PROTECTION MATTERS

Shadow IT: The Good, the Bad, and the Unapproved


Shadow IT lurks to undermine company security right under the noses of its IT operatives.

You’ve probably heard about bringing your own device (BYOD) policies, which allow employees to use their personal devices for work purposes. Despite being “foreign” media to an internal system, they are still heavily managed and are critical to maintaining the integrity of the internal systems of the businesses that operate them.

This is often disliked by BYOD participants due to perceptions of privacy intrusion, among other reasons, so the less enthused ones figure: “What my IT people don’t know won’t hurt them.” Ignorant of company policy, employees start accessing business networks with unvetted devices, thinking nothing of the inevitable repercussions.

These devices are called “shadow IT,” a security blind spot for many organizations.

Key points of this article:

  • Shadow IT is a multifaceted concern facing businesses of all sizes, even in BYOD-enabled environments.
  • Unsupervised devices and solutions represent likely security risks that can result in stealthy incidents.
  • Still, shadow IT can also be beneficial in introducing new technologies, tech use cases, unlocking better productivity, and highlighting security gaps.

Into the abyss

Shadow IT represents more than the household laptop connected to a company network. In truth, the term can encompass several different device types, and even software solutions or services, such as cloud repositories or generative AI assistants, that individual employees have decided are “okay” to use without ever asking for permission.

According to Cisco, nearly 80% of end users utilize software not cleared by IT. Moreover, 83% of IT staff use unsanctioned software or services.

Why? The reasons are multifaceted. Regular employees might find that company-vetted solutions aren’t flexible enough to deliver the productivity gains they are after. Asking for permission to use industry-recognized free software, for example, might seem cumbersome.

Similarly, IT professionals could feel that their current tools aren’t up to par with what’s needed to do their jobs effectively. This also ties back to the BYOD example in the intro: device management could seem overbearing to some, who might fear for their privacy.

A study from 2023 showed that as many as 69% of employees bypassed cybersecurity guidance, with 74% willing to bypass guidance to help them achieve a business objective.

However, behind every single risk management policy lies a reason why it exists. Unvetted devices could pose security risks, as their protection is unlikely to meet company standards.

At the same time, shadow IT can translate to costs beyond a company’s regular budgeting, reportedly accounting for around 50% of IT spending in large enterprises. As these expenses are not part of regular annual budgeting, they’re likely to be unnecessary costs.

Shadow of the day

Typically, organizations use multiple solutions or services to protect work devices. They use ESET Endpoint Security with something like ESET Inspect on top to better visualize and control their posture, while also using ESET Mobile Threat Defence on work phones. 

This results in a secure environment, in which malicious activity is easily picked up by these solutions checking for discrepancies related to existing rules or behavior that’s out of the ordinary, such as an employee installing a signed vulnerable driver (in the worst case signifying the presence of an EDR killer).

Unsanctioned devices have none of this: no automatic vulnerability patching, almost zero defense against advanced threats due to nonexistent SOC access, and an open season on company data for any willing threat actor.

What’s more, shadow IT is also a compliance problem, as unmonitored apps/devices are likely to be omitted during compulsory audits for insurance or regulatory reporting.

Data exposure in particular is a big shadow IT issue, as it doesn’t take much for an employee to transfer company documents to a personal USB drive, upload them to a personal cloud, or, in a worst-case scenario, introduce malware into company networks through a compromised device. With such possibilities, the likelihood of an incident creeping up on IT personnel grows to near certainty.

According to the 2025 IBM Cost of a Data Breach Report, shadow AI services are to blame for as much as 20% of security incidents, raising breach costs by $670,000, and also result in the compromise of intellectual property and personal information.

Light and shadow

However, shadow IT isn’t something to be written off completely. While it’s certainly a risk factor, it does have some benefits, such as:

  • Productivity gains: Seekers of better efficiencies and productivity might find these within their unsanctioned products in use. 
  • Highlighting tech gaps: Perhaps the available tools are really lacking, and individual choices made by employees can inform company IT of the right alternatives.
  • Costs: Let’s be honest, everything’s expensive these days. Computers, phones, SaaS... and the costs just keep rising. By not having to commit to increased purchasing, companies can save on costs in the long run.
  • Better security monitoring: By introducing new objects into a business environment, the security personnel can get a better understanding of how to manage external risk, and in this case, get a better grip on what is or isn’t risky employee behavior.

Against the shadow

A problem with shadow IT is that it’s difficult to assess its extent within an organization.

Due to the sheer number of devices and programs likely in use, it’s almost impossible to audit them. Almost. For software installed on work computers, it might be easier, since those machines already carry remote management tooling or attentive security software, but for rogue devices it’s likely a bit more complicated.

Smart companies tackle this vector through network segmentation (such as guest Wi-Fis) and access management (requiring a protected VPN to access internal servers), but this doesn’t exactly stop people from copying or sending files to unauthorized spaces, which is another risk multiplier. Thus, prevention needs to be put first.

Out of the shadow

To combat shadow IT while addressing employee productivity, businesses should:

  • Enforce internal policies: By clearly communicating expectations from IT’s side, including potential penalties, businesses can increase employee awareness while reducing their liabilities.
  • Focus on security awareness: Cybersecurity awareness training should explain the risks associated with unvetted devices or apps, treating shadow IT as a pivotal point.
  • Survey employee sentiment: It’s likely that employees have valid reasons for using shadow IT. Survey employee attitudes to detail their experience and assess any opportunities for a better ROI related to product use.
  • Fine-tune their monitoring: No active monitoring agent installed on a shadow device? No problem. If these employees connect to company networks, simply scan your network activity and traffic to account for suspicious behavior. For potentially unwanted apps or services, either an installed security agent or a monitoring tool can be of great help.
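One way to turn the last item into a concrete check, as an added example that is not from the article or from ESET: it joins constructed DHCP lease lines (to find devices whose MAC is not in the managed inventory) with constructed proxy log lines (to find traffic to services IT has not vetted), and separates rogue devices from shadow apps running on managed ones. The log line shapes, MACs, hostnames and domains are all assumptions made up for the example.

```python
import re
from collections import defaultdict
# Added example, not ESET's code: every MAC, hostname and domain is a
# constructed sample value. Inventory of devices carrying the endpoint agent:
MANAGED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
# Allow-list of cloud services IT has vetted (constructed):
SANCTIONED_DOMAINS = {"mail.example-corp.com", "drive.example-corp.com"}

# Constructed log lines in ISC-dhcpd-like and proxy-access-like shapes.
DHCP_LOG = """\
DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (LAPTOP-IT-01) via eth0
DHCPACK on 10.0.5.77 to de:ad:be:ef:00:01 (Johns-iPhone) via eth0
DHCPACK on 10.0.5.22 to aa:bb:cc:00:00:02 (LAPTOP-FIN-03) via eth0
"""
PROXY_LOG = """\
10.0.5.21 GET https://drive.example-corp.com/file/123 200
10.0.5.77 PUT https://personal-cloud.example/upload 200
10.0.5.22 POST https://chat-ai.example/v1/complete 200
"""

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \((\S+)\))?")
PROXY_RE = re.compile(r"^(\S+) \S+ https?://([^/\s]+)", re.MULTILINE)

def unknown_devices(dhcp_log, managed=MANAGED_MACS):
    """Leases whose MAC is not in the managed inventory -> {ip: (mac, host)}."""
    found = {}
    for m in DHCP_RE.finditer(dhcp_log):
        ip, mac, host = m.group(1), m.group(2).lower(), m.group(3) or "?"
        if mac not in managed:
            found[ip] = (mac, host)
    return found

def unsanctioned_services(proxy_log, allowed=SANCTIONED_DOMAINS):
    """Traffic to domains outside the allow-list -> {domain: [client ips]}."""
    hits = defaultdict(set)
    for m in PROXY_RE.finditer(proxy_log):
        ip, domain = m.group(1), m.group(2).lower()
        if domain not in allowed:
            hits[domain].add(ip)
    return {d: sorted(ips) for d, ips in hits.items()}

def shadow_it_report(dhcp_log=DHCP_LOG, proxy_log=PROXY_LOG):
    """Split findings into rogue devices and shadow apps on managed devices."""
    devices = unknown_devices(dhcp_log)
    services = unsanctioned_services(proxy_log)
    on_managed = {d: [ip for ip in ips if ip not in devices]
                  for d, ips in services.items()}
    return {"unknown_devices": devices, "unsanctioned_services": services,
            "shadow_apps_on_managed": {d: i for d, i in on_managed.items() if i}}
```

The unknown-device list is the input for a conversation with the employee (or a segmentation rule), while the shadow-app list is what an installed agent or CASB-style control would act on.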

Expert tips & insights

For years, employees have used unsanctioned tools – known as shadow IT – to bypass bureaucracy and slow internal processes that delay technology adoption. While seeking out new solutions to improve productivity, this approach often introduces hidden risks into the organization’s environment that overburdened IT and security teams cannot hope to cover. The frequent introduction of new, powerful, and user-friendly AI tools has supercharged this trend, leaving organizations struggling to identify and manage the unknown threats built into their products and infrastructure. 

Only time will reveal the true impact of shadow IT and shadow AI on processes, productivity, data privacy, security, and product quality. One area of particular concern is software products, where AI-generated code and practices like “vibe coding” may (re)introduce insecure designs and vulnerabilities rooted in the poor programming habits present in AI training data. While shadow IT can drive innovation, if not properly managed, it can become a liability, potentially leading to serious incidents or, in the worst-case scenario, catastrophic organizational failure.

- Ondrej Kubovič, ESET Security Awareness Specialist

Breaking dawn

Is shadow IT a problem? It depends on one’s perspective. While it is a risk factor that multiplies the chances of data exposure, or of a compromise, there’s also a positive side. It probably wouldn’t make sense to outlaw all shadow apps, but turning their use around into better decision-making surrounding device or software procurement, as well as internal policies regarding BYOD, for example, would make a case for its continued relevance.