What is a Shadow System in IT or Shadow IT, Some Examples and Risks

Shadow IT Technology

What is a Shadow System in IT, or Shadow IT?

A "Shadow System" in IT is a term used to describe solutions and systems created and applied inside organizations without their authorization, thus the alternate name of "Shadow IT". While they may not be authorized and can pose security risks, these solutions can aid in the development of new IT solutions.

Shadow IT was created as a result of impatience by employees who wanted fast access to hardware, software or web services without complying with company regulations or protocol—employing third-party software and hardware to accomplish tasks where the organization's in-house IT fell short. In a way, this can actually increase productivity.

However, as technology has grown and advanced, so has the definition of Shadow IT. Today, it includes personal technology and specific third-party technology that helps a person's department—circumventing corporate IT.

What are some examples of Shadow Systems in IT?

Some examples of Shadow IT technology include the following:

  • Personal devices such as smartphones
  • USB drives
  • Web apps such as Google Docs
  • Instant messaging
  • Third-party video chat services

What are the biggest Shadow IT risks?

The following are some of the larger concerns with regard to shadow systems employees might use:

  • Unsupported hardware and software can pose security risks, as they are not subject to corporate security protocols. Other complaints include the use of company bandwidth, which can create conflicts between network and application protocols. Another issue can arise when employees store corporate data in their personal accounts.
  • Some fear the creation of data silos, and argue that these will hinder the free flow of data throughout the company. Proponents of Shadow IT believe that it is something to be embraced because of the potential benefits, as long as it is properly regulated.
  • In addition to Shadow IT, there is a separate but related security threat: Shadow Data. With the public cloud comes an incredibly high volume of data transfer. Some of this data is particularly sensitive, including personal, credit card and healthcare information. With so much sensitive data being transferred, it is difficult for organizations to create and enforce data compliance policies.
  • According to Imperva Incapsula, an online application provider, one of the main threats concerning the use of cloud apps is data theft. Taking a closer look, data theft is occurring in a number of ways, including anomalously frequent sending of emails, frequent sharing, frequent downloads, and frequent previews. The last item in this list gives credence to the idea that users are taking screenshots of sensitive data.
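
The four indicators named in the last item above (frequent emails, sharing, downloads and previews) can be checked per user against a peer baseline in cloud-app audit events. The following is an added example, not code from Imperva, Symantec or the original article; the event format, action names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# The four behaviours the article lists as signs of data theft (action names are assumed).
WATCHED = ("email_sent", "share", "download", "preview")

def flag_outliers(events, threshold=3.5, min_events=20):
    """Return sorted (user, action, count) for users far above their peers.

    events: list of (user, action) tuples for one time window.
    Uses the modified z-score (median and MAD) so that one heavy user
    does not inflate the baseline the way a mean would.
    """
    counts = defaultdict(Counter)
    for user, action in events:
        if action in WATCHED:
            counts[action][user] += 1
    users = sorted({user for user, _ in events})
    findings = []
    for action in WATCHED:
        per_user = [counts[action][u] for u in users]  # Counter gives 0 for inactive users
        med = median(per_user)
        mad = median(abs(n - med) for n in per_user)
        for user, n in zip(users, per_user):
            if n < min_events or n <= med:
                continue  # low volume, or not above the peer median
            # MAD == 0 means the peers are identical, so any excess stands out
            score = float("inf") if mad == 0 else 0.6745 * (n - med) / mad
            if score > threshold:
                findings.append((user, action, n))
    return sorted(findings)

def sample_events():
    """Constructed audit log: per-user volumes for one day, in WATCHED order."""
    volumes = {
        "alice": (4, 2, 5, 9),
        "bob": (6, 1, 3, 12),
        "carol": (3, 3, 6, 8),
        "dave": (5, 2, 4, 10),
        "erin": (5, 2, 48, 140),  # heavy downloads and previews
    }
    events = []
    for user, per_action in volumes.items():
        for action, n in zip(WATCHED, per_action):
            events += [(user, action)] * n
    return events

if __name__ == "__main__":
    for user, action, n in flag_outliers(sample_events()):
        print(f"{user}: {n} x {action} is far above the peer baseline")
```

A flagged user is a lead for review, not proof of theft: bulk downloads during a migration or a reporting deadline produce the same pattern, so tune `threshold` and `min_events` against a known-good period first.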


Symantec, a company that provides software for security, backup and data storage, offers organizations a solution to mitigate such threats. Its CloudSOC Audit software allows executives to oversee, manage and control the use of cloud apps within their organizations. They can assess the applications, sanction those that comply with business regulations and control the use of those that do not.

Ensuring data security is a top priority for any IT department. Cloud computing makes data sharing and transfer easy, yet technological advancement comes with responsibility. While Shadow IT can pose a significant security risk, it is important to note that, when properly regulated, third-party or "unapproved" hardware and software can help your organization solve problems more quickly and with greater ease.