Tech Talk Roundtable 07-05 | Shadow IT


Picture this: it’s the middle of the night and you are thinking about how to make tomorrow’s lesson more engaging. You turn to the internet and search through endless lesson ideas and you find that perfect gem, that perfect idea. All you need to do is download a new application from the internet or the App Store. You download it and start using it with your kids. Kids have to go in and create an account. It took two minutes because they used their Google or Office365 authentication credentials and they are off and running. Awesome, right? Well … today’s episode is all about all those little apps, software downloads and hardware that make your IT department’s blood pressure rise. It is called Shadow IT.

Lessons Learned

Dennis – I will make the world’s worst Secret Santa

Daniel – VLC for Mobile is awesome – Share video files over IP address and create playlists.

Chris – Recording feedback is faster than writing feedback, and the kids actually listen!


Fun Fact

A standard “trick” used by telephone tech support people in the 1990’s was to tell you to defrag your hard drive.  This gave them up to an hour of time to stall until they could come up with an actual solution to your problem.


Notes & Links

Shadow IT is the term for hardware, software and applications acquired by an organization’s users without going through the IT department.   Gartner Research says 40% of all IT spending at a company occurs outside the IT department.


  1. Make Sure to Vet Educational Apps
    1. Teachers don’t think they can get the apps they need through official channels in a timely manner.
      1. Strategy: districts can perform their own vetting of in-demand applications. This can be as simple as ensuring the apps come from a reputable source and offer reasonable security and privacy protections for user data.
  2. Educate Users on Shadow IT Risks
    1. An attacker could create a fake application or add hidden, malicious functionality to a good application. When users install the app, they inadvertently install malware on their device. Now the attacker has full access to the users’ data and devices, and can use that access to attack and compromise other district systems.
    2. It’s hard to get buy-in on security and privacy risks
      1. There’s no way the district can be responsible for supporting every product and service people find on their own.
  3. Enforce Network Access Restrictions
    1. One option is to configure network security technologies to prevent the use of selected shadow IT cloud-based services.
      1. Solution: It’s also possible to restrict local apps on devices issued by the school district. For example, mobile devices can be set up to download software only from app stores the district has approved.
  4. Use Security Controls to Monitor for Threats
    1. Monitor web traffic, email and other forms of communication to stop users from accessing malicious websites, domains and other internet-based resources.



Besides security risks, some of the implications of Shadow IT are:


  • Wasted time: Shadow IT adds hidden costs to organizations, consisting largely of non-IT workers in finance, marketing, HR, etc., who spend a significant amount of time discussing and re-checking the validity of certain data, setting up and managing systems and software without experience.
  • Inconsistent business logic: If a ‘shadow IT’ spreadsheet application encapsulates its own definitions and calculations, it is likely that over time inconsistencies will arise from the accumulation of small differences from one version to another and from one group to another, as spreadsheets are often copied and modified. In addition, many errors that occur from either lack of understanding of the concepts or incorrect use of the spreadsheet frequently go undetected due to a lack of rigorous testing and version control.
  • Inconsistent approach: Even when the definitions and formulas are correct, the methodology for doing analysis can be distorted by the arrangement and flow of linked spreadsheets, or the process itself can be wrong.
  • Wasted investment: Shadow IT applications sometimes prevent full Return on investment (ROI) from investments in systems that are designed to perform the functions now replaced by Shadow IT. This is often seen in Data warehousing (DW) and Business informatics (BI) projects, which are initiated with good intentions, where the broader and consistent usage of DW and BI in the organization never really starts off. This can also be caused by management failure to anticipate deployment, licensing and system capacity costs when attempting to deliver DW & BI solutions. Adopting an internal cost model that forces potential new users of the DW/BI system to choose cheaper (shadow) alternatives also plays a part in preventing successful enterprise implementation.
  • Inefficiencies: Shadow IT can be a barrier to innovation by blocking the establishment of more efficient work processes. Additional performance bottlenecks and new single points of failure may be introduced when Shadow IT systems layer on top of existing systems. Data might be exported from a shared system to a spreadsheet to perform the critical tasks or analysis.
  • Higher risk of data loss or leaks: Shadow IT data backup procedures may not be provided or audited. Personnel and contractors in Shadow IT operations may not be put through normal education, procedures or vetting processes. Originators of Shadow IT systems may leave the organization, often leaving with proprietary data or leaving behind complicated systems the remainder of staff cannot manage.
  • Barrier to enhancement: Shadow IT can act as a brake on the adoption of new technology. Because IT artifacts, e.g., spreadsheets, are deployed to fill critical needs, they must be replaced carefully. But lacking adequate documentation, controls and standards, that process is slow and error-prone.
  • Organizational dysfunction: Shadow IT creates a dysfunctional environment leading to animosity between IT and non-IT related groups within an organization. Improper motivations behind Shadow IT efforts such as seeking job-security (i.e., “Bob is the only person with this data,” or “What will happen if he leaves?”), data hoarding, self-promotion, favor trading, etc. can lead to significant management issues. A 2015 survey of over 400 global CIOs showed 90% of CIOs worldwide find themselves by-passed by line of business at least sometimes. One third (31%) of CIOs globally are routinely side-lined when it comes to making IT purchasing decisions.
  • Effect on IT Departments: According to Gartner, by 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the IT department’s budget.



Examples of these unofficial data flows include USB flash drives or other portable data storage devices, MSN Messenger or other online messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing and Skype or other online VOIP software—and other less straightforward products: self-developed Access databases and self-developed Excel spreadsheets and macros. Security risks arise when data or applications move outside protected systems, networks, physical location, or security domains.


A 2012 French survey [5] of 129 IT managers revealed some examples of shadow IT:

  • Excel macro 19%
  • software 17%
  • cloud solutions 16%
  • ERP 12%
  • BI systems 9%
  • Websites 8%
  • hardware 6%
  • VoIP 5%
  • shadow IT support 5%
  • shadow IT project 3%
  • BYOD 3%.

Another form of shadow IT comes by way of OAuth connected applications, where a user authorizes access to a third-party application via a sanctioned application. For example, the user can use their Facebook credentials to log into Spotify or another 3rd party application via their corporate cloud app (Google G Suite or Microsoft Office 365). With this access, the 3rd party app may have excessive access to the sanctioned app, thereby introducing unintended risk.
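To make the OAuth point concrete, here is an added example (not from the show or its linked articles) of how an IT team might audit an export of third-party app grants and surface unapproved apps that hold broad scopes. The CSV column names, app names, allow-list and the choice of which scopes count as high risk are all assumptions made for this sketch.

```python
import csv
import io
from collections import defaultdict

# Real Google OAuth scope strings; treating these four as "high risk" is this
# example's assumption, not a vendor rating.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Constructed sample export: one row per (user, app) grant. Column names and
# app names are hypothetical; map them to whatever your admin export uses.
SAMPLE_GRANTS = """user,app,scopes
t.lee@district.example,QuizWhiz,openid https://www.googleapis.com/auth/userinfo.email
s.kim@district.example,QuizWhiz,openid https://www.googleapis.com/auth/userinfo.email
t.lee@district.example,FlashDeck,https://www.googleapis.com/auth/drive https://mail.google.com/
a.roy@district.example,FlashDeck,https://www.googleapis.com/auth/drive
a.roy@district.example,GradeSync,https://www.googleapis.com/auth/drive
"""

APPROVED_APPS = {"GradeSync"}  # hypothetical district allow-list

def audit_grants(csv_text, approved=APPROVED_APPS):
    """Return unapproved apps, riskiest first, with users and risky scopes."""
    users = defaultdict(set)
    scopes = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["app"].strip()
        users[app].add(row["user"].strip().lower())
        scopes[app].update(row["scopes"].split())
    findings = []
    for app in users:
        if app in approved:
            continue  # already vetted through the official channel
        risky = sorted(scopes[app] & HIGH_RISK_SCOPES)
        findings.append({"app": app, "users": sorted(users[app]),
                         "risky_scopes": risky,
                         "action": "review" if risky else "vet"})
    # Apps holding risky scopes first, then by number of affected users.
    findings.sort(key=lambda f: (-len(f["risky_scopes"]), -len(f["users"]), f["app"]))
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f["action"], f["app"], len(f["users"]), "users", f["risky_scopes"])
```

Apps marked "vet" only ask for sign-in identity and can go through the normal vetting queue; apps marked "review" can read mail or files and deserve a look before more users connect them.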



4 Tips for Controlling Shadow IT

2016 Shadow Data Report

Android Warning: Devious Malware Found Inside 34 Apps Already Installed By 100M+ Users



About miles.mei

Multimedia Specialist
