Opportunities and risks of shadow IT

During the pandemic, many companies ignored the risks of shadow IT, especially for those using VPNs.

Lately, the issue of shadow IT – using apps, devices, and services without approval from the company's IT department – has been somewhat overlooked. However, if shadow IT has security flaws and cybercriminals exploit it to spread malware, it can become a nightmare for IT professionals.

Why employees are increasingly turning to shadow IT

The problem is still unresolved, despite differing opinions from some observers. For instance, Gartner, a market research company, anticipates a significant increase in the number of unauthorized solutions within companies in the coming years. In 2022, 41% of employees in companies had already obtained, modified, or developed technologies that were outside the control of their IT departments. By 2027, Gartner predicts that this figure will rise even further to around 75%, highlighting the urgent need for action.

Gartner recommends that companies shift their focus from the usual emphasis on technology and automation to paying more attention to their employees. This shift is crucial for influencing their decision-making and ensuring they have the required knowledge to act responsibly. Redesigning cybersecurity models used by companies is essential for the forthcoming changes, underlining the importance of this shift.

Advantages and disadvantages of shadow IT

Shadow IT isn't necessarily a negative trend. For instance, last year, Capterra, an online marketplace for enterprise software, conducted a study with over 300 IT managers in small and medium-sized companies to delve deeper into the impact of shadow IT in these organizations.

Capterra employee Olivia Montgomery notes in her evaluation of the findings that shadow IT often presents a threat to a company's IT security. However, it can also generate valuable opportunities, from employees downloading and using a video conferencing tool without the IT department's knowledge to the development and use of custom databases containing customer data that haven't been officially authorized.

The majority of respondents, specifically 98%, believe that their company's use of shadow IT will lead to long-term benefits. According to 54% of IT managers, employee satisfaction has increased as a result, while 51% have reported time savings and roughly 80% have experienced positive financial effects.

However, there are many short-term drawbacks, with 89% of respondents mentioning additional costs or the need to purchase replacement solutions. An astounding 91% of the same group expressed dissatisfaction with the high level of effort required to integrate unauthorized solutions into the official IT infrastructure. Additionally, over three-quarters of respondents (76%) stated that shadow IT has created medium to severe security risks. This is the sticking point for many observers.

Shadow IT poses serious risks from a security point of view:

  • Lack of control over security updates: If the IT department lacks access to applications, devices, or services, it cannot guarantee the timely installation of security patches. This rapidly creates new, sometimes serious security vulnerabilities that enable hackers or malware to exploit internal systems.
  • Unauthorized access to confidential data: Many employees use unauthorized devices or applications to access confidential data. As a result, the IT department loses control over what happens to this sensitive data. In addition to unauthorized access, there is also the risk of undetected manipulation of business data.

This highlights how the presence of shadow IT makes it more challenging for companies to comply with regulatory requirements. This is particularly relevant for companies whose employees access internal resources remotely through virtual private networks (VPNs). This often occurred at the start of the pandemic, when employees used their own devices because approved hardware and software were not available.

How virtual private networks secure shadow IT

VPN solutions need to meet essential requirements to protect companies from the risk of shadow IT. They must provide more than just maximum security for data transmission. VPN solutions should also be able to integrate remote applications, devices, and services into the company's security strategy through endpoint policy controls. This necessitates not only central management but also convenient configuration options.

Secure Enterprise Management, developed by NCP, takes care of software and configuration updates, user, license, and certificate management, as well as fully automated user login.

Fully automated identity management for mobile users can be introduced through direct integration with most existing directory services such as LDAP or Active Directory. Parameter locks and configuration profiles also minimize security risks that could be caused by end users.

Further benefits:

  • Two-factor authentication with one-time passwords (OTPs)
  • Integrated RADIUS server
  • Policy enforcement
  • Network access control (NAC)

Client software must be installed on employee devices to access the network. The software checks compliance with the security policies and can deny remote access to central servers if an issue is detected. It can also check the versions of the operating system, VPN client, and other software. Endpoint security checks also verify that up-to-date antivirus software and the required certificates are installed.

If these policy checks are not satisfactorily fulfilled, access to the company’s network may be restricted or blocked. This significantly reduces the risk associated with shadow IT. Features such as the optional "Home Zone", in which employees can use their own printers without violating security regulations, also provide additional convenience.
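The endpoint policy check described above can be sketched as follows. This is an added example, not NCP code: the policy fields, thresholds, certificate subject and the split between "restrict" and "block" outcomes are all assumptions chosen for illustration.

```python
from datetime import date

# Hypothetical policy; names and thresholds are assumptions, not NCP settings.
POLICY = {
    "min_os": {"windows": "10.0.19045", "macos": "13.6"},
    "min_vpn_client": "13.10",
    "max_av_signature_age_days": 3,
    "required_cert_subjects": {"CN=Example Corp Device CA"},
}

def parse_version(text):
    """Turn '10.0.19045' into (10, 0, 19045) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def version_ok(reported, minimum):
    a, b = parse_version(reported), parse_version(minimum)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))  # treat '13' as '13.0'
    return pad(a) >= pad(b)

# 'today' is fixed to a constructed date so the sample result is reproducible.
def evaluate(posture, policy=POLICY, today=date(2024, 6, 10)):
    """Return (decision, reasons); decision is 'allow', 'restrict' or 'block'."""
    block, restrict = [], []
    min_os = policy["min_os"].get(posture.get("os_family"))
    if min_os is None:
        block.append("unsupported operating system")
    elif not version_ok(posture["os_version"], min_os):
        restrict.append("operating system below minimum version")
    if not version_ok(posture["vpn_client"], policy["min_vpn_client"]):
        block.append("VPN client below minimum version")
    av_date = posture.get("av_signature_date")
    if av_date is None:
        block.append("no antivirus reported")
    elif (today - av_date).days > policy["max_av_signature_age_days"]:
        restrict.append("antivirus signatures out of date")
    missing = policy["required_cert_subjects"] - set(posture.get("cert_subjects", ()))
    if missing:
        block.append("required certificate missing: " + ", ".join(sorted(missing)))
    if block:
        return "block", block + restrict
    return ("restrict", restrict) if restrict else ("allow", [])

# Constructed sample: a personal laptop with stale antivirus signatures.
BYOD = {"os_family": "windows", "os_version": "10.0.19045", "vpn_client": "13.14",
        "av_signature_date": date(2024, 5, 20),
        "cert_subjects": ["CN=Example Corp Device CA"]}
```

Comparing versions as integer tuples matters here: as plain strings, a client reporting "13.9" would sort above the required "13.10" and pass the check.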

Learn more about endpoint security and building secure remote access environments. Read our data sheet for a deeper dive into NCP Secure Enterprise Management.
