Editor’s Note: Steve Cobb is Chief Information Security Officer (CISO) for One Source, a Greenville, N.C.-based managed services provider (MSP).  The company was among those nominated for an award from NC TECH.  Cobb possesses more than 25 years of business IT leadership on strategic deployment of IT infrastructure, cybersecurity, incident response, and cyber threat intelligence.  This article is exclusively published on WRAL TechWire and follows a WRAL TechWire article published earlier this year.


GREENVILLE – As digital transformation accelerated during the COVID-19 pandemic, many companies saw increasing tension between maintaining control over IT assets and policies and giving employees more flexibility amid a changing work environment.

Many adopted new applications to accommodate remote workforces and streamline operations, causing IT environments to become increasingly decentralized. This proved effective in managing pandemic-related challenges, but in many instances it widened the gap between business units and the IT department known as “shadow IT.”

The intentions behind shadow IT can be positive, and usually stem from the desire to ensure operational teams are solving their own problems to serve their customers and make employees’ jobs easier. However, if left unchecked, over time it can become a cybersecurity, operational and financial burden.

As companies navigate the evolving IT landscape, here are a few steps to help identify and manage shadow IT.

Sorting the pieces

One of the inherent risks that comes from shadow IT is the increasing likelihood of uncontrolled data flow, which can lead to a host of security and compliance issues. Because of these risks, Gartner has previously estimated that by 2020, a third of successful attacks experienced by enterprises would be on their shadow IT resources.

To help combat these dangers, businesses must gain a better picture of their whole technology environment. Revealing shadow IT may unintentionally trigger budgetary and political tension within an organization. This is often a reaction to reducing necessary expenses and containing cyber risks. Of course, companies can only improve what they can see.

1. Audit + discover

Discovering shadow IT can be a daunting task that is often met with great reluctance, but it can save an organization money in the long run.

Businesses can start by going directly to employees and inquiring about technologies or services they use for their day-to-day tasks.

These initial conversations may help identify any unsanctioned technologies and understand why employees use them.

It can also be helpful to follow the money trail—analyzing statements from the accounting department to decipher where decentralized spending might be happening.

2. Manage

Once they identify shadow IT issues, businesses need to determine if the technology and expense will be managed by the business unit or by the IT department.

Interviews should be conducted with a cross-section of users to find out why they are using unauthorized personal devices, software, or cloud services in their workplace.

If it’s decided that the technology will be kept with the business unit, that unit will be responsible for the expense and for managing the technology in alignment with the IT department, which now has visibility.

3. Create controls and policy

Businesses should implement controls, both technical and policy-based, to address shadow IT problems once identified. Policy enforcement is key – however, the more policies a company has, and the more complex they are, the more time and energy it will take to enforce them properly. This means that the key to effective policy enforcement is to implement the minimum number of simple, easy-to-manage policies needed to meet the objective.

It is imperative for IT teams to create best practices for how employees should use external products, and policies should be implemented before deploying new technology. Educating employees on approved and already available solutions can also help them make better decisions around the software and services they need to be productive.

A strong connection

Shadow IT brings the danger of the unknown. And if each department keeps adding technologies or services without IT’s knowledge, this will leave a company more and more exposed. Decentralization causes a greater lack of visibility into what assets are owned, what applications are being accessed and what connectivity services are in or out of contract.

While shadow IT can be a complex challenge to address, there are resources that NC companies can use to overcome the issue and the decentralization caused by the digital transition. Working with an experienced managed service partner (MSP) can help IT teams take on the process of getting an accurate snapshot of their own technology environment—instilling the tools needed to automate the tech landscape through integrations with HR, operations and finance teams.

Whether businesses have internal resources to handle shadow IT or work with a service partner, it’s a timely topic to consider now as IT teams build strategies looking past the pandemic. As digital transformation continues, companies can rest easier knowing what’s in the shadow can be brought to light.