Shadow IT: An Underestimated Risk

Using Shadow IT is a security risk for the German economy, according to the recent Security Report 2016 by eco - Association of the Internet Industry. The alarming result comes from a survey of 580 IT experts in German, mostly medium-sized, companies. Shadow IT is a catchword for unauthorised hardware, software and cloud services that exist independently of an organization's IT and endanger sensitive corporate data. Around one third of the surveyed experts believed that Shadow IT is being used in their companies; 23 percent think this happens on a considerable scale. Only 16 percent said there was none. But what makes applications that seem to make sense for the user so dangerous for companies? And how can more companies go from the shadow to the sunny side of IT?

Björn Bröhl, Head of Marketing Communications & Sales, comments:

“Many companies underestimate the security risks that come with Shadow IT. It develops over time and co-exists as an unofficial system independent from the official one. IT departments do not always know about these sub-systems: other departments may, for example, transfer whole functional fields into the cloud without ever consulting internal IT experts. In these scenarios, the wish to improve department processes brings into existence a new Shadow IT system which collides with the organisation's security requirements – an unwanted effect that individual departments will often not understand in all its consequences.

Shadow IT Makes Companies Vulnerable to Attacks

There is one great problem with these systems that run under the IT department's radar: they are neither strategically nor technically integrated into the organization's IT service management. Consequently, they do not meet the data security, data integrity, and data protection requirements as defined in the IT guidelines, thus making corporate IT vulnerable to outside threats.

What is more, Shadow IT will not be taken into account for digital transformation development and can, in a worst-case scenario, cause technical problems in co-operation with official IT systems.

Problems with Compliance Requirements

More potential for conflict comes from compliance. Using Shadow IT often goes along with the establishment of processes within individual departments that violate compliance rules. However, it must be noted that there are compliance breaches even earlier in introducing and using Shadow IT.

Fighting Shadow IT

From an individual department's perspective, implementing Shadow IT may be plausible. For management and IT, however, the risks will outweigh the benefits. How can digital transformation be successful with hidden IT that is not managed by an organization's IT experts? How can an integrating solution be implemented across an organization when individual employees stick with their own development, Access application, or Excel file? Another, even more central, question: how can IT security and compliance be guaranteed with numerous applications that only selected users know about?

This is why fighting Shadow IT must be a central issue on any company's agenda. Their vulnerability through sub-systems grows with the development of digitalization. Our experience suggests that constructive dialogue is a good first step. The departments are made aware of the issue and can explain why authorized systems do not meet their needs. Initiating this dialogue and identifying existing Shadow IT is the first hurdle to remove these hidden structures.”
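Identifying existing Shadow IT, as the comment above recommends, usually starts with data the IT department already has: the web-proxy or firewall logs. The script below is an added example, not code from the original post or from Trivadis; it assumes a simplified, constructed proxy log format (timestamp, user, department, destination host, bytes sent) and a hypothetical allowlist of sanctioned services. It groups traffic to unsanctioned external hosts by department and reports services that several users of the same department rely on, which is exactly the "whole functional field moved to the cloud" pattern described above. Sample log lines and host names are constructed for the example.

```python
"""Flag candidate Shadow IT services from proxy logs (added example).

Assumed log format (constructed, one request per line):
    <timestamp> <user> <department> <destination-host> <bytes-sent>
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample proxy log: a sales team and a marketing team have
# adopted an external file-sharing service; finance uses a sanctioned CRM
# plus one unsanctioned spreadsheet service used by a single person.
SAMPLE_LOG = """\
2017-02-21T08:01:12Z alice sales files.cloud-share.example 5242880
2017-02-21T08:03:40Z bob sales files.cloud-share.example 1048576
2017-02-21T08:05:02Z carol sales files.cloud-share.example 2097152
2017-02-21T08:07:19Z dave finance crm.corp.example 4096
2017-02-21T08:09:55Z erin finance sheets.quick-db.example 65536
2017-02-21T08:12:30Z frank marketing mail.corp.example 2048
2017-02-21T08:15:44Z grace marketing files.cloud-share.example 10485760
2017-02-21T08:18:01Z heidi marketing files.cloud-share.example 524288
"""

# Hypothetical allowlist maintained by the IT department: services that are
# integrated into IT service management and covered by the IT guidelines.
SANCTIONED_HOSTS: Set[str] = {"crm.corp.example", "mail.corp.example"}


@dataclass
class Finding:
    host: str          # unsanctioned destination
    department: str    # department whose users talk to it
    users: int         # distinct users seen
    bytes_sent: int    # upload volume, a proxy for how much data lives there


def parse_line(line: str) -> Tuple[str, str, str, int]:
    """Split one constructed log line into (user, department, host, bytes)."""
    _timestamp, user, department, host, nbytes = line.split()
    return user, department, host, int(nbytes)


def find_shadow_services(log_text: str,
                         sanctioned: Set[str] = SANCTIONED_HOSTS,
                         min_users: int = 2) -> List[Finding]:
    """Return unsanctioned hosts used by at least `min_users` people of one department.

    A single user trying a tool is noise; several colleagues uploading to the
    same external service is the department-level Shadow IT the text describes.
    """
    users: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    volume: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, department, host, nbytes = parse_line(line)
        if host in sanctioned:
            continue  # official system, nothing to flag
        key = (host, department)
        users[key].add(user)
        volume[key] += nbytes
    findings = [Finding(host, department, len(seen), volume[(host, department)])
                for (host, department), seen in users.items()
                if len(seen) >= min_users]
    # Most widely adopted (and then most data) first, so the report starts
    # with the services that matter most for the dialogue with departments.
    findings.sort(key=lambda f: (-f.users, -f.bytes_sent))
    return findings


if __name__ == "__main__":
    for f in find_shadow_services(SAMPLE_LOG):
        print(f"{f.department:<10} {f.host:<28} users={f.users} bytes={f.bytes_sent}")
```

The report is a conversation starter, not proof of a policy breach: a host that shows up here is the point where IT asks the department why the sanctioned tools did not meet its needs. Lowering `min_users` to 1 also lists the single-user services, which is useful for a full inventory but noisier.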

Trivadis triCast on Shadow IT

We hosted a webcast on Shadow IT on February 21, 2017 where we explained the risks and opportunities from using Shadow IT, and gave practical advice on how companies can work on solving the problem. Click here for a recording and the corresponding material.


Further Information:

Image source (chess piece): Pixabay/Pexels
