Why Shadow IT Prevails for UK SMEs
Fuelled by hybrid working models, easy access to cloud services, and the evolution of AI, shadow IT continues to be a pressing issue for UK organisations. Today, business users demand access anywhere at any time using multiple devices, while they expect their confidentiality, integrity and availability to be preserved as if they were in the office.
For those less familiar, shadow IT is the unsanctioned use of an unapproved tool to access, store or share corporate data, or when an employee accesses an approved tool in an unauthorised way. To compound the issue, the recent explosive popularity of generative AI applications like ChatGPT has led to an additional rise in 'shadow AI', which is the unsanctioned use of artificial intelligence.
Employees adopt shadow IT for their convenience and productivity. Often, they feel they can work more efficiently or effectively using their personal devices and preferred software, instead of the company's sanctioned IT resources. However, with resource-stretched IT departments, skills shortages, and increased costs, it's not always easy for IT teams to quickly onboard new solutions, leading to increased shadow IT usage.
Nonetheless, blocking access to applications and tools isn't the answer, as this only encourages employees to adopt more shadow IT and unauthorised, insecure solutions.
The impact of shadow IT on data security
Our recent small to medium-sized enterprise (SME) IT Trends report revealed that SMEs are very concerned about the impact of shadow IT on data security. Shadow IT enlarges attack surfaces, with IT admins understandably hungry to gain greater control and visibility over their IT environment. Eighty-five per cent of UK respondents surveyed said they are concerned about applications or resources managed outside of IT, with a third "very concerned".
Furthermore, over a third of respondents say that they have more important priorities than addressing shadow IT, with 28% admitting that business users move too fast. Unfortunately, almost one-third (31%) of IT admins surveyed said they don't have the ability, the skills, or the resources to discover all unauthorised applications.
Employees just want to get the job done
Shadow IT continues to be a problem because employees feel the pressure to move faster than IT departments can cope with. But shadow IT is less nefarious than once thought. It's not about being defiant or obstructive. Most of the time, employees just want to get work done quickly.
In today's highly competitive landscape, employees and business leaders need technology that will enable them to meet KPIs, achieve sales goals, and address customer demands. As a result, they lean on unapproved software solutions that they prefer to use to do their everyday tasks.
But the stark reality is that shadow IT costs businesses a lot of money. From out-of-control IT spending and duplicate licences to security breaches and data security vulnerabilities, ignoring IT protocol can lead to excessive waste and increased risk.
Our survey found that UK SMEs are being targeted by bad actors, with 44% saying they've been a victim of a cybersecurity attack. Nearly two-thirds (60%) of UK SMEs claim they have had multiple attacks in 2024. Phishing was cited as the main cause of these attacks, closely followed by shadow IT. Nearly half claimed they lacked the resources to protect against such attacks.
There are very few benefits to shadow IT. Despite growing concerns and the need to tighten up the adoption of unauthorised technology, shadow IT is still prevalent, with drawbacks clear:
- Data is being stored in locations that the business does not know about.
- Applications are being used that haven't been vetted for security, privacy, and compliance.
- Data can be lost or stolen more easily.
- The risks of downloading malicious applications are high.
- Because there is no professional IT support, the risks of mistakes and errors that lead to data loss are significantly higher.
Growing complexity compounds shadow IT
Without a doubt, the IT landscape is becoming more complex. UK respondents in our survey said that the number of tools used to manage the employee lifecycle was continuing to increase. Our research indicated that 46% of UK SMEs are managing anywhere between five to 10 tools, a 14% increase from our last report.
Furthermore, 17% are managing between 11 and 15 tools. This means that resource-stretched IT teams are struggling to manage authorised tools, let alone unauthorised tools. This is where the vast majority (81%) felt that a single centralised solution for identity, access, and security versus many-point solutions would be extremely beneficial.
Looking ahead, Gartner predicts that by 2027, 75% of employees will use technology outside of IT oversight. Therefore, what practical steps can IT departments adopt to combat shadow IT?
Combating shadow IT
They first need to understand where shadow IT already exists in their organisation. This will not only help to guard against it, but it can indicate where the organisation could improve its processes, technology, or employee experience. Employee surveys are a great place to start identifying shadow IT and improving technology to maintain organisational alignment with best practices.
It might sound obvious, but it is important to provide easy access to the resources employees need, regardless of whether they're office-based, hybrid, or fully remote. Other aspects to consider include:
- Utilise operating systems that employees are comfortable with.
- Mobile device management (MDM) tools that facilitate bring your own device (BYOD) or are platform-agnostic allow employees to work with the platforms they're comfortable with.
- Prioritise UX with user-friendly tools. For those less user-friendly tools, implement sufficient employee training.
- Facilitate agility by providing compatible integrations. Get tools to work together rather than forcing employees to work in technology silos.
- Streamline user account management, avoid password fatigue, and deliver a better employee experience with single sign-on (SSO). This requires employees to remember just one username and password combination.
Shadow IT is not going to disappear any time soon, so organisations should establish a strategy to manage and control it by supporting employees with authorised tools and processes that streamline and secure technology access.