Companies spend a lot of money on purchasing computer equipment. Hardware purchases include both end-user devices such as laptops, desktops, and mobile phones, and other computer hardware such as servers and networking equipment. Companies can also spend huge sums of money on software to run on the hardware. Collectively, these are official infrastructure, as the company has approved their use for business purposes.
Shadow IT is the name for unofficial infrastructure, where people have started using unapproved devices, software, or cloud services. Shadow infrastructure doesn’t necessarily even need to have a business use. For example, if a company bans BYOD (Bring Your Own Device) and an employee connects their personal mobile phone to the corporate network, that still counts as shadow IT. This is because the device is connected to a company network, from where it could spread malware and the like if it had been compromised.
Unapproved software is also classed as shadow IT. As the software will be running on company computers, it could negatively affect the performance or security of the devices or networks. The main risks of unapproved software are that it is not kept updated or that the user obtains an unofficial, malware-laden copy.
Cloud IT services are a relatively recent part of shadow IT and can be used to process data. The problem is that these services may fall outside of the company’s legal duty to protect the data and not transfer it to other companies. Unapproved cloud services are also significantly less likely to go through a proper hardening process, making them more likely to be vulnerable to hacking attempts.
Shadow IT is not an easy risk to prepare for and handle because, by definition, the exact issues and the risks they pose are unknown. The only way to prepare for them is to create procedures and plans and to have clear consequences for breaking the rules. It’s also particularly important to ensure that the official procedures for requesting equipment and the like are easy to use, as this reduces the chance of employees resorting to doing something they shouldn’t because it’s easier.