November 17, 2023

9 Shadow IT Risks (And How to Avoid Them)

Security & Compliance

There’s no point triple locking your door if you leave a window wide open. Here’s 9 eye-watering shadow IT risks to beware of—and how to mitigate them.

Pablo Cancio

There’s no point triple locking your front door if you leave a ground floor window wide open. 

Similarly, your efforts to choose company software with robust security features will go to waste if you don’t also get a handle on shadow IT. That is, the phenomenon of employees using unauthorized software of their own choosing, instead of requesting tools through central channels. 

According to Cledara’s recent study, the prevalence of shadow IT in business is shockingly high. In fact, it makes up 65% of all software usage during working hours. Here are 9 reasons that are a cause for concern—and what you can do to mitigate the danger to your business.

9 Shadow IT Risks

When your team chooses their own tools without supervision, these are the dangers your company is exposed to. Here are nine risks you should be aware of.

1. Risk of data breaches

When employees keep company data on nonstandard tech, your IT team has no way of securing it against breaches. They can’t implement two-factor authentication, control who has access to it, or check that it has sufficient security features in the first place. What’s more, employees risk breaches when they transfer data between sanctioned and unsanctioned tools—especially if that data isn’t encrypted, or is sent over insecure networks.

Unfortunately, plenty of cautionary tales testify to this. In 2021, Insight Global, a company contracted to manage Pennsylvania’s COVID-19 tracing efforts, faced a data breach that compromised the personal information of around 70,000 people. Why? A handful of team members set up Google accounts to share information—an ‘unauthorized collaboration channel’, leaving the data exposed to third parties.

2. Risk of external attacks

Beyond data simply becoming exposed, shadow IT also increases the risk of successful strikes by cyber attackers. Every piece of unauthorized tech your team uses is a chink in the armor, ready to be exploited.

By Gartner’s estimations, one-third of successful attacks on enterprises are on data located in shadow IT resources. Unauthorized applications don’t undergo the same rigorous security checks your authorized ones do—and could easily become vectors for malware or phishing scams.

3. Risk of information silos

Not all of the risks of shadow IT involve external threats. The use of nonstandard tools can also create problems closer to home. When different teams use, for example, different project management software, it becomes far harder for them to share information with each other.

When projects are only recorded in shadow tools, they lack internal visibility. This can mean different teams repeat the same work, or that employees take business decisions based on incomplete information. This isn’t just inefficient—it can also corrode company culture. Employees may become frustrated with each other, leading to unnecessary interpersonal conflict. 

When information is siloed rather than shared, employees may lose sight of the fact that they’re all on the same team, working towards the same business goals.

4. Risk of data loss or damage

When employees take it upon themselves to introduce unauthorized tools, the data they put into those tools leaves the company’s sphere of control. Whatever checks and balances you might apply to information held in a central source of truth are no longer being applied.

If an employee edits a record held in a shadow IT tool, there’s no way of knowing whether that change is an update or a mistake. This can have serious consequences—in the case of medical records, for example, changing a single line can affect whether a patient gets the appropriate treatment or not.

What’s more, if that employee leaves the company, the choice of whether to pass on access to this shadow tool is entirely at their discretion. They may never get round to it, rendering essential data unrecoverable.

5. Risk of non-compliance fines

Even if—against all odds—the actual use of shadow IT doesn’t negatively impact your business, getting caught using it still might. Many countries now have data protection laws, and are not shy about hitting rulebreakers with fines. If you’re doing business in Europe, you must obey GDPR laws; if you’re operating in the US, you must comply with an ever-evolving patchwork of state-level regulation. Lose control of your data to shadow tools, and it may be difficult to even scope out which laws you’re violating. 

This is doubly true for highly regulated industries like healthcare and finance, where sector-specific laws apply—for example in the US, the Health Insurance Portability and Accountability Act (HIPAA) governs medical information, and the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their data-sharing practices. 

