h2g2 Episode 18: What you don’t know can hurt you

A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders

In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.

There’s plenty of technical advice out there for the security and IT teams who are responsible for delivering cyber security for their organisations. That advice is much thinner for executive leaders, who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.

This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.

Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation. To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.


Episode 18: What you don’t know can hurt you

“I really wish I’d listened to what my mother told me when I was young.”

“Why, what did she tell you?”

“I don’t know, I didn’t listen.”

Douglas Adams, A Hitchhiker’s Guide to the Galaxy

[ Reading time: 10 minutes ]

Hiding in the shadows

In today’s hyper-connected workplaces, digital tools are everywhere. From cloud storage and instant messaging platforms to project management apps and AI-powered productivity assistants, employees are increasingly turning to technology to work faster, smarter, and more collaboratively. But not all of these tools are officially approved or even known about by the organisation’s IT or security teams.

This phenomenon—commonly known as shadow IT—represents a growing cyber security risk. Left unchecked, it can undermine compliance, weaken defences, and expose sensitive data to malicious actors. Yet, it is often driven by good intentions: employees simply want to get their jobs done efficiently.

In this post, we’ll unpack what shadow IT is, the forms it takes, why it occurs, and most importantly, how organisations can prevent it without stifling innovation.

What is Shadow IT?

Shadow IT refers to any hardware, software, application, or service used within an organisation without the explicit approval or oversight of the IT department. It is not inherently malicious—unlike insider threats or external attacks—but its hidden nature creates serious risks.

Common examples include:

  • Cloud storage services (e.g. OneDrive, Dropbox, Google Drive) used for file sharing.
  • Messaging apps (e.g., WhatsApp, Slack, Discord) for team communication.
  • Unlicensed or free software downloaded to perform specific tasks.
  • Personal devices (laptops, tablets, phones) used to access company systems.
  • Rogue SaaS subscriptions purchased on a company credit card without IT review.
  • Low-code/no-code tools or scripts built to automate workflows.

While many of these tools are useful and widely trusted in consumer contexts, their unmonitored use in enterprise settings creates blind spots for IT and security teams.

The Risks of Shadow IT

Shadow IT might seem harmless—after all, it often involves familiar and popular tools—but it poses multiple cyber security risks:

  1. Data Leakage
    Files uploaded to unsanctioned cloud platforms may bypass corporate encryption, monitoring, and access controls. Sensitive information could be stored in servers outside approved jurisdictions, breaching data protection laws.
  2. Regulatory Non-Compliance
    Organisations subject to GDPR, PCI DSS, or sector-specific regulations face penalties if data is processed outside approved systems. Shadow IT often means data is handled without the required safeguards.
  3. Weak Security Configurations
    People rarely configure shadow IT tools with robust security settings. Default passwords, weak authentication, and lack of logging leave systems vulnerable.
  4. Increased Attack Surface
    Every unapproved app or device adds another entry point for attackers. Unpatched software or poorly secured services are prime targets.
  5. Data Fragmentation and Loss of Visibility
    IT teams lose oversight of where data is stored and who has access. This complicates incident response and forensic investigations.
  6. Financial and Operational Risks
    Duplicate or redundant tools drive up costs. Worse, if a shadow IT service suddenly becomes unavailable, business-critical workflows could grind to a halt.

Why Does Shadow IT Occur?

Understanding the drivers behind shadow IT is crucial to tackling it. It rarely stems from negligence—more often, it reflects gaps between what staff and students need and what IT provides.

  1. Productivity and Convenience
    Staff are under pressure to deliver quickly. If official tools are slow, outdated, or cumbersome, they will seek faster alternatives.
  2. Innovation and Autonomy
    Teams experimenting with new ways of working may adopt SaaS apps or collaboration tools without waiting for lengthy IT approval cycles.
  3. Remote and Hybrid Work
    The rise of remote working has blurred the lines between personal and professional devices and accounts. Staff frequently use personal devices to access organisational resources.
  4. Lack of Awareness
    Not all people realise the risks. A marketing team might see no harm in using a free design tool to collaborate on campaign assets, unaware that data is being shared insecurely.
  5. Cultural Gaps
    Where IT is seen as a “gatekeeper” rather than a partner, colleagues may avoid engaging and simply solve problems themselves.

Types of Shadow IT

Shadow IT isn’t one-size-fits-all. Recognising its different forms helps in tailoring responses.

  1. SaaS Shadow IT
    The most common type, involving cloud-based applications adopted without IT approval. Examples: file-sharing apps, CRM systems, project trackers.
  2. Device Shadow IT
    Personal laptops, smartphones, or USB drives used to access corporate systems or store sensitive data.
  3. Infrastructure Shadow IT
    Developers spinning up virtual servers or cloud instances (e.g., AWS, Azure) outside official governance frameworks.
  4. Process Shadow IT
    User-created scripts, macros, or automation tools that alter workflows but lack security review.
  5. Communication Shadow IT
    Use of unauthorised chat apps, video conferencing platforms, or email services for business communication.
  6. AI Tools
    Use of AI tools like ChatGPT, Copilot and Gemini to boost productivity. This use case is sufficiently important to merit an episode of its own, so I’ll explore this in the next episode: “ChatGPT and friends: why careless talk costs”.

Preventing Shadow IT: A Balanced Approach

Shadow IT can’t be eliminated entirely—but it can be managed and reduced. The goal is to strike a balance between security and innovation.

  1. Foster a Culture of Collaboration
    Encourage colleagues to see IT as an enabler, not an obstacle. Establish clear, accessible channels for requesting new tools or services.
  2. Educate Employees
    Awareness training should highlight the risks of shadow IT and demonstrate secure alternatives. Real-world examples of data breaches caused by shadow IT can be powerful.
  3. Provide Better Tools
    If official IT services are clunky or outdated, staff and students will bypass them. Regularly review whether current tools meet business needs and be open to adopting new, secure solutions.
  4. Implement Cloud Access Security Brokers (CASB)
    CASBs monitor cloud application usage and enforce policies around access, data sharing, and compliance. They provide visibility into unauthorised usage of cloud services.
  5. Adopt Zero Trust Principles
    By verifying every device, user, and application before granting access, zero trust reduces the risks posed by shadow IT.
  6. Control the Use of Personal (BYOD) Devices
    Develop clear BYOD (Bring Your Own Device) policies, requiring endpoint security, encryption, and mobile device management (MDM) and application management (MAM) solutions.
  7. Monitor and Audit Regularly
    Use network monitoring, firewall logs, and identity and access management tools to detect unauthorised applications and services.
  8. Balance Governance with Flexibility
    Overly strict policies drive people further into the shadows. Create agile governance frameworks that allow for experimentation while maintaining security oversight.

Turning Shadow IT into an Opportunity

Rather than treating shadow IT solely as a threat, organisations can reframe it as a source of insight. Shadow IT often signals unmet needs: people choose these tools because they improve efficiency or collaboration. By listening, leaders can identify gaps in current systems and adopt secure, approved versions of the tools that people already value.

Some organisations even run “technology amnesty” programmes, inviting staff to disclose shadow IT in exchange for support in regularising or replacing it. Others establish innovation sandboxes, where employees can trial new tools within a secure, monitored environment.

Conclusion

Shadow IT is not going away. As digital tools become ever more accessible, employees will continue to experiment with ways to work smarter and faster. The challenge for organisations is to manage the risks while supporting innovation.

By understanding why shadow IT occurs, recognising its forms, and implementing balanced prevention strategies, you can protect sensitive data, maintain compliance, and even harness shadow IT as a driver of digital transformation.

The key is not to stamp out shadow IT with rigid controls, but to build a culture where security, innovation, and productivity work hand in hand.

A final [deep] thought

In the next episode of A Hitch-Hacker’s Guide to the Galaxy, “ChatGPT and friends: why careless talk costs”, I explore the risks from the use of AI tools like ChatGPT, Copilot and Gemini, and how to ensure that these are used without exposing your organisation to risk.

For now, you can take useful steps forward by checking out your organisation’s asset register:

  • Do you have asset management tools which list the hardware, software and services in use across your organisation?
  • Are your procurement processes sufficiently robust, or can equipment, software and services be purchased without oversight and approval?
  • Are your approval processes agile enough to support innovation?
  • Do you provide a safe environment in which software and systems can be tested?
  • Do you have network scanning tools which can quickly identify and report unauthorised devices?
  • Do you prevent users from installing unauthorised software?
  • Do you have network controls (like 802.1X) in place to prevent unauthorised equipment being connected to your organisation network?
  • How can you establish whether shadow IT is a problem, and work to reduce the risks?
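To make the “monitor and audit” step and the asset-register questions above concrete, here is a small Python script added for this post (it is example code written for illustration, not a tool from this series or its author). It reconciles two sources an IT team usually already holds: proxy or firewall logs, checked against a list of sanctioned cloud services, and DHCP leases, checked against the asset register. The log lines, the sanctioned-domain list, the lease snapshot and the asset register are all constructed sample data, and the domain names in them are illustrative only.

```python
"""Shadow IT triage over constructed sample data: flag cloud services that are
not on the sanctioned list, and devices that are not in the asset register."""
import re
from collections import Counter

# Constructed sample proxy log lines: timestamp, user, destination host, bytes out.
# Illustrative only; these are not real traffic records.
PROXY_LOG = """\
2024-05-01T09:01:12Z alice onedrive.live.com 18432
2024-05-01T09:03:40Z bob files.dropbox.com 5242880
2024-05-01T09:05:02Z carol teams.microsoft.com 2048
2024-05-01T09:07:55Z dave api.example-notes.app 1048576
2024-05-01T09:08:10Z bob files.dropbox.com 3145728
2024-05-01T09:09:33Z erin cdn.discordapp.com 65536
"""

# Constructed allowlist: domain suffixes the organisation has approved.
SANCTIONED_SUFFIXES = {"onedrive.live.com", "microsoft.com", "sharepoint.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def parse_proxy_log(text):
    """Parse whitespace-separated proxy log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def is_sanctioned(host, suffixes=SANCTIONED_SUFFIXES):
    """A host is sanctioned if it equals, or is a subdomain of, an approved suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_unsanctioned_saas(records, min_bytes=0):
    """Summarise traffic to hosts outside the sanctioned list.

    Returns (host, sorted users, total bytes out) tuples, largest upload volume
    first, so the most likely data-leakage channel is at the top of the report.
    """
    users = {}
    total = Counter()
    for rec in records:
        if is_sanctioned(rec["host"]):
            continue
        users.setdefault(rec["host"], set()).add(rec["user"])
        total[rec["host"]] += rec["bytes"]
    out = [(h, sorted(users[h]), total[h]) for h in total if total[h] >= min_bytes]
    return sorted(out, key=lambda x: (-x[2], x[0]))


# Constructed DHCP lease snapshot (MAC, hostname) and asset register (MAC -> asset tag).
DHCP_LEASES = [
    ("aa:bb:cc:00:00:01", "LAPTOP-FIN-01"),
    ("aa:bb:cc:00:00:02", "LAPTOP-HR-04"),
    ("de:ad:be:ef:00:09", "Galaxy-S23"),
    ("aa:bb:cc:00:00:07", "PRN-LIB-02"),
]
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": "FIN-0001",
    "aa:bb:cc:00:00:02": "HR-0004",
    "aa:bb:cc:00:00:07": "LIB-PRN-0002",
}


def find_unknown_devices(leases, register):
    """Return (mac, hostname) for every lease whose MAC is absent from the asset register."""
    return [(mac.lower(), name) for mac, name in leases if mac.lower() not in register]


if __name__ == "__main__":
    for host, who, nbytes in find_unsanctioned_saas(parse_proxy_log(PROXY_LOG)):
        print(f"UNSANCTIONED   {host:24} users={','.join(who):8} bytes_out={nbytes}")
    for mac, name in find_unknown_devices(DHCP_LEASES, ASSET_REGISTER):
        print(f"UNKNOWN-DEVICE {mac} {name}")
```

Run as-is, the report lists the file-sharing, note-taking and chat services that nobody approved, ranked by how much data has gone to them, and the one personal phone that is on the network but not in the register. In practice the allowlist would come from the CASB or procurement records and the register from the asset management tool, and the `min_bytes` threshold keeps one-off visits to a web page from drowning out the services that staff are actually relying on.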
