The looming threat of Shadow IT

By Peter Fidler, President and founding partner of WCA Technologies

As technology continues to move forward at a lightning pace, businesses and organizations must balance the needs of the workers with the safety and protection of the firm’s data.

In many organizations, the firm is responsible for its own data security as well as that of its clients – this is certainly true in the case of those organizations seen as “trusted advisors” – law firms, accounting firms, even IT (Information Technology) providers.

At no time before has this need been more difficult, or more urgent, than right now.

The introduction of Shadow IT

A growing problem that has become unavoidable lately is that of “Shadow IT”.

Shadow IT refers to devices and applications that access – or run on – the corporate network but which are not approved by the IT Department. These may include personal devices, such as computers, laptops, tablets, and smartphones brought onto the corporate network from home, as well as applications – such as chat, messaging, and file-sharing apps – that are not approved.

When devices and applications that access the corporate network are unknown to the IT Department – or outright disapproved by the Department – management is unable to monitor their activities and, in turn, this activity becomes a significant threat to data security and compliance.

Forced to find their own solutions

The ease with which workers today can move from home to office, the speed at which many businesses and offices were forced to decentralize, and the proliferation of increasingly sophisticated devices all contribute to the problem of Shadow IT in an organization.

Often, workers may be unaware of the risk that their personal devices pose when these devices are used in the office or workplace, or when they connect remotely to the corporate network. The current pandemic has only made this situation worse – hundreds of thousands of employees are now relying on their home’s Internet connection (cable service, modem, WiFi router), which was never designed to stand up to the security and compliance regulations that accompany business use. As a result, mission-critical documents, business data, and personally identifiable information are now traveling across unencrypted networks and being accessed by unsecured devices.

In addition to simply being unaware of the risks of Shadow IT, workers – especially those forced into a new environment – will often improvise and find solutions on their own. For example, the organization may use a practice management application to run its day-to-day business in the office, but when thrust into a remote work environment, employees may be unaware of how to utilize that application. Needing quick access to a document or file, a worker may email a copy of that document to themselves instead of retrieving it securely through the practice management application.

Strain on the IT Department

IT Departments are most efficient when they are aware of the business’ needs and able to plan effectively for all scenarios. They are less efficient when they must put out fires and respond to situations that had not been planned for. Research indicates that as much as 50% of an organization’s IT expenditure comes from teams, groups, and business units purchasing and using technology without the IT Department’s knowledge.


  • 63% of employees admit to sending work documents to their personal email account in order to access those documents when working from home;
  • One-third of successful attacks experienced by businesses will be against their Shadow IT resources;
  • 80% of workers admit to using SaaS (software-as-a-service) products of their own choosing on the corporate network.

In fact, it is believed that hundreds of Shadow IT applications are in use on the typical corporate network at any time.


Organizations can learn a lot from examining the Shadow IT devices and applications that their workers are embracing. For one thing, they can discover those areas where the needs of the worker are not being well met by management – or at least, where the workers do not feel their needs are being well met. Is there an opportunity to improve a workflow? Are teams and business units adopting chat applications, project management, video? When these patterns and needs are identified, the organization has an opportunity to provision IT tools that both meet the workers’ needs and conform to proper business compliance standards.

The issue comes down to communication – when the IT Department is made aware of everyone’s needs, it can play the role it is meant to play within an organization: aligning the needs of the business with the safest, most secure technology available.