The practice of users using unauthorized technology resources to bypass their IT department is known as “shadow IT.”

When users believe that their current IT policies are excessively restrictive or interfere with their ability to perform their jobs efficiently, they may turn to shadow IT techniques.

IT shadows are nothing new

Over the years, there have been a number of instances of extensive Shadow IT use. For example, in the early 2000s, many companies were reluctant to use Wi-Fi because they feared it might compromise their security measures. However, customers frequently installed wireless access points without the IT department’s knowledge or approval because they preferred the convenience of using wireless devices.

The iPad experienced the same situation when it first gained popularity. Because group policy settings and other security measures cannot be applied to iPads, IT departments generally prohibit their use of business data. However, users often ignored IT and continued to use iPads.

Of course, IT professionals finally learned how to secure iPads and Wi-Fi and began implementing them. However, the use of Shadow IT is not always a success story. Users who inadvertently use Shadow IT can potentially cause serious harm to the organization.

The issue of Shadow IT usage still exists today

If anything, the use of Shadow IT has grown over the past few years. For instance, Gartner discovered that between 30 and 40 percent of IT investments (in a large organization) were used to finance Shadow IT in 2021.

Remote work is one factor contributing to the rise of Shadow IT use. It’s easier for users to avoid the IT department’s attention when working from home than when trying to use unlicensed technology inside the corporate office. According to a study by Core, COVID regulations for remote work boosted the use of Shadow IT by 59 percent.

The fact that it is now easier than ever for a user to get around the IT department is another factor contributing to the rise of Shadow IT. Let’s assume for a moment that an IT department rejects a user’s request to deploy a specific workload.

Motivated users can easily create a cloud account using their business credit card. IT won’t have access to this account and may not even be aware that it exists because it is an independent tenant. This gives the user complete impunity to carry out their illicit workload.

In fact, according to a 2020 study, 80% of employees admitted to utilizing unapproved SaaS applications. In addition, the average company’s Shadow IT cloud may be 10X larger than the company’s authorized cloud usage, according to the same study.

Given how easy it is for a user to use Shadow IT, it’s absurd for IT to think that Shadow IT doesn’t exist or that they will be able to identify it. Therefore, the best course of action might be to educate consumers about the dangers of Shadow IT. A person with little IT experience could inadvertently increase security vulnerabilities by using Shadow IT. 60 percent of businesses, according to a Forbes Insights survey, do not consider shadow IT in their security assessments.

Similar to this, using Shadow IT could have legal consequences for a company. In reality, it is often compliance auditors, not IT staff, who ultimately find Shadow IT use.

Of course, educating users alone won’t be enough to stop the usage of Shadow IT. Inevitably, there will be users who choose to ignore the precautions. Likewise, accommodating user requests for specific technologies may not always be in the organization’s best interest. There are plenty of obsolete or poorly developed programmes that could cause serious harm to your company. Forget about programmes that are known to monitor users.

Adopting zero trust may be one of the greatest ways to cope with Shadow IT problems

According to the zero-trust ideology, nothing in your organization should be taken as automatically trustworthy. Each time a device or user tries to access a resource, their identity must be verified.

A zero-trust architecture has many different components, and each organization uniquely implements zero-trust. For instance, some organizations utilize conditional access policies to regulate resource access. In this way, a company doesn’t merely give a user unrestricted access to a resource; instead, it takes into account the user’s intended method of access. Setting limits based on the user’s location, device kind, time of day, or other variables may be necessary.

What is Shadow IT

Increasing the security of the help desk is among the most crucial things a company can do to implement zero trust. Unfortunately, help desks in most businesses are prey to social engineering attempts.

The help desk employee answers the phone when a user calls for a password reset, assuming the caller is whom they say they are, when in fact, the caller could actually be a hacker trying to gain access to the network by calling and requesting a password reset. Password reset requests that are approved without verifying user identity go against what zero trust stands for.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center