Finally, if your business holds a SOC 2 or ISO 27001 certificate—recognized industry standards for information security and data protection—shadow IT puts that at risk. Alarmingly, our recent study revealed that companies who claim compliance with one or both of these frameworks actually use 35% more shadow IT than average. Unauthorized tech could easily cause a company to fail its audit, and forfeit their hard-won security certificates—as well as the credibility that comes with them.

6. Risk of overspending

Shadow IT is a thrifty IT department’s nightmare. How can you reduce software costs if you don’t know what you’re spending? When tools aren’t purchased through a central channel, the money to pay for them comes from places other than the software budget—cards allocated to different teams or project managers. Your company could be paying to access different tools with overlapping functionality, or for seats that are no longer being used—you’d never know.

In fact, Gartner estimates that 30% of software spend worldwide is allocated to unused and duplicated tools. Spend that doesn’t yield any returns and could be avoided.

What’s more, when IT is purchased in the shadows, there’s no accountability to make sure it gets used. Employees could register for subscriptions, forget about them, and keep those costs rolling unchecked for months. The chances of this increase when employees leave the company or change departments.

The good news is that if you’ve got a problem with shadow IT, clamping down on it will probably come with a huge financial reward.

7. Productivity risk

Shadow IT makes it very hard for the IT team to put the right software tools in front of the right people. You can't give access to tools you don't know exist, nor train new joiners to use them effectively.

In addition, it’s very rare to find shadow IT that’s connected to your main systems. This lack of data flow is detrimental to productivity. For example, a sales representative might pull contacts for a sales campaign from tools that are not connected to your CRM. This can result in sales emailing current customers, or prospects in existing deals that are already being worked by fellow sales colleagues.

8. Risk of damaging your reputation

A data breach isn’t a good look on anyone. If your company falls foul of a security-related danger of shadow IT, its reputation is also at stake. Your business may make headlines for cutting corners and neglecting its duty of care to customers.

This is especially true if the incident reveals your level of software insecurity broke the law—or flouted the rules of a security certificate you used to market your services.

9. Risk of extra IT workload

Finally, shadow IT can increase your IT department’s workload. Shadow IT is often only revealed to central software buyers when it starts to cause problems. For example, when teams decide to collaborate and realize they’re using incompatible unauthorized tools, they might ask the IT department to step in and untangle the mess.

IT must find the best solution to system incompatibilities, and decide which of the two tools should take precedence. They must then manage the safe transfer of data from the tool that’s not chosen, and onboard new members onto the preferred one. These data migration tasks often come ad hoc and loaded with time pressure. It’s far more efficient for software to be procured centrally from the beginning.

What’s the solution to the shadow IT issue?

There are two potential solutions to the problem of shadow IT. However, only one of them can be implemented overnight.

The first solution—the long game—is bringing about a culture shift in your company. The real reason employees don’t request software through official channels is that they don’t feel it’s necessary. The vast majority of the time, employees believe they’re acting in the business’s interests to start using new tools quickly. The responsibility for a culture that allows shadow IT is diffused across a company, so challenging it means changing employees' attitudes en masse with education and encouragement. 

The second solution—something you can action immediately—is to install SaaS management software on your employees’ hardware. With a tool like Cledara, you’ll gain visibility over the tools your employees use and how much time they spend on them, leaving no space for shadow IT to hide (whilst, of course, respecting your team’s privacy by capturing minimal information). 

You’ll also be able to centralize your subscriptions, and upgrade, monitor, or cancel software accounts from one simple interface. In a world where over 30% of software spend is wasted, businesses find the solution pays for itself.
Turning a blind eye to shadow IT is, as we’ve seen, a very dangerous game. Yet paradoxically, teammates often adopt unauthorized tools for motivations you might otherwise hope to encourage—in an effort to work more efficiently, or boost productivity. 

Employees value being able to choose their software themselves and pick new tools up quickly. Any effort to reduce shadow IT should keep this in mind. As one possible solution, Cledara can streamline your SaaS buying, making it far quicker for your IT team to validate and subscribe to new tools. 

Whichever way you seek to tackle shadow IT, remember to try and work with your teams’ desire for software self-determination—and not against it!
