Shadow IT: A Managerial, Technological, and Cultural Challenge in the Era of Digital Work.

A comprehensive review of Shadow IT as a managerial challenge: the use of unapproved technologies in the organization, its causes, examples of failures and an examination of the implications; an international comparison; an examination of the roles of the CIO, CISO, senior management and the board of directors; the organizational ways of dealing with Shadow IT (enforcement, training, BYOD and monitoring); and a proposal for a managerial strategy for dealing with Shadow IT in the organization.


In the current era of digital transformation and hybrid work, organizations are facing a widespread phenomenon of using digital tools and technologies that are not approved by the organization's IT department. This phenomenon, known as "Shadow IT", is receiving growing attention due to its significant impacts on technology management, information security, and organizational conduct. Studies indicate that a significant portion of employees worldwide use at least one external tool for work purposes without receiving approval for it [1]. For example, one report found that nearly half of employees (42%) use private email accounts for work, more than a third use instant messaging platforms or personal cloud storage services for professional purposes [2]. The COVID-19 pandemic and remote work also contributed to the expansion of the phenomenon: organizations reported an acceleration in the adoption of cloud digital tools and an increase in associated security risks during the transition to hybrid work [3]. In light of the broad scope of the phenomenon and the potential risks accompanying it – from leakage of sensitive information to damage to managerial control – the need for deep understanding and formulation of an appropriate organizational response is growing. In this article, we will present a comprehensive review of the Shadow IT phenomenon from different angles: technology management, information security, organizational behavior and digital culture, while relying on academic literature and findings from up-to-date studies from around the world and from Israel. We will conclude with a proposal for a managerial strategy for effective coping with the phenomenon, alongside conclusions and practical recommendations for managers.

Definition of Shadow IT and the Context of the Hybrid Work World

Shadow IT is a term referring to the use of systems, software, applications or hardware devices within an organizational framework without approval or supervision from the official IT department [1]. In fact, these are computing tools that are "in the shadows" of the organization - some of them even integrate into work processes - but are not known to the IT array or are not under its management and support. In the classic definition: "Shadow IT is an addition to official IT in the form of systems and autonomous units developed and operated in business departments, without the knowledge, support or approval of the IT department" [1]. This phenomenon overlaps with additional terms such as "private/hidden IT" and "Feral IT", although in the world of research and practice the use of the term Shadow IT has become established due to its relative neutrality [1].

The transition to remote work and the expansion of the hybrid model in recent years have intensified the Shadow IT phenomenon. When employees are spread outside the company offices, often at home, the tendency to rely on personal tools and available cloud services to complete daily tasks increases [1]. Employees brought with them to the digital workspace habits and technologies they used in their private lives, and at the same time customers and business partners began inviting employees to use their preferred platforms [1]. The hybrid work environment characterized by spatial flexibility and high internet availability from anywhere has created a reality in which employees can easily bypass organizational restrictions: any employee with an internet connection can independently register for any SaaS (Software as a Service) service or use an application without special technical difficulty [3]. The high availability of cloud solutions (SaaS, as well as cloud infrastructure and platforms) has reduced dependence on the IT department for deployment and implementation of software tools, thereby **lowering the threshold** for Shadow IT penetration into the organization [4]. In other words, the hybrid and cloud world has created fertile ground for the expansion of the Shadow IT phenomenon: employees outside the range of direct supervision, high accessibility to technologies, and the need to quickly adapt work tools - all these combined to increase the use of unapproved tools within organizations.

It is important to emphasize that Shadow IT can include a wide variety of means: from cloud software and network services, through mobile applications, to personal hardware devices connected to the organizational network. The common denominator is the bypassing of official mechanisms: such Shadow IT tools are not subject to the organization's IT policy, to routine security updates, or to control and ongoing support processes. In what follows, we will examine up-to-date research findings that demonstrate how common the phenomenon is, what drives it, and what risks and implications it brings with it.

Literature Review and Recent Studies

The Shadow IT phenomenon has been academically researched for over a decade, with a significant increase in researchers' interest starting from 2010 onward [1]. Comprehensive literature reviews published in recent years paint a rich picture of the accumulating body of knowledge. For example, Klotz and colleagues (2019) reviewed 126 articles dealing with Shadow IT until 2017, emphasizing the wide variety of types of unofficial systems, while relying on a taxonomy proposed by Kopper (2016) [1]. Another systematic review by Raković (2020) analyzed about 90 articles, with special emphasis on the managerial issues raised by the phenomenon and on different coping strategies. These and other reviews indicate that the academic literature examines Shadow IT from a variety of aspects: factors in the appearance and adoption of Shadow IT, the potential risks and benefits, and governance approaches and policies for dealing with it.

Scope of the Phenomenon

Recent studies confirm that Shadow IT is a very common phenomenon in organizations. International surveys show that most employees admit to some use of external IT tools for their work. According to a survey by Gigacom, 81% of employees across organizations (Line-of-business employees) reported using SaaS services without approval. A similar figure emerged in a study by PMG in the US, which reported as early as 2014 that 53% of IT personnel believe that all organizational departments "rely heavily" on some unauthorized technologies. Another study reports that about 80% of employees worldwide use at least one application not approved by IT - a clear indication that this is not isolated extreme cases but a prevalent norm. In Israel too, the data point to a similar trend. A survey of technology managers in organizations (research conducted for the Israeli startup Torii in December 2021–January 2022) found that 69% of technology managers see Shadow IT as a top-priority security concern when it comes to adopting cloud applications (SaaS). Most respondents in that survey admitted that they had to make exceptions to their organization's cloud application security policy, and in 80% of cases the reason for the exception was adoption of applications by employees outside the framework of the IT team's activity. These findings show that Shadow IT is not a rare scenario but a daily reality even in well-managed organizations.

New Trends in Research

Recent academic research is also beginning to address new sub-phenomena, such as "Shadow AI" - the use of artificial intelligence tools (for example, ChatGPT interfaces) without organizational supervision or approval. A global survey conducted in 2023 found that 55% of employees admitted to using generative AI tools at work without approval, a matter that raises new concern among information security managers due to the risk of sensitive information leaking to external systems. Leading organizations even took countermeasures: for example, at Samsung it was discovered that developers entered secret source code into ChatGPT, which forced the company to immediately restrict access to this tool for fear of exposing trade secrets. This example illustrates how the tendency for "shadow adoption" is expanding to new technologies as well, and emphasizes the ongoing challenge of the organization to keep pace with technological renewal while ensuring proper control regime.

Profile of Shadow IT Users

Studies and surveys provide insights into which groups of employees are particularly prone to adopting Shadow IT. A recurring finding is that younger generations in the workforce are more likely to bypass official IT systems: for example, a 2023 Beezy survey found that 54% of millennial employees (born in the 80s–90s) reported using unapproved tools, compared to ~38% in Generation X and 33% in Generation Z. The older generation (baby boomers) was the most conservative: only about 15% of them reported Shadow IT. At the same time, it is possible that younger generations are also simply less aware of policy: a global survey for HP (2021) showed that 39% of young employees (ages 18–24) are not sure what the organization's information security policy is, and half of them believe that "meeting deadlines is more important than complying with security policy". Moreover, 31% of young employees in that survey admitted that they actively tried to bypass the company's security measures to achieve their work goals. These data reinforce the understanding that the phenomenon is driven not only by technology availability but also by the attitudes and behaviors of employees, especially young ones, who often see security rules as a burden that hinders their work. Accordingly, part of the developing academic research focuses on aspects of organizational behavior and culture: what are the psychological and organizational motives for using Shadow IT, and what justifications do employees give themselves for choosing to deviate from IT policy (for example, "I need to finish the task on time, even at the cost of bypassing the rules").

Israel vs. the World

In Israel, the Shadow IT phenomenon has received attention in recent years also among the IT and cyber community. Alongside the Torii survey (2022) mentioned above, which refers mostly to the global market, it can be noted that in the Israeli high-tech sector - known for its entrepreneurial and agile approach - there is a certain openness to rapid adoption of new tools, which sometimes occurs from the bottom up by employees even before the tool was officially implemented. However, as of the writing of these lines, no dedicated quantitative data regarding Israel beyond the global surveys have been published. It can be said cautiously that the picture in Israel is similar to that in the US and Europe: Shadow IT is particularly common in technology, finance and professional services sectors, where employees tend to be technologically proficient and feel comfortable improvising solutions independently. On the other hand, in the public sector and in traditional organizations, organizational conservatism may somewhat reduce the scope of the phenomenon – but even there it certainly exists, for example widespread use of WhatsApp for internal communication in government ministries and government companies, despite the risks and lack of supervision. An article in TheMarker mentioned a case in which a legal petition demanded to reveal work correspondence that took place in the WhatsApp application between a government minister and a civil servant, which raised legal questions regarding transparency and preservation of official records in the era of informal communication channels. This example illustrates how in Israel - like in the world – considerations of convenience and availability sometimes prevail over regulatory or security considerations, and the boundaries between personal and accepted tools blur.

To summarize the literature review, the recent studies illustrate the centrality of the phenomenon: Shadow IT is a real and ongoing challenge, researched both by academia and by industry bodies. In the next part, we will examine common concrete examples of Shadow IT, in order to illustrate in practice how this phenomenon manifests in organizational day-to-day.

Common Examples of the Shadow IT Phenomenon

Shadow IT manifests in a wide variety of tools and daily actions of employees. Prominent examples include: using private email boxes (such as Gmail, Yahoo) for work purposes instead of the organizational email account; storing and sharing files through personal cloud services such as Dropbox, Google Drive or private OneDrive, instead of using the company's approved file management system; using external task and project management tools like Trello or Asana without IT knowledge; and adopting private messaging and communication platforms such as WhatsApp, Telegram, Signal, Slack or Zoom in private accounts, for communication with colleagues and customers. In fact, one survey found that 38% of employees communicate on work matters through unapproved personal instant messaging applications (such as WhatsApp), and ~35% use video conferencing or cloud storage tools that are not on the organization's approved tools list. Even local office tools can become Shadow IT if their use deviates from procedures - a well-known example is the employee who uses a personal Excel sheet as a database for managing business information instead of using the dedicated organizational system, thereby creating a private information "island".

In addition to software and cloud services, it should be remembered that Shadow IT also includes physical devices and hardware means. A simple example is using a Disk-on-Key or personal USB drive to transfer sensitive files between computers, outside the organizational monitoring system. In terms of hardware, Shadow IT can also manifest in an employee connecting private devices (such as tablets, printers or web cameras) to the company network without coordination - any such "foreign" hardware may be considered Shadow IT equipment because it has not undergone the IT compatibility and security checks.

It is important to emphasize that adopting these tools is not always done with a deliberate intention to violate the rules. Many times Shadow IT starts in an "innocent" way: an employee encounters a real need, does not find a quick or satisfactory response in the formal systems, and therefore turns to an available tool familiar to him from outside work. For example, when needing to send a large file and there is no secure FTP solution from the organization at hand, the employee may upload the file to a private Google Drive and share a link with his colleagues. From his point of view, this is a legitimate, productive action ("I had a task and I had to finish it; it was the fastest and most convenient way"), but from the organization's point of view this is a deviation that endangers the company's control over the data.

In many cases, Shadow IT tools become embedded in the work routine without anyone "raising a red flag". For example, a small marketing team may start using a free graphic design software from the internet due to ease of use, or a human resources department that manages Excel lists in a private cloud to track candidates, instead of in the official recruitment system. Such patterns can become entrenched and become an integral part of business processes, and then it is even harder to detect and eradicate them. As one report describes it: Shadow IT applications "are part of the company's technological toolbox but are not known to the IT and security teams, and therefore are not approved by them – thereby exposing the companies to significant risks". This is especially true in an environment where employees purchase cloud software themselves: in that Pulse/Torii survey, 52% of respondents reported that employees in their organization tend to purchase and install SaaS applications independently without informing the IT department, and 36% noted that even business managers sometimes do so. This figure explains why in many organizations, the list of software actually in use is infinitely longer than the list of software officially known to the IT department.

In summary, Shadow IT examples cover a wide range: from Google calculators that replace finance systems, WhatsApp groups instead of email or secure chat, personal Google Docs documents instead of organizational file servers, and so on. In the next part we will analyze why these phenomena occur - what are the factors driving employees and business units to bypass the institutionalized IT systems.

Driving Factors for the Shadow IT Phenomenon

Analysis of the reasons and incentives for the rise of Shadow IT points to a combination of technological, organizational and cultural factors. The following are the main reasons, as emerging from studies and surveys, why employees turn to unapproved tools:

  • Technological Gaps and Inadequate IT Tools:

One of the central drivers is a feeling of dissatisfaction with the technological tools provided by the organization. When the official systems do not fully meet the users' needs (for example, slowness, an outdated interface, missing functions), employees look for more efficient alternatives. In a global survey conducted in 2023, it was found that only 42% of employees are completely satisfied with the digital work tools that the company makes available to them. In fact, most employees (58%) reported dissatisfaction with the level of existing technology, with Generation Z and Y in particular finding the organizational tools "frustrating, broken or unreliable". Poor user experience in internal tools pushes employees to adopt external tools over which they have better control or which are perceived as more modern and convenient. The research also points to duplication: in many cases organizations suffer from multiple systems with similar roles, among other things because employees adopted alternative tools on their own initiative. For example, it was observed that 39% of marketing personnel in organizations see inefficiency because of "duplicate applications", that is, using more than one tool for the same purpose in parallel, sometimes one official and sometimes one "in the shadows". Such duplication indicates that the official tool does not always fit exactly the needs of all users, which causes different departments to look for alternatives.

  • Speed and Availability vs. Bureaucracy (Time Pressures):

The culture of the internet and software as a service has created an expectation of immediate availability of solutions. In a competitive business world, pressure to meet schedules and respond quickly can cause employees to give up on protocol. According to HP research (2021), 91% of teams in organizations feel pressure to prefer business continuity and output over security considerations. When an urgent task is on the agenda, the employee faces a dilemma: wait (perhaps days or weeks) until the IT unit approves or provides a suitable tool, or find an independent solution here and now. Not surprisingly, most choose the second option. Moreover, the formal authorization procedure for a new tool may involve prolonged bureaucracy (forms, committees, compatibility and security tests), while independent registration for an online service can provide a solution within minutes. Accordingly, in one survey 38% of employees explained that what motivated them to use Shadow IT was the slow response time of the IT department: prolonged support and approval processes created frustration and pushed them toward faster solutions.

  • Organizational Culture and Risk Tolerance:

Organizational culture significantly influences the scope of Shadow IT. In organizations characterized by internal innovation and entrepreneurship, where employees are encouraged to "do what is needed" to achieve results, the tendency to use independent tools is higher. In contrast, in organizations with a hierarchical and conservative culture, employees may hesitate more to deviate from procedures. However, even in organizations with high security awareness, reality shows that it is difficult to completely eradicate the phenomenon. A Capterra report from 2023 found that in 37% of organizations there is no clarity regarding the consequences that will be imposed on employees if they violate IT policy and use unapproved tools. Lack of clear enforcement or concrete sanctions creates implicit tolerance for the phenomenon. In addition, when senior management itself does not comply (for example, senior managers who use private applications or bypass IT), a "quiet legitimacy" is created that passes down to the middle ranks as well.

  • Lack of Awareness and Poor Education:

Some employees are simply unaware that they are violating the organization's policy or what the risks involved are. As mentioned, a significant proportion of young employees admit that they are not familiar in depth with the information security procedures of the company. In the absence of training, it is possible that an employee will not understand, for example, that using a free cloud storage service may have regulatory implications (such as violating privacy protection regulations). In addition, there are those who see IT policy as suppressing innovation: in one survey 48% of young employees claimed that the current information security policy "hinders them from working efficiently". When such a perception is prevalent, employees convince themselves that using an unapproved tool is tolerable, if not entirely proper. There is also a phenomenon of personal habits - employees who arrive at the organization with a preferred set of tools they use in their private lives (for example, a task noting application on the phone), will tend to continue using them at work out of convenience and habit, without thinking about approvals.

  • The Hybrid Work World and Distance from the IT Team:

As mentioned, remote work makes it difficult to provide close technical support to every employee. In a survey conducted among IT managers in 2022, 39% of them stated that providing support to remote employees is their biggest challenge. This means that an employee at home who encounters a problem or technological need will often prefer to "solve it himself" in whatever way seems right to him, rather than go through a remote support center. In addition, some home-office employees work on personal devices (BYOD) on which they have full freedom to install applications. The BYOD (Bring Your Own Device) model blurs the boundaries between the work environment and the private environment, and when the device is in the employee's hands, the organization's control over what is done on it is reduced. The mixing of personal and work life in the hybrid model can also contribute: for example, an employee who uses his home computer for work as well may install software to help his children with their studies, and then use it for work-related tasks too, without any approval.

Additional driving factors identified in studies include the desire to exploit free or cheap versions of software (instead of purchasing an expensive official license through the organization), as well as cases of deliberate disregard due to excessive trust. There are employees (and even managers) who believe that "the risk is not great" or "it won't happen to me", and therefore see no problem in bypassing security instructions. Interestingly, in the positive aspect, 77% of IT team members themselves admitted that they see potential value in proactively adopting Shadow IT - that is, recognizing the tools that employees bring, and implementing them if they improve productivity [2]. This position hints that some technology leaders recognize that the motivation for Shadow IT is not malicious but stems from the desire to be productive and innovative, and that perhaps instead of only fighting it there is room to learn from it.

In light of the variety of these motives, it is no wonder that the phenomenon crosses organizations and borders. However, studies point to the fact that there are behavioral differences and differences in awareness between different geographical areas. In the next part we will briefly compare common behaviors and the approach to the phenomenon in different countries and regions - Israel, USA, Europe and Asia.

Comparison between Countries and Cultures: Israel, USA, Europe, Asia

Shadow IT is a global phenomenon, but its scope and form of appearance vary between different cultures and organizations. International surveys allow a glimpse into interesting regional differences:

  • Asia:

Several studies indicate that in many Asian countries there is a particularly high prevalence of using unapproved technologies. For example, in a 2022 global report by KnowBe4, which examined employee risk behaviors, it was found that more than half of employees in the Asia region (over 50%) reported that using unapproved file sharing services is "accepted practice" in their organization [5]. This figure is significantly higher than in the rest of the regions of the world. Asian countries are also documented as leading in the use of instant messaging tools for work purposes: platforms like WeChat, LINE and WhatsApp are integrated in small and large businesses, often unofficially. It is possible that the combination of business cultures focused on personal connection, together with the enormous availability of local technological solutions, leads to employees feeling comfortable adopting applications independently for work needs.

  • North America (USA):

In the US and Canada, awareness of information security is traditionally high, but this does not prevent the phenomenon; it only places it in an open discourse. Surveys indicate that in North America the rate of employees reporting Shadow IT use is moderate: for example, about 28% of employees in North America answered that it is "normal" in their organization to use unapproved cloud services [5a] [5b]. In other words, one third of employees in North America report such a practice, a percentage lower than Asia but significantly higher than "zero tolerance". The approach in the US is often split. On the one hand, many companies adopt a strict policy (there are even extreme examples: the US House of Representatives banned its employees from using the WhatsApp application on their work devices, due to security concerns [6]). On the other hand, the culture of innovation in Silicon Valley and elsewhere encourages "doing what is needed", and historically not a few organizational IT solutions started as Shadow IT tools that were introduced by employees and later adopted officially. In many American organizations, especially in the Fortune 500, the use of advanced tools for monitoring and managing Shadow IT (such as CASB, Cloud Access Security Brokers) is common today, out of the recognition that it is impossible to rely only on prohibitions.

  • Europe:

In Europe there is a great emphasis on privacy regulations and compliance with the law (for example GDPR), which affects the attitude of organizations to Shadow IT. Western European countries (such as Germany, France and Britain) are also influenced by an organizational culture that tends to be more planned and cautious compared to the US. In surveys, Europe presents relatively low rates, about 25% of employees reporting regular use of unauthorized cloud [5], similar to North America. However, it is important to note the intra-European differences: for example, companies in Northern Europe are known to be more strict regarding compliance and therefore may invest efforts to reduce Shadow IT; in contrast, in companies in Southern Europe there may be slightly higher cultural flexibility. In general, the strict legislation in Europe forces organizations to take steps; for example, if an employee introduces an external cloud service that processes customers' personal data without a data processing agreement, the company risks violating GDPR. This legal awareness probably limits the scope of certain Shadow IT phenomena in Europe, or at least brings them quickly to an official track. At the same time, no region is completely "clean" of this phenomenon: even in countries with a compliance culture, employees find ways to bypass rules when there is an immediate benefit to the work.

  • Israel:

Israel, as the "Startup Nation", presents an interesting combination of characteristics. On the one hand, the country's technological workforce is accustomed to rapid adoption of new technologies and a creative approach to problem solving. Such an environment can encourage Shadow IT, especially in small and medium companies or in innovation teams within large organizations. Indeed, by informal observation, almost every Israeli high-tech employee uses a variety of dedicated SaaS applications (for code management, design, analytics, etc.), some of which may not have been officially implemented by the IT team. On the other hand, in certain sectors in Israel, such as financial institutions, insurance and health, there is particularly high cyber awareness (influenced by Bank of Israel regulation, the Cyber Authority, etc.), and it is possible that there the employees are more cautious. A unique Israeli example is the widespread use of WhatsApp for organizational communication: in Israel this is the dominant messaging application not only in private life but also in businesses, to the point that WhatsApp groups sometimes serve as a substitute for an internal newsletter, task updates and even meeting coordination. While some organizations have adopted WhatsApp as an official tool (for example, for customer service or community relations), in most cases the use is spontaneous and unsupervised, constituting clear Shadow IT. This is also prominent in the public sector: there were publicized cases in which sensitive government information leaked because it was sent in WhatsApp groups, or important discussions took place there and were not formally documented. This development is raising a discussion in Israel today regarding the need for cross-cutting guidelines on the use of private communication means at work.

  • Other Countries and Africa:

The KnowBe4 research cited above showed that Africa presented the lowest rate of employees reporting widespread use of unauthorized tools (only about 20%) [5]. The estimates are that perhaps in Africa, due to a relative lag in IT infrastructure and in the adoption of technologies in certain sectors, organizations managed to "skip" directly to more secure solutions, or that simply the scope of digital tools in use is lower. On the other hand, the Oceania region (Australia/New Zealand) is similar to Asia, with relatively high rates (about 32% of employees use unauthorized cloud) [5]. In Australia it was reported that employees tend especially to use personal file sharing services, to the point that one survey called Australians "among the worst offenders in the world" in the context of Shadow IT [7]. Of course, such expressions should be taken with a grain of salt, but they reflect public awareness that the phenomenon crosses geographical borders.

It can be summarized that there are common patterns around the world: wherever there is a combination of business pressure, accessibility to technology, and lack of perfect IT response - Shadow IT will be found. The differences are in the dosage and in the way organizations choose to respond. In the next part we will discuss the implications of the phenomenon - what price the organization may pay for Shadow IT in terms of security, legal responsibility, managerial control and data leakage risks.

The Implications: Information Security, Legal Responsibility, Managerial Control and Data Leaks

The widespread use of Shadow IT poses a variety of **risks and implications** to the organization. Some of these implications materialize in an immediate and clear manner (such as a direct security breach), and others have a cumulative and hidden character (such as long-term damage to control or to costs). Let us examine the main aspects:

  1. Information Security and Cyber Protection Risks:

This is perhaps the most discussed implication. The very existence of unsupervised applications and devices in the organizational network or in employees' hands means potential breaches in the organization's protection. When business information flows through channels that are not monitored, the information security team is not aware of the dangers and cannot protect the digital assets properly [3]. Shadow IT devices do not necessarily meet the company's security standards: it is possible that they have not been hardened, have not received security updates, or that there is no anti-virus software or control on them. Beyond that, sensitive data stored outside the company's repositories effectively leaves the organization's control – files uploaded to a private cloud service or sent to a personal email are no longer subject to the organization's identity management policy, encryption or data leak prevention (DLP) mechanisms. For example, a 2023 security report showed that in 58% of security incidents related to SaaS services in organizations there was some data leak [8]. In other words, over half of the events involving improper use of cloud services ended in data leakage, sometimes of classified information or intellectual property. Another finding indicates that ~11% of all cyber incidents in organizations worldwide in recent years were a direct result of Shadow IT - that is, unauthorized use of tools that led to a breach, infection or exposure [2].

Shadow IT infrastructures may constitute a convenient entry point for attackers. A tool that has not been checked and approved by a security team may contain vulnerabilities (for example, a SaaS application without two-step verification, or a private IoT device with a default password) that attackers can exploit. Moreover, the non-uniform deployment of protection caused by Shadow IT creates "dead zones" in the protection network: the organization may have invested in firewall, SIEM and monitoring mechanisms, but if the employee works outside the supervised range (for example, on a personal laptop on a home network) and connects from there to an external cloud tool – all the traditional protection systems are bypassed. Attackers are aware of this phenomenon, and in recent years attacks began exploiting employees' personal cloud accounts as a way to leak information. A well-known incident was when it was published that employees in a global company transferred sensitive files to home computers through private Dropbox accounts, and hackers managed to gain access to these files through a breach of the private account, without penetrating the protected organizational network at all.

  2. Data Leaks and Loss of Information:

Shadow IT increases the danger of data leakage, both malicious and inadvertent. In Insider Threat scenarios (a malicious insider), external tools provide the employee with a channel to transfer data out under the radar. For example, an employee can easily send confidential documents to his private Gmail account and access them after leaving the company. And indeed, a Valence Security survey (2023) showed that 30% of files in organizations are shared at some stage with employees' personal accounts [8]. Over a third of employees (35%) even admit that they routinely forward work emails from their organizational account to their private mailbox, perhaps to work from home or to keep a backup [8]. Such actions create a significant opening for leakage of intellectual property, customer information and sensitive information - without the organization's ability to prevent it or track what is done with the information afterward. Even when an employee leaves the company, Shadow IT makes it difficult to revoke his access to company assets. Standard off-boarding procedures ensure the cancellation of accounts in the official systems, but what about all those applications that are not known to the IT department? About half of managers claim that employees who purchased and used cloud applications independently did not have their access fully revoked upon their departure. This means that an employee who left may continue to hold access to company files through his private account (for example, a Google Drive folder shared with him) even long after he stopped working there - a clear risk of leakage or misuse.

Even without malicious intent, Shadow IT leads to loss of information due to a lack of backups and business continuity. Official systems are monitored and backed up; in contrast, when a team implements a solution on its own initiative (say, a database in the cloud set up without going through IT), it is possible that there is no periodic backup. If the external service crashes, or if the employee who holds the admin permissions for that service leaves suddenly, the organization may find itself without access to vital information. As research notes, the issue of missing backups in Shadow IT applications is almost never discussed in detail in the literature, but in practice it is a ticking bomb that can cause loss of important data.

  3. Legal Responsibility and Regulatory Compliance:

Shadow IT may expose organizations to violations of laws and regulations, even without their knowledge. For example, data protection regulations (such as GDPR in Europe, the Privacy Protection Law in Israel, etc.) require control and supervision over personal information databases. If employees store customer information in an unapproved cloud service located outside the country, it is possible that the organization is violating the law regarding the transfer of sensitive information abroad without the required protections. Moreover, in the event of a security incident through a Shadow IT channel (for example, leakage of customers' credit card numbers that were saved in a private Excel sheet in the cloud), the organization will bear full responsibility towards the authorities and the victims, even though it had no control over that tool. In such a situation, insurance companies may also refuse to cover damages, claiming that the organization was negligent in enforcing a proper security policy.

Another issue is compliance with standards and regulations (Compliance). In many organizations, especially in finance and health, compliance with information security standards (such as ISO 27001, PCI-DSS, etc.) is required. The existence of undocumented and unexamined shadow systems may lead to non-compliance with the standard. In the event of an audit or incident, this may lead to fines and damage to reputation. Contractual aspects also enter here: the organization may have contracts with customers that obligate it to enforce certain security measures. If in practice customer information flowed through an unsecured channel (Shadow IT), the organization is exposed to contractual claims.

Finally, the intellectual property issue: when employees use external tools, the question arises who owns the content. For example, an employee who shares a company's source code on a private GitHub account, or uploads a graphic design to a free editing platform – it is possible that under the terms of use of that platform he actually granted third-party usage rights to the content. Such cases, although not common, may legally complicate the ownership of the organization's developments.

  4. Lack of Managerial Control, Duplications and Hidden Costs:

Beyond security and law, Shadow IT damages the organization's technological governance and control. IT departments are required to provide a reliable, efficient and cost-effective infrastructure, but when independent tools sprout in every corner, it is difficult to obtain a complete picture of the technology landscape. For example, an organization may discover retroactively that it pays twice for two similar tools from two different departments, each holding a small number of licenses. A study published by Capterra in 2022 estimated that companies waste an average of over 40 thousand dollars a year on SaaS applications that are in the shadows and are not used or overlap with official tools. These hidden costs also include loss of efficiency: different employees may work on different platforms without the ability to share information easily. In an example described by a technology manager in a multinational company, it turned out that over time three geographical regions in the organization adopted three different file sharing platforms - Europe used one, North America a second, and Asia a third. The result was a lack of uniformity, difficulty in updating important organizational documents (an update made in one system was not propagated to the others), and even loss of access to materials when an employee left and there was no orderly process for transferring ownership. Such a situation creates an inefficient operational environment and burdens collaboration.

In addition, Shadow IT damages IT's ability to support and assist: when an employee uses a tool that no one in IT knows about, he will not receive technical support if the tool crashes or if he needs integration between it and other systems. This may cause delays in work and frustration when a Shadow IT tool fails. Integration between systems is also a challenge – official systems are usually chosen to integrate with each other (for example, a CRM system that interfaces with the invoicing system). But shadow tools are not necessarily compatible, which may cause manual double data entry, human errors, and information gaps.

In the broader managerial aspect, the spread of Shadow IT may undermine the role of the IT department and lead to "managed chaos". Managers fear, rightly so, that without central control, organizational standards will be harmed. A survey among CIOs found that their biggest concerns from Shadow IT are damage to data security (75% noted this), risk to infrastructure security (73%), damage to system performance (71%) and resource duplications between departments (70%). Moreover, 58% of senior technology managers feared that the Shadow IT trend could make the CIO role obsolete or unnecessary, in the sense that business units will manage the technology themselves and IT will lose its authority. Although this fear is not necessarily realized (on the contrary, in many places CIOs have become strategic partners and formulated new ways to control Shadow IT), it teaches about the managerial implication: Shadow IT requires redefinition of the roles of IT and control in the organization.

  5. Opportunities vs. Risks (Cultural Aspect):

It should be noted that alongside the negative implications, some organizations also identify advantages that grow from the Shadow IT phenomenon. Employees who take the initiative to improve their work signal a real need that in many cases management was not aware of. Thus, Shadow IT may serve as a "hothouse" for innovation: a tool that proves itself as a shadow tool – for example, a team that adopts an innovative BI solution to accelerate data analysis - can later become a candidate for cross-organizational implementation by the IT department. In fact, 77% of IT personnel surveyed said that they see benefit in the organization adopting some of the Shadow IT tools, because they improve efficiency and increase user satisfaction. This approach reflects a cultural change: instead of treating Shadow IT as an enemy, seeing it as an opportunity to learn from the field what solutions employees really need. Of course, this is provided that they can be adopted in a controlled and secure manner.

After we reviewed the implications and risks, the question arises how organizations can and should respond. Is the solution a heavy hand and blanket prohibition, or a more flexible approach? In the next part we will discuss the organizational response options – from enforcement and restrictions policy, through education and training programs, to cultural adaptations such as BYOD policy, monitoring and technological flexibility.

Organizational Ways of Dealing with Shadow IT: Enforcement, Training, BYOD and Monitoring

Dealing with Shadow IT poses a dilemma: **on the one hand**, an organization must protect its assets, comply with procedures and maintain technological order; **on the other hand**, overly rigid prohibitions may harm productivity and innovation, and even push the phenomenon deeper into "the darkness" instead of eradicating it. Therefore, organizations adopt a combination of approaches – some strict and policing in nature, and others flexible and educational. The main ways:

  • Policy and Technological Enforcement (Blocking and Control):

The most direct way is setting a clear policy against unauthorized use of tools, and backing it up with technological means. Many organizations implement restrictions at the network and systems level: blocking access to popular cloud service sites (for example, preventing access to Gmail or Dropbox from the company network), locking the option to install new software on company computers, or not opening certain ports in the firewall. This approach can significantly reduce Shadow IT incidents – for example, if the employee cannot browse to an external storage site from the office computer, it will be difficult for him to use it at work. However, aggressive technological enforcement may harm employees' work: it may block legitimate uses as well (for example, a consultant who comes to the company and wants to present a presentation from Google Drive) and create resentment. Also, employees find ways to bypass – for example, using the personal mobile phone (on the cellular network) to send files when the organizational network is blocked. That is, technical blocking alone does not eliminate the need, and sometimes even transfers the problem to another level that is harder to monitor.

  • Monitoring and Proactive Detection (Identifying Shadow IT in Action):

Instead of (or in addition to) blanket blocks, leading organizations today adopt CASB (Cloud Access Security Broker) technologies and dedicated network monitoring systems, whose purpose is to identify unusual traffic and activity that suggests use of unapproved tools. Such systems monitor, for example, outgoing traffic to cloud sites, use of unknown Web applications, or installation of unapproved software on endpoints. In the report quoted earlier, 64% of technology managers noted that they plan or are considering deploying special tools for SaaS and Shadow IT management in order to cope with the expansion in the use of applications without supervision [3]. This approach allows discovering what is already happening in practice in the organization - for example, receiving a list of all cloud services that employees use along with traffic volume. Such information is vital in order to focus security efforts and treatment: the organization can determine which external tools are relatively common and in which department, and manage risks accordingly (a risk-based approach). For example, if it is discovered that the entire marketing department uses an external analytics tool extensively, it is possible to consider approving it retroactively in an official manner while implementing controls, instead of trying to block it completely - which most likely will not succeed. Effective proactive monitoring requires both technical methods (checking logs, scanning networks for unauthorized Wi-Fi, etc.) and active involvement of security teams (for example, *user investigation* when unusual activity is identified in order to find out whether it is a Shadow IT tool).
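The discovery step described above (which cloud services are in use, by which department, and with how much traffic) as an added example that is not part of the original article or of any CASB product. It assumes a constructed proxy export format (`timestamp user department destination_host bytes_sent`), a constructed hostname catalogue, and a constructed approved-tool list; it also goes one step further than the text by flagging shadow tools that duplicate an already approved tool in the same category, which is the input the "controlled adoption" discussion later on needs.

```python
"""Shadow IT discovery from outbound proxy logs (added example, not from the article)."""
from __future__ import annotations

# Constructed catalogue of SaaS hostnames -> (service, category).
# A real CASB ships a far larger catalogue; these entries are illustrative only.
CATALOG = {
    "drive.google.com": ("Google Drive", "file-sharing"),
    "dropbox.com": ("Dropbox", "file-sharing"),
    "wetransfer.com": ("WeTransfer", "file-sharing"),
    "mail.google.com": ("Gmail", "email"),
    "web.whatsapp.com": ("WhatsApp Web", "messaging"),
    "slack.com": ("Slack", "messaging"),
    "sharepoint.example-corp.com": ("SharePoint", "file-sharing"),
}

# Constructed list of tools officially approved by the IT department.
APPROVED = {"SharePoint", "Slack"}

# Constructed proxy export: timestamp user department destination_host bytes_sent
SAMPLE_LOG = """\
2024-03-04T09:01:10Z alice marketing dropbox.com 5242880
2024-03-04T09:03:44Z bob marketing www.dropbox.com 1048576
2024-03-04T09:05:02Z carol finance drive.google.com 20971520
2024-03-04T09:06:30Z dave finance sharepoint.example-corp.com 3145728
2024-03-04T09:07:51Z erin rnd web.whatsapp.com 65536
2024-03-04T09:09:15Z frank rnd slack.com 131072
2024-03-04T09:10:00Z alice marketing wetransfer.com 734003200
2024-03-04T09:11:27Z gina sales unknown-tool.example.net 4096
"""


def lookup_service(host: str, catalog: dict = CATALOG) -> tuple[str, str]:
    """Match the host, or any parent domain of it, against the catalogue.

    Hosts that match nothing are still reported (as 'uncatalogued:<host>'):
    an unknown destination is exactly what a user investigation should look at.
    """
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        key = ".".join(labels[i:])
        if key in catalog:
            return catalog[key]
    return ("uncatalogued:" + host.lower(), "unknown")


def discover_shadow_it(log_text: str, catalog: dict = CATALOG, approved: set = APPROVED) -> dict:
    """Aggregate outbound traffic per unapproved service and department.

    Returns {service: {"category": str,
                       "departments": {dept: {"users": set[str], "bytes": int}}}}.
    """
    findings: dict = {}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, user, dept, host, sent = line.split()
        service, category = lookup_service(host, catalog)
        if service in approved:
            continue  # sanctioned tool: not Shadow IT
        entry = findings.setdefault(service, {"category": category, "departments": {}})
        dept_entry = entry["departments"].setdefault(dept, {"users": set(), "bytes": 0})
        dept_entry["users"].add(user)
        dept_entry["bytes"] += int(sent)
    return findings


def rank_by_volume(findings: dict) -> list[tuple[str, int]]:
    """Order shadow services by total bytes sent, largest leakage surface first."""
    totals = {svc: sum(d["bytes"] for d in f["departments"].values()) for svc, f in findings.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def category_overlaps(findings: dict, catalog: dict = CATALOG, approved: set = APPROVED) -> dict:
    """Shadow services that duplicate an approved tool of the same category.

    These are the natural candidates for consolidation or controlled adoption
    (an approved alternative already exists) rather than for blanket blocking.
    """
    approved_categories = {cat for svc, cat in catalog.values() if svc in approved}
    return {svc: f["category"] for svc, f in findings.items() if f["category"] in approved_categories}


if __name__ == "__main__":
    found = discover_shadow_it(SAMPLE_LOG)
    for service, total in rank_by_volume(found):
        depts = ", ".join(f"{d} ({len(v['users'])} users)" for d, v in found[service]["departments"].items())
        print(f"{service:40s} {total:>12d} bytes  {depts}")
    print("overlaps with approved tools:", category_overlaps(found))
```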

  • BYOD Policy and Information Separation:

The issue of BYOD (Bring Your Own Device) is closely related to Shadow IT. If an organization allows employees to use personal smartphones/laptops for their work, it must set a clear policy on what is allowed on those devices. A common solution is using MDM (Mobile Device Management) or EMM (Enterprise Mobility Management) tools that are installed on the personal device and create separation between the work space and the private space. Thus the organization can control, to some extent, the applications used in the work space on the private device. For example, a company can require that any access to organizational email on the phone be done only through a secure managed application, and not through the user's general email application. BYOD policy should be balanced: overly severe restrictions will harm the employee's convenience in using his device, but too much flexibility will turn every personal device into a back door. Therefore, many companies adopt BYOD together with an Acceptable Use policy - a list of rules regarding the use of personal devices (for example, an obligation to report if a device is lost, a prohibition on storing sensitive data locally, and so on). Bottom line, BYOD is an existing fact in organizations, and coping with it is an important part of reducing Shadow IT risks, because most Shadow IT is done through personal devices or mobile applications.

  • Employee Training and Awareness Raising (Education & Training):

A key and complementary measure to enforcement is educating the users. Many employees turn to Shadow IT tools in good faith, without understanding the implications. Therefore, IT and information security departments invest in explanation: dedicated training that explains what Shadow IT is, why it is dangerous, and what alternatives and procedures exist. Employees need to understand, for example, that if they share a sensitive file in a private Google Drive – no one supervises who else will get access, how the file is secured, and whether there will be any audit trail of the matter. They must know that if they install software without approval – it may contain malware or may conflict with other systems. Creating a culture of awareness is critical, because as we saw, much of the damage stems from a lack of knowledge or a flawed risk assessment by employees. Security awareness programs in advanced organizations today also include the Shadow IT topic, but surprisingly, a survey conducted by an IT management company found that about a quarter of organizations do not cover Shadow IT behaviors in their training policy at all [8]. This is a gap that requires correction - inclusion of scenarios and discussions on Shadow IT in training (including bringing concrete examples from the organization itself, if possible, to illustrate the risk). Part of the educational approach includes encouraging employees to cooperate: fostering an atmosphere in which an employee who encounters a technological need feels comfortable contacting the IT department with a request for a solution (instead of immediately searching independently). In addition, it is important to clarify that if someone has used an external tool so far and wants to transfer the data from it to an official tool – there will be no "punishment" but assistance. Employees need to feel that the IT team is a partner and not just a policeman, so that they develop transparency instead of hiding.

  • Flexibility and Alternative Solutions ("Controlled Adoption" and Bridging the Gap):

Another way to cope is providing employees with satisfactory solutions within the official framework, so that they do not feel the need to turn outside. This can manifest, for example, in creating an "organizational application store" – a portal in which the IT department offers a wide variety of approved tools that employees can choose and install according to their needs. If the variety is wide, the likelihood that the employee will say "I have no solution so I will go bring a tool of my own" decreases. Likewise, it is appropriate to implement fast approval processes for new tools: instead of a committee that meets once a quarter, allow an accelerated track in which an employee or team can request to approve use of application X, where the IT performs a rapid risk assessment (say, within a week) and gives an answer - perhaps temporary approval under certain conditions. Such a process shows employees that the organization *listens to their needs*, and curbs the frustration that causes bypassing the rules.

In parallel, many organizations adopt a "controlled adoption" approach to Shadow IT tools, that is, identifying common and useful tools and officially implementing them while imposing security controls. This approach allows enjoying the benefits (such as improving productivity) while reducing the risks. For example, if a marketing team uses an external analytics tool that has proven itself, it is possible to examine it, perform security checks, and turn it into an approved tool available to everyone. Thus, instead of fighting the phenomenon, the organization turns it into a controlled growth engine.

Summary and Conclusions

Shadow IT is not just an isolated bug that needs to be fixed - it is an ongoing reality in the modern organizational world, born from the heart of the tension between the need for innovation and agility and the requirements for control and technological discipline. In this article we extensively examined the Shadow IT phenomenon from different angles: we defined it as the use of technological systems and tools without IT approval, and pointed out the direct connection to the transition to hybrid and cloud work. In the literature review we found that this is a very common phenomenon - most organizations experience it to one degree or another, both in the world and in Israel, despite the rise in awareness. We saw many examples, from daily use of Gmail and WhatsApp to cross-organizational projects "under the radar". We analyzed the motives – from unmet business needs, through pressure to achieve results quickly, to an organizational culture that values initiative or, alternatively, does not clarify its rules. We compared trends in different countries, and found that in Asia the tendency to Shadow IT is the highest, while Europe and North America are slightly more restrained (though definitely not immune). We discussed in depth the implications: security and privacy risks, legal and regulatory exposures, loss of managerial control, duplications and hidden costs, and even possible damage to the roles of IT themselves - but also opportunities for organizational innovation.

In the practical part of the discussion, we reviewed possible organizational responses: we learned that there is no single magic solution, but a combination of technical enforcement (blocks, monitoring) with education and cultural efforts is required, while providing flexible response to employees' needs (managed BYOD, controlled permissions for new tools). We described the key roles - the CIO as a balancer between technology and business, the CISO as the gatekeeper for security, the management that sets the tone and the board that ensures governance. Finally, we formulated a detailed managerial strategy that includes thorough mapping and discovery, setting clear policy and approval process, strengthening official IT tools, ongoing monitoring, employee training, graduated enforcement and continuous improvement. This strategy is designed to significantly reduce the risks while maintaining an efficient and innovative work environment.

The central conclusion emerging from all that has been said is that the goal is not to "eliminate" Shadow IT completely - a task that is probably not entirely possible - but to manage it wisely. An organization that recognizes the phenomenon, measures it and learns from it, will be able to turn it into an opportunity for improvement. Instead of seeing every employee who uses an external tool as a criminal, it is better to see it as important feedback: perhaps this is a sign that something is missing or not working properly in the existing infrastructure. This inclusive approach, alongside taking firm steps where necessary (when the risk is high), will position the organization as both "attentive and secure".

At the end of the day, managers need to adopt a number of practical recommendations:

  • Regular measurement and control:

Implement tools and processes for continuous monitoring of unauthorized IT uses, and present periodic reports to management to keep the issue on the agenda [2].

  • Upgrading the user experience in IT tools:

Identify and fix weaknesses in the internal technological offering so that fewer employees feel the need to "escape" to external solutions [2].

  • Outlining a culture of shared responsibility:

Communicate clearly that every employee is a partner in information security and that he is expected to report and consult when there is a need for a new tool, instead of acting alone.

  • Implementation of Zero Trust principles:

Assume that every system, internal or external, may be breached if it is not managed – and build the protections accordingly, including strong identity verification for any access to sensitive information, even if it occurs from a non-standard device or application [4].

  • Ongoing senior management involvement:

The Shadow IT issue needs strong sponsorship from above. When employees know that management takes it seriously - they will take it seriously. A board of directors that demands reporting on the issue signals that it is an integral part of overall risk management.

In accordance with these recommendations, managers can turn the challenge into a path to strengthening the organization: to narrow the trust gap between front-line employees and the IT department, to better protect the digital assets, and at the same time to encourage innovation in a controlled framework. Shadow IT is here to stay, but with a proactive and wise approach - it is possible to illuminate the "shadows" and integrate them into the managerial spotlight for the benefit of the entire organization.

References

  1. Sheffield University (Pressbooks, 2022) - "Workarounds and Shadow IT". Chapter from an academic book reviewing the concept of Shadow IT and its differences from "bypass solutions" (workarounds). Includes the definition of the term (Rentrop & Zimmermann 2012) and notes that ~80% of employees use some Shadow IT application; https://sheffield.pressbooks.pub/workarounds/chapter/workarounds-in-it-system-and-software-development
  2. Zluri - "Shadow IT Statistics: Key Facts to Learn in 2024"; https://www.zluri.com/blog/shadow-it-statistics-key-facts-to-learn-in-2024
  3. IT News (Meir Eshet, 2022) - "New research by Torii reveals: 69% of technology managers admit that the Shadow IT phenomenon is at the top of their information security concerns". Report on a Pulse survey among 100 technology managers at the end of 2021: 69% of them placed Shadow IT as a primary security concern, 52% noted that employees purchase SaaS applications independently; https://itnews.co.il/headlines/cyber/?p=37884
  4. TechTarget (SearchCIO) - "14 tips for CIOs managing shadow IT activities"; https://www.techtarget.com/searchcio/tip/14-tips-for-CIOs-managing-shadow-IT-activities
  5. KnowBe4 - Quarterly Report, Q1 2022; https://www.knowbe4.com/hubfs/Quarterly_Report_Q1_2022%20(2).pdf
  6. Geektime - "US House of Representatives bans WhatsApp on staffers' phones"; https://www.geektime.co.il/us-house-of-representatives-bans-whatsapp-on-staffers-phones
  7. ACS Information Age (2022) - "The shadow IT problem"; https://ia.acs.org.au/article/2022/the-shadow-it-problem.html
  8. Auvik - "50 Shadow IT Statistics for 2024" (2023) - Article summarizing data from various sources: for example 39% of young users are unaware of security policy and 31% of them tried to bypass security procedures; https://www.auvik.com/franklyit/blog/shadow-it-stats