Shadow IT is a term we use often when talking to our clients, because it neatly sums up the space that End User Computing applications, spreadsheets included, occupy within an organization. It is worth explaining exactly what Shadow IT is, and the risks and challenges that come with it.

Shadow IT Defined

Shadow IT encompasses the applications, systems, devices and services used within an organization without the explicit approval or management of its IT department. Often these applications integrate with, and work alongside, enterprise IT systems (SAP, IBM OpenPages, etc.) to run the day-to-day business processes that organizations rely on.

Many businesses will have found that their Shadow IT estate has grown rapidly in recent years, with the rise of cloud computing and of collaboration tools such as Google Docs, Office 365, Slack and Dropbox. BYOD policies have also contributed to the increase, because IT teams cannot fully control employees' use of personal devices or the software installed on them.

While Shadow IT applications can often improve users' productivity and efficiency, the risks associated with these tools are often overlooked.

The Risks of Shadow IT

Without any visibility or controls, Shadow IT applications present a headache for the IT and Risk departments responsible for ensuring data security and regulatory compliance across a business. Gartner estimates that by 2020, one-third of successful attacks experienced by enterprises will be on data located in Shadow IT resources, meaning the pressure is on to ensure that these resources are used in a controlled and safe way.

If businesses are to enable their end users to use Shadow IT safely, they must take into account its numerous risks:

  • Loss of control of key data – an unauthorized USB memory stick or a manipulated Excel macro puts data security at risk. Poor-quality data can lead to missed opportunities, misreporting and issues with regulators. It can also expose a business to contractual breaches and other problems that drive reputational risk.
  • Educating users – without centralized IT control over the applications and devices that fall under Shadow IT, educating end users is key to maintaining security. Many users complete their everyday tasks unaware of the risk that a simple spreadsheet or a personal Dropbox account can pose to their business. Keeping users informed of these risks is a significant challenge.
  • Ensuring compliance – the presence of unmanaged software makes it harder to demonstrate compliance with the different regulations applicable to the organization, such as SOX, CCAR/DFAST and SR 11-7. Without a clear audit trail or automated reporting, businesses often fall back on manual processes to achieve compliance, costing time and money that could be better spent elsewhere.

Regulators are starting to take note of the risks posed by Shadow IT: the PRA and FCA issued a discussion paper outlining their approach to Operational Resilience in the UK Financial Services sector. Among other things, the paper covers the need for financial institutions to ensure the confidentiality of their data, which effectively brings Shadow IT applications, such as spreadsheets, under regulatory scrutiny.

See our whitepaper for more information on Operational Resilience, Shadow IT and how to prepare your business to mitigate the risks.
