12 November 2019

These are the four most important causes of shadow IT (and how to resolve them)

An important element in monitoring the network security in a company is knowing what your risks are. You can then take appropriate measures to mitigate them. But what if those risks are entirely invisible to you? Then as an IT manager or company, you have a problem. Shadow IT causes many unknown risks. Because it involves applications that fall outside the purview of the IT department, you have no control and can be exposed to serious threats. In this blog, you can read about the most important causes of shadow IT and how you can deal with them.

Because shadow IT falls outside the purview of the IT department, you have no control and can be exposed to serious threats.

Daan Keuper, Security Specialist at Computest

Shadow IT does not lend itself to imposing a company's security requirements, such as installing security updates, and it represents an ideal weak spot for an attacker to gain access to sensitive data stored in the shadow IT applications – or even to access the company network.

The most common causes of shadow IT

In practice, we most commonly see the following causes of shadow IT:

1. Systems are set up outside the IT department

This is by far the most common cause of shadow IT. People don't want to wait for IT or believe they can do just fine without an IT department. After all, there are numerous accessible tools available for various purposes. However, those implementing them often don't realise that these tools can endanger the security of the company. An example might be a marketer who has a campaign website developed and hosted by a third party, on which customer data are processed. No one keeps track of this site and no security checks are built in. There is a real risk that the security of the customer data processed on the platform does not meet the company's requirements. Moreover, after a campaign has finished, attention switches away from the site and no one thinks about the customer data still stored in the linked database.

2. Legacy systems are forgotten

It's not just employees outside the IT department who cause shadow IT. IT staff can also inadvertently contribute to it, because systems that a system administrator configured in the past can be forgotten. Take, for example, a test server that never got disconnected from the network but does not receive updates and is not monitored. If there is a vulnerability, it wouldn't occur to anyone that it might be in this system, particularly if the system administrator in question has since left the company.

3. Responsibility for digital systems does not lie with IT

Over the years, many systems that are typically managed by an installer have become part of the company network.

These days, security cameras and climate control systems are part of the company network. A big risk, because they are often not covered by a security policy and they are completely invisible to the IT department.

Daan Keuper, Security Specialist at Computest

Examples are security cameras and climate control systems, but also large structures such as locks. Where previously installers performed on-site maintenance on them, now they do that online. However, they often have insufficient knowledge of the risks involved and there is no security policy for these applications. Moreover, they are completely invisible to the IT department, so this is logically a risk for the organisation.

4. Private devices and IoT applications are connected to the network

It might seem like a thing of the past, but employees still regularly work on private devices such as laptops. Or they may temporarily connect an IoT application such as an IP camera, without being aware of the risks that entails. For example, there is no guarantee that these laptops or cameras are free of malware, or that business data is not being saved to the device itself. In the latter case, if the device is stolen, sensitive data can quickly find its way into the public realm.

How do you get your shadow IT under control?

Anyone who thinks shadow IT can be avoided is mistaken. There will always be systems the IT department does not know about. However, there are three steps you can take to reduce shadow IT and make your IT infrastructure more secure.

1. Increase security awareness

Employees almost never knowingly endanger the security of a company. They often simply lack knowledge about the risks and about which behaviour exacerbates specific risks. So make sure people are made more aware of the risks and know what they can do to limit them. Also give them concrete tips: for example, on the smart use of passwords, on why they should install the latest updates as soon as possible, and on how they can establish whether a campaign website is safe.

2. Evaluate your security policy

Every company has some form of security policy, along with associated processes. Check whether your requirements of these processes are proportionate to the potential risks the company is running. If you initiate measures that seem pointless to employees, you are practically inviting them to work around them and find different solutions (which almost certainly won't meet your security standards). In addition, make clear what the rationale is for particular rules and requirements so that people understand why it is important to adhere to them.

3. Continuously shine a light on your shadow IT

This seems like an impossible task – after all, there's a reason it's called shadow IT. However, with a tool like Marvin_, you can continuously scan your external and internal network so that unknown systems and devices come to the surface. Via a dashboard, Marvin_ gives you a daily picture of the security of your online environment. Moreover, the results of the scan are also manually filtered by a security specialist, who will attach professional recommendations to them. In this way, you can be sure a shadow IT application can never exist for long.
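As an added illustration of the discovery step described above (example code, not part of the original post and not Marvin_'s own logic): a discovery scan is reconciled against the asset inventory. The inventory, the one-host-per-line scan format, the sample hosts and the 90-day patch threshold are all constructed assumptions. A host seen on the network but missing from the inventory is a shadow IT candidate (causes 1, 3 and 4); a known host that has not been patched for a long time, or an inventory entry that no longer answers, points at a forgotten legacy system (cause 2).

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory: what the IT department believes is on the network.
KNOWN_ASSETS = {
    "10.0.1.10": {"role": "file server", "last_patch": "2019-11-01"},
    "10.0.1.20": {"role": "mail relay", "last_patch": "2019-10-28"},
    "10.0.1.30": {"role": "test server", "last_patch": "2017-03-12"},
    "10.0.1.40": {"role": "intranet wiki", "last_patch": "2019-10-15"},
}

# Constructed discovery output, one host per line: ip,open_ports,banner
SCAN_OUTPUT = """\
10.0.1.10,22;445,OpenSSH 7.9
10.0.1.20,25,Postfix
10.0.1.30,22,OpenSSH 5.3
10.0.1.77,80;554,IP camera web interface
10.0.1.91,80;443,nginx (campaign site)
"""


@dataclass
class Finding:
    ip: str
    kind: str    # unknown_host | stale_inventory | outdated_patch
    detail: str


def parse_scan(text: str) -> dict:
    """Turn the line-oriented scan output into {ip: {"ports": [...], "banner": ...}}."""
    hosts = {}
    for line in text.splitlines():
        ip, ports, banner = line.split(",", 2)
        hosts[ip] = {"ports": [int(p) for p in ports.split(";") if p], "banner": banner}
    return hosts


def reconcile(known: dict, scan: dict, today: str, max_patch_age_days: int = 90) -> list:
    """Compare a scan with the inventory and return every discrepancy as a Finding."""
    ref = date.fromisoformat(today)
    findings = []
    for ip, info in scan.items():
        if ip not in known:   # on the network but unknown to IT: shadow IT candidate
            findings.append(Finding(ip, "unknown_host", f"ports {info['ports']}, banner '{info['banner']}'"))
    for ip, asset in known.items():
        if ip not in scan:    # in the inventory but no longer answering: stale record
            findings.append(Finding(ip, "stale_inventory", f"{asset['role']} not seen on the network"))
        elif (ref - date.fromisoformat(asset["last_patch"])).days > max_patch_age_days:
            findings.append(Finding(ip, "outdated_patch", f"{asset['role']} last patched {asset['last_patch']}"))
    return findings
```

Running this daily and feeding the findings to a dashboard gives the continuous picture the post describes; the manual review step then decides which unknown hosts are legitimate.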
