Business Continuity Planning

Dancing in the Dark: The Hidden Costs of Shadow IT

Richard Long

Published on: September 26, 2025


The use by business departments and employees of outside software solutions, independent of oversight by the IT department, often brings companies significant benefits. It can also jeopardize business continuity, network security, and data protection—unless the tools’ names are gathered and shared and common-sense precautions are implemented.

[Related: The Cloud Is Not a Magic Kingdom: Misconceptions About Cloud-Based IT/DR]

 

The Rise of Shadow IT

Recent developments have made it very easy for departments and employees to independently access outside software and incorporate it into their workflow. This is a rapidly growing trend that has brought significant benefits to many companies.

In most cases, these tools are used without the assistance or knowledge of the BC office or IT department, a situation that has led to their being referred to collectively as shadow IT.

 

Shadow IT can take many forms

It might be as simple as a department subscribing to a software-as-a-service (SaaS) tool, an employee using a banking or research portal, or an engineer referencing a standards database. Alternatively, it could involve a team building data integrations with an outside application or staff experimenting with AI-based tools such as ChatGPT, Copilot, or Gemini.

These services can be tremendously useful. They help teams move quickly, access needed information, or fill gaps in existing systems. 

But as a result of their off-the-books status, they also bring significant risks. Simply put, if BC and IT don’t know about these tools, they can’t take the precautions needed to ensure they can be used safely.

 

Three Categories of Risk

While shadow IT comes in many shapes and sizes, the risks it poses fall into three broad categories.

1. Business Continuity

In most cases, the more people who rely on a given shadow IT solution, the bigger the vulnerability. Because the BC office and IT department are unaware of the tool, it is unlikely that anyone has devised and tested a workaround for use when it goes down. And such services do go down, no matter how big or well-known the provider.

If the standards database, research portal, or AI tool a department relies on experiences an outage, critical functions might grind to a halt, with potentially serious impacts on the organization overall.

2. Data Security

Many users of shadow IT tools find that one of the most convenient things about them is the ability to copy company data into them for processing. Some even grant shadow tools direct access to company databases. This is handy for the individual user and might benefit the department and organization, but from a data security standpoint it is often ill-advised.

Confidential company data can be released or misused through a breach at the provider, or through fine print in the service agreement that permits the provider to share or reuse what is submitted. Such exposures can harm the organization by drawing regulatory penalties, causing reputational damage, or undercutting competitiveness.

3. Network Security

Tools that are connected to company systems or databases add entry points: stored credentials, API tokens, and network paths that an attacker who compromises the tool or its provider can use to reach inside, and through which malware may enter. Such openings are like cuts in the skin through which bacteria can invade. Under the right conditions, even small cuts can lead to infection.

In the same way, modest connections between outside software and company networks can provide attackers with a path inside.

These three risks—continuity, data security, and network security—form the hidden cost of shadow IT. 

 

Bringing Shadow IT into the Light

The good news is, in most cases there is no need for people to stop using their favorite outside software tools, even the ones the BC office and IT department don’t know about. Generally, all that’s needed is for BC and IT to be brought into the loop. 

Learning what solutions people are using allows BC to assess each tool’s criticality and ensure that the needed manual workarounds are created. It allows IT to assess and address the risks to the company’s data and networks. 

 

How to Enjoy the Benefits Without the Risks

So what can the business continuity office do to contain the risks associated with shadow IT? The process comes down to four essential steps:

  • Find Out What Solutions Are Being Used

The first task is to uncover what outside tools are in use. Simply asking people, during the BIA, what applications they use rarely captures the full picture. Employees often overlook the external services they rely on. A common assumption is that such tools are irrelevant to BC or immune to outages because they are cloud-based or come from big-name vendors. We often hear staff say, "We just need internet access," as if the functioning of the service were guaranteed.

The BC team needs to be persistent and creative in probing for off-the-books tools. Work through a long list of such tools to see if any ring a bell. Emphasize that there is nothing wrong with using such tools; you just need to know about them to protect against their possible loss. By probing for these less obvious tools, the BC office can develop a more accurate inventory of all applications and technologies in use, whether or not they are supported or managed by IT.

  • Assess the Criticality of Each Tool

As part of the BIA, establish how critical each shadow tool is to the department’s and organization’s ability to carry out their mission.

  • Seek Manual Workarounds for Critical Tools

For tools deemed critical, ask the department to create a manual workaround that would enable the relevant process to be completed if the tool were unavailable. Over time, those workarounds should be tested to confirm that they work.

  • Share the List of Shadow IT Solutions with IT 

Once the inventory of all solutions is complete, it should be handed off to IT and Information Security. They can examine the list for vulnerabilities, determine whether company data is at risk, and put policies in place to mitigate exposures. This inventory may need to be updated as part of the BC plan update processes. (But don’t wait until the BIA update to gather this information.) 

Taken together, these four steps let organizations enjoy the speed and flexibility that shadow IT provides—without leaving themselves open to unnecessary risk.
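Interviews are the starting point, but IT can corroborate them from data it already has. The following is an added example, not code from the article or from MHA: it assumes the organization has a web proxy that logs one line per request (timestamp, user, department, destination host, bytes sent) and that IT maintains a list of sanctioned SaaS hosts. From that it builds the inventory the steps above call for, separates sanctioned from shadow tools, applies a simple breadth-of-reliance heuristic as a first-pass criticality rating for the BIA, and flags tools into which substantial data is being uploaded so InfoSec can review them first. The log lines, host names, and thresholds are all constructed for illustration.

```python
"""Shadow IT discovery from web-proxy logs (illustrative example).

Assumptions (not from the article): the proxy writes one line per request as
    <ISO timestamp> <user> <department> <destination host> <bytes sent>
and IT keeps a list of sanctioned SaaS hosts. The log below is constructed.
"""
from dataclasses import dataclass, field

# Hosts IT already knows about and manages (constructed for the example).
SANCTIONED = {"mail.example-corp.com", "crm.sanctioned-vendor.com"}

# Traffic that is clearly not a business tool (OS updates, CDNs) would normally
# be filtered by a longer list; one entry stands in for that here.
IGNORE = {"update.os-vendor.example"}

# Total bytes sent to one host above which we assume company data is being
# uploaded and the tool needs a data-security review. Threshold is arbitrary.
UPLOAD_REVIEW_BYTES = 100_000

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2025-09-01T08:01:10Z alice finance crm.sanctioned-vendor.com 1200
2025-09-01T08:02:30Z alice finance app.ledgerbot.example 512000
2025-09-01T08:05:00Z bob finance app.ledgerbot.example 48000
2025-09-01T08:06:12Z carol finance app.ledgerbot.example 910000
2025-09-01T09:10:00Z dave engineering standards.spec-db.example 2048
2025-09-01T09:11:00Z dave engineering chat.ai-assistant.example 300000
2025-09-01T09:12:00Z erin engineering chat.ai-assistant.example 150000
2025-09-01T09:13:00Z frank legal chat.ai-assistant.example 700000
2025-09-01T09:14:00Z frank legal update.os-vendor.example 9000000
2025-09-01T09:15:00Z grace hr mail.example-corp.com 3000
malformed line that should be skipped
"""


@dataclass
class ToolUsage:
    host: str
    users: set = field(default_factory=set)
    departments: set = field(default_factory=set)
    bytes_sent: int = 0
    requests: int = 0

    @property
    def sanctioned(self) -> bool:
        return self.host in SANCTIONED

    @property
    def needs_data_review(self) -> bool:
        return self.bytes_sent >= UPLOAD_REVIEW_BYTES

    def criticality(self) -> str:
        # First-pass heuristic only: the BIA makes the real call. Breadth of
        # reliance (more users, more departments) drives the continuity gap.
        if len(self.users) >= 3 or len(self.departments) >= 2:
            return "high"
        if len(self.users) == 2:
            return "medium"
        return "low"


def parse_log(text: str) -> list[tuple[str, str, str, int]]:
    """Return (user, department, host, bytes) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # malformed: wrong field count or non-numeric byte count
        _ts, user, dept, host, nbytes = parts
        records.append((user, dept, host.lower(), int(nbytes)))
    return records


def build_inventory(records) -> dict[str, ToolUsage]:
    """Aggregate per destination host, dropping ignored infrastructure hosts."""
    inventory: dict[str, ToolUsage] = {}
    for user, dept, host, nbytes in records:
        if host in IGNORE:
            continue
        usage = inventory.setdefault(host, ToolUsage(host))
        usage.users.add(user)
        usage.departments.add(dept)
        usage.bytes_sent += nbytes
        usage.requests += 1
    return inventory


def shadow_tools(inventory: dict[str, ToolUsage]) -> list[ToolUsage]:
    """Unsanctioned hosts, widest reliance first (the BC priority order)."""
    return sorted(
        (u for u in inventory.values() if not u.sanctioned),
        key=lambda u: (-len(u.users), -len(u.departments), u.host),
    )


def report_lines(text: str) -> list[str]:
    """One line per shadow tool: the hand-off list for BC, IT and InfoSec."""
    lines = []
    for u in shadow_tools(build_inventory(parse_log(text))):
        flag = " DATA-REVIEW" if u.needs_data_review else ""
        lines.append(
            f"{u.host}: users={len(u.users)} depts={sorted(u.departments)} "
            f"criticality={u.criticality()}{flag}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_LOG)))
```

The output is a starting list, not a verdict: a host with many users and multiple departments is a candidate for a tested manual workaround, and a host with a large upload volume is the one InfoSec should read the service agreement for first. Hosts that the interview uncovered but the proxy never saw (for example, tools used only from personal devices) still belong in the inventory.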

 

From Shadows to Safeguards

Fueled by the ease with which employees can adopt outside software, shadow IT is growing fast. These tools often boost efficiency and fill gaps, but their hidden nature means they also introduce risks to business continuity, data security, and networks.

The solution isn’t to ban these tools but to bring them into the light. By uncovering the unofficial solutions in use, assessing their criticality, pressing for departmental workarounds, and sharing the list with IT and InfoSec, organizations can safeguard themselves while still enjoying the benefits.

If you’d like to learn how your organization can manage shadow IT without losing the flexibility it offers, contact MHA today. Our consultants can help you identify hidden risks, strengthen your continuity planning, and build a more resilient future.

 
