How widespread is shadow IT in your organisation? There may be more than you realise and it’s on the increase. We look at what it’s telling you, the risks it poses, and what you should do to combat it.
Shadow IT is surprisingly prevalent, and it’s increasing, with the UK mirroring international trends. IT analysts Gartner predict that ‘75% of employees will acquire, modify or create technology outside IT’s visibility’ by 2027 [1], up from 41% in 2022.
The Government’s National Cyber Security Centre defines shadow IT as ‘the unknown assets that are used within an organisation for business purposes’ [2]. It’s easy to dismissively think in terms of low-level subversion, but Microsoft uses a much broader definition: ‘Shadow IT is the set of applications, services, and infrastructure that are developed and managed outside of defined company standards’ [3]. This hints at rebellion!
What Shadow IT Really Tells You
Subversion and rebellion reflect unmet needs.
If employees are seeking their own technology solutions, it suggests failings with the official set-up. We’ll consider the causes below but first let’s think about the problems back door IT could be causing you.
The Risks of Shadow IT
Shadow IT introduces significant risks to an organisation. When data is held in places IT can’t access, it makes it difficult to enforce policies, maintain audit trails, or respond quickly to incidents.
It can also cause operational inefficiencies and add to overall costs. It duplicates resources, with different tools doing the same things, fragments workflows, undermines collaboration, and increases costs through unmanaged subscriptions. At an individual level it causes confusion, with staff unsure which tools are sanctioned. For the IT team it complicates troubleshooting and integration with core systems.
Worse, unsanctioned apps and devices are not protected or monitored by official cybersecurity measures, which increases the risk of malware infections and exploitation by threat actors. Where sensitive information is stored or transmitted outside approved means, there is also an increased risk of data loss or leakage. Alongside this, use of unauthorised IT will be a regulatory or compliance failure and could incur penalties or fines. Depending on your operations, that might include things like GDPR or PCI DSS.
Why the Increase in Shadow IT?
There are many reasons why we’re seeing an increase in shadow IT, and the causal factors vary from organisation to organisation and perpetrator to perpetrator.
Often there is dissatisfaction with the existing technology tools – both inside IT and amongst employees. The official tools are, or are seen to be, outdated, lacking necessary features, or poorly aligned to specific workflow needs. The irony is that, with its constant development, Microsoft 365 is already well-equipped to elegantly meet most of your employees’ unmet needs, with new apps, like Viva, adding to these capabilities. Partly this is an issue of perception. For example, many still see SharePoint as the clunky tool it once was, rather than the modern, engaging, and user-friendly platform it has become. But there is also a lack of awareness of Microsoft’s true capabilities – not aided by its approach of improving products through a stream of incremental improvements. So, IT are not using already licensed tools and/or employees are not requesting access.
The result is employees pursuing their own solutions. The widespread availability of easy-to-use, low-cost cloud applications makes it easy for employees to adopt new tools. If internal processes allow IT purchases without IT approval, then individuals and departments may bypass IT altogether. We see similar issues occurring when insufficient provisioning governance allows new SharePoint sites or channels to be created at will.
Conversely, too much control can also be a problem, with slow or bureaucratic IT approval processes prompting employees to seek solutions elsewhere, especially if they’re under time pressure.
Additionally, individuals and departments circumvent IT because of a desire for autonomy, internal politics, or a poor understanding of IT’s vision and standards. Employees may not be fully aware of IT policies or the risks of using unapproved tools. There may also be poor communication between IT and business units about available solutions and processes.
Combatting Shadow IT Without Alienation
We’ve already hinted at some of the actions you might take to combat the spread of shadow IT.
Start with a discovery exercise, to understand the scale of the problem. Automated tools, like Microsoft Defender for Cloud Apps [4], can help you to identify unauthorised applications, services, and devices. This is unlikely to be a one-time exercise, so support this with ongoing monitoring for the appearance of new apps.
Once you know what you’re dealing with, evaluate the risks associated with each. Consider data access, compliance, and security risks to determine whether it should be sanctioned, restricted, or removed.
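The discover, monitor, and evaluate loop described above can be prototyped from egress proxy logs before a dedicated tool is in place. The following is an added example, not code from this article, Silicon Reef, or Microsoft; the log format, host names, allow-list, baseline, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: "user destination_host bytes_uploaded" per line.
SAMPLE_LOG = """\
alice files.example-share.test 52000000
bob files.example-share.test 1200000
carol notes.example-pad.test 4000
alice tenant.sharepoint.example 900000
dave chat.example-msg.test 300
this line is malformed
"""
SANCTIONED = {"tenant.sharepoint.example"}   # assumed allow-list of approved services
SEEN_LAST_RUN = {"notes.example-pad.test"}   # assumed baseline from the previous run

def discover(log_text, sanctioned):
    """Aggregate unsanctioned destinations: distinct users and total upload volume."""
    apps = defaultdict(lambda: {"users": set(), "upload": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records instead of aborting the run
        user, host, sent = parts[0], parts[1].lower(), int(parts[2])
        if host not in sanctioned:
            apps[host]["users"].add(user)
            apps[host]["upload"] += sent
    return apps

def triage(apps, seen_before, upload_limit=10_000_000):
    """Queue each app for review; the thresholds are illustrative, not policy."""
    report = {}
    for host, stats in apps.items():
        if stats["upload"] >= upload_limit:
            action = "restrict pending review"    # bulk data leaving approved storage
        elif len(stats["users"]) >= 2:
            action = "evaluate for sanctioning"   # shared adoption suggests an unmet need
        else:
            action = "monitor"
        report[host] = {"action": action, "new": host not in seen_before,
                        "users": len(stats["users"]), "upload": stats["upload"]}
    return report

if __name__ == "__main__":
    findings = triage(discover(SAMPLE_LOG, SANCTIONED), SEEN_LAST_RUN)
    for host, row in sorted(findings.items()):
        print(host, row)
```

Saving each run's host set as the next run's baseline turns the one-off discovery into the ongoing monitoring the paragraph above calls for.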
However, don’t think just in terms of control. This exercise will also help you to understand ‘unmet’ needs. When we discuss this with clients, we usually find that there’s a mix of things going on. An existing technology, like SharePoint, may need a makeover to increase its appeal and usability, while other needs may easily be met by releasing, or better communicating the existence of, capabilities that already exist within Microsoft 365. There can also be a tendency for hard-pressed IT teams to say ‘no’ because it’s easier than learning and implementing new tools like Viva Engage or Viva Connections. Sometimes there can also be some fear of the unknown involved.
Ensure that there is a clear digital front door, like a SharePoint portal or intranet, or Viva Connections dashboard. The key is to stay ahead of employee needs by proactively providing user-friendly solutions that align with workflow needs – reducing the need for unofficial workarounds.
Communication has a vital role to play too. If you provide people with good tools, they know about them, and they’re easy to access, most will use them. This may mean improving onboarding and training. It may also mean communicating clear guidelines for technology use, including acceptable applications, device registration, and consequences for policy violations, as well as educating employees on the importance of security and the risks of shadow IT.
If this is starting to sound a little arduous, don’t despair. Typically, there are a lot of quick and easy wins to be found. For example, our Beacon tool provides direct and seamless access to essential tools from your intranet homepage, or SharePoint app bar.
You won’t anticipate every need, so encourage open communication with business units, so employees are comfortable raising problems and proposing new solutions. Also consider whether you need to streamline IT approval processes to stop people going rogue. Read how we helped one client to set up self-service provisioning for new SharePoint sites, Teams, and M365 Groups.
Final Thoughts: Empowerment Over Enforcement
Shadow IT shows that people want to work better. Your challenge is to provide appealing and effective tools that also meet the security and compliance needs of your organisation. First understand your challenge, through a discovery exercise, and then talk to Silicon Reef. We can help you to eliminate much of the need for shadow IT by providing an appealing digital workplace that enables and empowers.