting it first.

Without knowing it, users put their company’s IT security at risk every day. By unwittingly publishing confidential data, they allow attackers to learn more about the company’s security posture:

  • Mapping of the infrastructure,
  • Discovery of the security architecture,
  • Search for vulnerabilities and security flaws.

Many scenarios are possible.

Recall that according to Gartner, 30% of security incidents in 2020 could have been caused by data published on unauthorized online services. We therefore believe that shadow IT is not a phenomenon to be stemmed, but one to be managed.

How to frame Shadow IT?

Shadow IT must be framed in order to avoid a future cyberattack. Four precise actions are necessary:

1 Make users aware and put them at the center of the security policy.

It is important to make employees aware of IT risk. By adopting IT hygiene and good practices, employees reduce the risk of their company being hacked.

By placing employees at the center of the company’s security policy, they become aware of the risks associated with their daily use of IT tools.

2 Detect unauthorized application services.

The detection of Shadow IT can be done through an IT security audit or by monitoring network flows.

By correlating information flows, the SEKOIA.IO XDR solution gives an exhaustive view of the company’s security events.

The SOC team can then quickly identify the workstation concerned within the IT estate and, from there, identify its user.

3 Prioritize the risk and offer an alternative.

By analyzing the systems and networks, draw up a list of the unapproved applications in use. After performing a digital risk analysis, decide whether or not each application should be banned.

Keep in mind that users cannot have their access to an application cut off overnight. The ban must therefore come with a list of alternative solutions.

Give users a grace period, allowing them to migrate their data from the banned application to the new one.

4 Update the list of prohibited applications.

Listing all the URLs and domains related to a cloud service is not easy.

Using patterns, extend your SOAR automation scenarios (playbooks) and block the resolution of these URLs in your proxy. Users will then see an information message warning them that this application is no longer authorized within the company.
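The detection step (correlating flows to find the workstation and its user) and the blocklist step (pattern-based domains for a service whose hosts cannot all be enumerated) can be illustrated together. The following is an added example, not SEKOIA.IO code: the proxy log lines, the service list and the `.example` domains are constructed; only WhatsApp comes from the article's own examples.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (sample data, not a real capture):
# timestamp  workstation  user  destination-host  path
PROXY_LOG = """\
2024-03-04T09:12:01Z ws-0142 alice app.unsanctioned-drive.example /upload
2024-03-04T09:12:07Z ws-0142 alice cdn.unsanctioned-drive.example /static/app.js
2024-03-04T09:13:30Z ws-0077 bob intranet.corp.example /wiki
2024-03-04T09:14:02Z ws-0077 bob web.whatsapp.com /
2024-03-04T09:15:45Z ws-0201 carol filedrop.example /share/9f3a
2024-03-04T09:16:10Z ws-0201 carol www.filedrop.example /share/9f3a/dl
"""

# Hypothetical outcome of the risk analysis. One registered domain per service
# stands for all of its hosts; "grace" means users may still migrate their data.
SERVICES = [
    {"name": "unsanctioned-drive", "domain": "unsanctioned-drive.example", "status": "banned"},
    {"name": "whatsapp", "domain": "whatsapp.com", "status": "banned"},
    {"name": "filedrop", "domain": "filedrop.example", "status": "grace"},
]

# Each pattern matches the registered domain itself or any subdomain of it,
# but not look-alikes such as "notfiledrop.example".
MATCHERS = [
    (re.compile(r"(^|\.)" + re.escape(s["domain"]) + r"$", re.IGNORECASE), s)
    for s in SERVICES
]

def classify_flow(dest_host):
    """Return the matching unauthorized service, or None for sanctioned destinations."""
    for rx, svc in MATCHERS:
        if rx.search(dest_host):
            return svc
    return None

def detect_shadow_it(log_text):
    """Map each unauthorized service to the (workstation, user) pairs that reached it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        _ts, ws, user, host, _path = line.split()
        svc = classify_flow(host)
        if svc:
            hits[svc["name"]].add((ws, user))
    return {name: sorted(pairs) for name, pairs in hits.items()}

def proxy_blocklist():
    """Domains to deny at the proxy: banned services only; grace-period ones stay reachable."""
    return sorted(s["domain"] for s in SERVICES if s["status"] == "banned")
```

Feeding `detect_shadow_it(PROXY_LOG)` into a SOAR playbook gives the SOC the per-workstation list to act on, while `proxy_blocklist()` is the pattern list to push to the proxy once a grace period ends.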


As we have seen, managing shadow IT is a matter of following a set of steps. After detecting the applications and analyzing the risk associated with their use:

  • Raise awareness among the users/employees concerned by the use of unauthorized tools;
  • Guide them towards an alternative.

Thank you for reading this content on managing shadow IT.

If you want to find out how SEKOIA.IO can detect and then block unauthorized software, make an appointment with an expert.
