Uncovering and Fixing Shadow IT
How to fix the No. 1 challenge of modern IT & Security teams: Shadow IT
- Over 60% of the apps used in companies are Shadow IT.
- Because it's impossible to protect what you don't know, Shadow IT has become the No. 1 challenge for modern IT and Security teams:
- Over 80% of security breaches are identity-related, largely driven by Shadow IT.
- The more access identities have, the greater the exposure to insider and outsider threats as well as vendor risks.
- But why has gaining visibility into apps become so difficult? How do shadow tools turn into ticking security bombs? And what can companies do to regain control? Discover insights from leading IT and Security experts in this practical guide.
For a second, imagine the employees in your company can rent and lease cars at any time. They do this directly, without informing anyone. Still, they do it in the name of the company.
Some employees take sensitive documents with them into the cars—and just leave them there. Some people rent multiple cars but don't really use them. Some cars are just parked and never returned.
Additionally, most people use the same key for all their cars—so if you have one key, you get access to several other cars, including the sensitive documents.
And you, as the central person in charge, have lost control—which is not your fault at all.
This is a scenario that no company in the world would ever accept. Yet, companies do accept the very same thing with regards to the apps their employees access.
That's why Shadow IT is the No. 1 challenge for modern IT and security teams.
1: Why Shadow IT is exploding
Up to 60% of the software used in companies is unknown:
There are three key reasons why Shadow IT is out of control in almost every fast-moving company.
There is an app for everything
With the explosion of SaaS apps, APIs, LLMs, etc. there is a tool for everything. Marketing, Sales, Product, Design, Engineering, DevOps, Finance, HR, Operations, Project Management, Legal—every function is literally leveraging apps.
This vast availability enables employees to find and use applications that meet their specific needs—increasing productivity. But this comes at a high cost: the more applications available, the greater the visibility challenge for IT & Security teams.
Distributed access
It's not just that there's an app for everything; the way we access these apps has also significantly changed: Nowadays, employees directly access and introduce applications, which is a fundamental paradigm shift in IT.
In other words, BYOD ("Bring Your Own Device") has evolved into "Bring Your Own App", and IT & Security are in the dark. This explicitly includes the vast number of freemium apps, which are introduced without even Finance noticing because no invoice is ever raised. An unknown free app carries the same security risk as an unknown paid one.
As a consequence, every employee has become a "little IT admin", managing tools, granting access, and revoking permissions. That means: IT security and compliance have become distributed responsibilities.
However, most employees lack the expertise to contribute to this responsibility—which is not their fault.
Lack of security knowledge
Employees are now responsible for important aspects of IT security and compliance but lack the required expertise. Yet they are the ones who approve and remove access for the apps they own, who should check security settings like MFA, and who should ensure that no sensitive data ends up in their applications without permission. How can employees handle these responsibilities accurately if they have never been trained in security?
2: Why Shadow IT is a major security and compliance issue
Over 80% of security breaches are identity-related, and Shadow IT significantly drives these risks. The more access identities have, the higher the risk of an incident.
How Shadow IT becomes a security threat
A very simple but very true rule in security says that you cannot protect what you do not know. This means that tools unknown to IT cannot be properly secured.
Generally speaking, there are three areas where Shadow IT increases the likelihood of a security incident:
Increased Insider Risks due to a lack of monitoring
Companies with a large amount of Shadow IT are especially prone to Insider Risks.
Insiders are employees, contractors, or partners, essentially everyone with access rights. Insider threats can be malicious or unintentional:
- Malicious insider: An insider intentionally leaks sensitive data.
- Negligent insider: Data is leaked through careless behavior, e.g., an employee uploading sensitive data to an unsecured database.
- Accidental insider: An employee clicks on a phishing email, leading to a malware infection or stolen credentials.
Because of the trust and access insiders are granted, Insider Risks are especially challenging to detect.
The equation is simple: the more access points created by unknown tools, the higher the Insider Risk, whether malicious or unintentional. Why? Because IT teams cannot ensure that single sign-on (SSO), two-factor authentication (2FA), or data loss prevention (DLP) are activated on applications they are not aware of, to mention just a few typical controls.
Outsider risks in dormant accounts
Dormant (i.e. inactive) accounts are a typical consequence of Shadow IT and pose a significant risk. These accounts can belong to:
- Employees who have stopped using a tool.
- Former employees who have left the company and whose access was never removed, because nobody in IT knew the account existed.
Dormant accounts are a typical entry point for outsiders. Attackers take them over through credential stuffing with passwords reused from other breaches (the "one key for every car" problem from the introduction), password spraying, or brute forcing.
Why are dormant accounts so critical when it comes to outsider activity? Nobody is watching them, so a spike in failed logins, a login from an unusual location, or a newly created API token goes unnoticed, giving attackers more time. And time is critical in security.
Once attackers are in via a dormant account, they use it as a foothold to reach other software and systems in the company, moving laterally and potentially causing extensive damage.
That’s why Shadow IT is a strong driver of Outsider Risks.
Vendor Risks
When employees use unauthorized tools, they may store sensitive data on platforms that do not comply with the company's security standards. Coming back to the comparison with rental cars at the top: imagine a company has a policy that employees can only rent cars that have a valid technical certificate and that are properly registered—but nobody actually takes that into account. That’s a vendor risk.
If employees store data in tools with a weak security posture, those tools may leak it. Since IT and Security teams are unaware of these Shadow IT applications, they cannot apply any internal protective measures, which makes Shadow IT a typical driver of Vendor Risks.
Recent data breaches
Recent data breaches have underscored the severe risks associated with Shadow IT and shadow data.
For instance, Santander and Ticketmaster experienced significant breaches in 2024 through their accounts at the data cloud provider Snowflake. The Santander breach impacted 30 million customers and employees, compromising account details and credit card numbers; the Ticketmaster breach affected 560 million customers. According to the investigation published by Snowflake and Mandiant, the attackers logged in with customer credentials that infostealer malware had harvested, some of them years earlier, on accounts that had no multi-factor authentication enabled. A demo account belonging to a former Snowflake employee was also compromised, although it held no customer data. Both patterns are exactly what Shadow IT produces: long-lived credentials nobody rotates, accounts nobody reviews, and security settings nobody has checked.
Similarly, the 2024 breach at AT&T affected 73 million customers, exposing sensitive information such as names, addresses, phone numbers, and Social Security numbers. A group known as ShinyHunters accessed data dating from 2019 or earlier and released it on the dark web. Initially, AT&T denied that the data had come from its systems, but later confirmed its legitimacy when account passcodes were found in the leaked archive, forcing a reset of passcodes for 7.6 million current accounts.
Again, you can’t protect what you don't know …
Shadow IT, certifications, and GDPR
Security breaches are one negative consequence of Shadow IT—non-compliance with your certifications and regulations is another.
Certifications
Companies certified under ISO 27001 or SOC 2 cannot afford a significant amount of Shadow IT, as it undermines the asset inventory and access control controls those frameworks require. Non-compliance can lead to financial damages, as most companies hold these certifications to meet the security standards their customers demand.
GDPR
Also, unauthorized applications lacking GDPR standards can become an issue for companies. If employees use non-GDPR compliant apps and store customer data on these apps, your company could be found in violation of GDPR regulations. If your IT team is not aware of this, they can't take any proactive measures to prevent these violations.
3: How to fix Shadow IT
Given the distributed nature of access to apps, APIs, and LLMs, tackling Shadow IT is very complex.
However, IT and Security teams are not helpless. They can fight back and regain control with effective Shadow IT management.
By far, the most impactful way to fight the origins of Shadow IT is by implementing proper Access Management.
Asset Inventory
- Establish an Asset Inventory: List all your apps in an asset overview. Differentiate between sanctioned applications (approved and managed by IT) and non-sanctioned ones, and mark which sanctioned apps are business-critical, as those need the strictest controls. Every employee should contribute to the asset inventory.
- Step 1: Hands-on Approach for Younger Companies: Start with a simple, hands-on approach. Use a spreadsheet to track applications. While this method is not scalable in the long term, it's a good start for smaller or younger companies.
- Step 2: Use Software Solutions: Utilize software solutions that provide visibility into all apps. These tools automatically discover and categorize applications used within your organization, typically by combining identity-provider sign-in logs, OAuth consent grants, browser and endpoint telemetry, and expense or invoice data.
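To make the discovery step concrete, here is an added example (not the guide's own tooling and not any vendor's export format) of what such a tool does under the hood: it parses identity-provider audit events, merges them with an expense export, and lists every app that is not on the sanctioned list, ranking apps whose OAuth grants touch company data first. The JSON-lines schema, the app names, users, amounts and the list of "data" scope prefixes are all constructed assumptions; real scope names differ per identity provider.

```python
"""Shadow-app discovery from identity-provider audit events and expense data.

Added example, not the guide's own tooling. The event format below is an
assumed generic JSON-lines schema, not any vendor's export; the app names,
users and amounts are constructed for illustration.
"""
import json
from collections import defaultdict

# Apps that went through the approval process (constructed)
SANCTIONED = {"crm", "git", "mail", "ci"}

# Constructed IdP audit export: SSO logins to known apps and OAuth consents
# that users granted to third-party apps with their company identity.
AUDIT_LOG = """\
{"ts":"2024-09-01T09:12:00Z","user":"alice@example.com","event":"sso_login","app":"crm"}
{"ts":"2024-09-01T09:40:00Z","user":"alice@example.com","event":"oauth_consent","app":"SlideGenie","scopes":["openid","email","drive.readonly"]}
{"ts":"2024-09-02T11:05:00Z","user":"bob@example.com","event":"oauth_consent","app":"SlideGenie","scopes":["openid","email"]}
{"ts":"2024-09-02T14:30:00Z","user":"bob@example.com","event":"sso_login","app":"git"}
{"ts":"2024-09-03T08:15:00Z","user":"carol@example.com","event":"oauth_consent","app":"notetaker-ai","scopes":["openid","mail.read","offline_access"]}
{"ts":"2024-09-03T08:16:00Z","user":"carol@example.com","event":"sso_login","app":"mail"}
not valid json: exports often contain a trailer line like this
"""

# Constructed expense export (vendor, amount, requester). Freemium apps never
# show up here, which is why the IdP log is the primary source.
EXPENSES = [
    ("SlideGenie", 49.00, "alice@example.com"),
    ("DesignBoard", 120.00, "dave@example.com"),
]

# Assumption: scopes whose first segment is one of these grant access to company
# data rather than just identity. Real scope names differ per identity provider.
DATA_SCOPE_PREFIXES = {"drive", "mail", "files", "contacts", "offline_access"}


def parse_events(text):
    """Yield one dict per well-formed JSON line, skipping junk lines."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_data_scope(scope):
    """True if the scope's first segment is on the data-access list ("email" is not)."""
    return scope.lower().split(".")[0] in DATA_SCOPE_PREFIXES


def build_inventory(audit_text, expenses):
    """Merge both sources into one record per app, keyed by lower-cased name."""
    apps = defaultdict(lambda: {"users": set(), "sources": set(), "data_scopes": set()})
    for ev in parse_events(audit_text):
        rec = apps[ev["app"].lower()]
        rec["users"].add(ev["user"])
        rec["sources"].add("idp")
        rec["data_scopes"].update(s for s in ev.get("scopes", []) if is_data_scope(s))
    for vendor, _amount, requester in expenses:
        rec = apps[vendor.lower()]
        rec["users"].add(requester)
        rec["sources"].add("expenses")
    return dict(apps)


def shadow_apps(inventory, sanctioned):
    """Return unsanctioned apps, most dangerous first: data-scoped grants, then reach."""
    shadow = {name: rec for name, rec in inventory.items() if name not in sanctioned}
    return sorted(shadow.items(),
                  key=lambda kv: (not kv[1]["data_scopes"], -len(kv[1]["users"]), kv[0]))


if __name__ == "__main__":
    for name, rec in shadow_apps(build_inventory(AUDIT_LOG, EXPENSES), SANCTIONED):
        print(f"{name:14} users={len(rec['users'])} sources={sorted(rec['sources'])} "
              f"data_scopes={sorted(rec['data_scopes'])}")
```

Run as-is, the script lists SlideGenie first (two users, a drive-read grant, and it shows up in both sources), then the AI note-taker (one user, but mail-read plus offline_access, i.e. a long-lived refresh token), and last the paid design tool that only Finance knows about. The ranking is the point: an inventory of unknown apps is only useful if it tells you which ones to chase first.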
Employee-friendly Access Controls
- Implement Access Controls: Establish a robust Access Management process. Strict access controls are essential to manage and prevent further Shadow IT. This process should follow the principle of least privilege—i.e., employees only get access to the very applications they really need, avoiding over-provisioning.
- Winning employees: Any access management approach is worthless if you can’t ensure that your employees adhere to it. Here’s how to achieve this:
- Explain to your employees why access controls matter; make this a management priority!
- Implement an approach that is easy to follow. If you create a cumbersome process monster, people will not follow it and might even proactively work against it.
- Incorporate value for employees. While you want to limit access and implement least privilege, help your teams get access to all actually needed tools as quickly and seamlessly as possible. This will drive employee compliance with your process.
RBAC
- Role-Based Access Control (RBAC): Use RBAC to grant employees access only to the apps they need for their roles. This minimizes the risk of unauthorized access and ensures that permissions are aligned with job responsibilities.
- Time-Based Access: Any exception to the role model should be time-bound and expire automatically, so that a one-off grant does not silently become permanent access.
Access Reviews
- Run regular Access Reviews: Conduct regular access reviews, ideally quarterly. These reviews are a valuable way to remove unused seats and ensure access permissions are aligned with current job roles and responsibilities. Often overlooked, access reviews not only significantly enhance your security posture but also reduce SaaS costs by eliminating unused subscriptions.
Clear Offboarding Process
- Offboarding Checklist: Implement a clear offboarding checklist, backed by a policy that every single seat has to be removed in any user offboarding. Normally, either team leaders or app owners carry this out, with IT in charge of the overall process.
- Sync visibility and offboarding: Use your asset inventory (see above) as your baseline. No visibility, no proper offboarding.
- Automated Deprovisioning: Use automated deprovisioning tools to revoke access to all company resources immediately when an employee leaves the organization. This is the second step, once the inventory exists.
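As an added example (not the guide's own tooling), the script below shows what a quarterly access review and an offboarding check look like once the inventory exists: it joins an HR roster, the role model with its time-bound exceptions, and per-app seat exports, and emits one finding per problem, covering the dormant accounts from section 2, the RBAC exceptions and the access review above, and the offboarding checklist. All names, dates, the role map and the 90-day dormancy threshold are constructed assumptions.

```python
"""Access-review reconciliation: HR roster x role model x per-app seat exports.

Added example, not the guide's own tooling. Every name, date and threshold
below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2024, 9, 30)            # constructed review date
DORMANT_AFTER = timedelta(days=90)   # assumption: 90 days without login = dormant

# HR roster: the single source of truth for who still works here (constructed)
ROSTER = {
    "alice@example.com": {"role": "sales", "status": "active"},
    "bob@example.com":   {"role": "engineering", "status": "active"},
    "carol@example.com": {"role": "marketing", "status": "terminated",
                          "left": date(2024, 6, 15)},
}

# RBAC: which apps each role is entitled to (constructed)
ROLE_APPS = {
    "sales": {"crm", "mail"},
    "engineering": {"git", "ci", "mail"},
    "marketing": {"mail", "design"},
}

# Time-bound exceptions outside the role model: (user, app) -> expiry (constructed)
EXCEPTIONS = {
    ("alice@example.com", "design"): date(2024, 10, 31),   # still valid
    ("bob@example.com", "crm"): date(2024, 8, 1),          # expired, never cleaned up
}

# Seat exports pulled from each app's admin console: (app, user, last_login) (constructed)
SEATS = [
    ("crm", "alice@example.com", date(2024, 9, 28)),
    ("mail", "alice@example.com", date(2024, 9, 29)),
    ("design", "alice@example.com", date(2024, 9, 20)),
    ("git", "bob@example.com", date(2024, 9, 30)),
    ("ci", "bob@example.com", date(2024, 5, 1)),          # unused for months
    ("crm", "bob@example.com", date(2024, 9, 1)),         # exception ran out
    ("design", "carol@example.com", date(2024, 6, 10)),   # left in June, seat still there
    ("mail", "dave@example.com", date(2024, 9, 2)),       # not in HR at all
]


@dataclass(frozen=True)
class Finding:
    kind: str    # UNKNOWN_USER | OFFBOARDED | DORMANT | OUTSIDE_ROLE | EXPIRED_EXCEPTION
    app: str
    user: str
    detail: str


def review(roster, role_apps, exceptions, seats, today=TODAY, dormant_after=DORMANT_AFTER):
    """Walk every seat and return the findings an access review must act on."""
    findings = []
    for app, user, last_login in seats:
        person = roster.get(user)
        if person is None:
            findings.append(Finding("UNKNOWN_USER", app, user,
                                    "no HR record; remove or assign an owner"))
            continue
        if person["status"] != "active":
            # Offboarding gap: the checklist missed this seat
            findings.append(Finding("OFFBOARDED", app, user,
                                    f"left {person['left']}, seat still active"))
            continue
        if today - last_login > dormant_after:
            findings.append(Finding("DORMANT", app, user, f"last login {last_login}"))
        if app not in role_apps.get(person["role"], set()):
            expiry = exceptions.get((user, app))
            if expiry is None:
                findings.append(Finding("OUTSIDE_ROLE", app, user,
                                        f"role {person['role']} grants no access and no exception exists"))
            elif expiry < today:
                findings.append(Finding("EXPIRED_EXCEPTION", app, user,
                                        f"exception expired {expiry}"))
    return findings


def deprovision_now(findings):
    """Seats to revoke immediately, grouped per app: offboarded and unknown identities."""
    plan = {}
    for f in findings:
        if f.kind in ("OFFBOARDED", "UNKNOWN_USER"):
            plan.setdefault(f.app, set()).add(f.user)
    return plan


if __name__ == "__main__":
    found = review(ROSTER, ROLE_APPS, EXCEPTIONS, SEATS)
    for f in found:
        print(f"{f.kind:18} {f.app:8} {f.user:20} {f.detail}")
    print("revoke now:", deprovision_now(found))
```

On the constructed data this yields four findings: Bob's unused CI seat (dormant), Bob's CRM seat whose exception expired in August, Carol's design seat that survived her offboarding, and a mail account with no matching employee. Offboarded and unknown identities go straight to the deprovisioning list; dormant seats and expired exceptions go to the app owner for confirmation, since a false positive there costs a day of someone's work, whereas a missed former employee is an open door.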