Research for this article triggered childhood memories of the epic cult series the Twilight Zone and the dark ominous and almost demonic voice speaking to a young boy saying, "I am the Shadow Man.and I will never harm the one under whose bed I live".

Like the Shadow Man, shadow IT represents a menace that should strike fear into company leaders. Like the boy, too many organisations have a false sense of security when it comes to shadow IT, thinking that the organisation could never be harmed by it, and worse, too many organisation leaders are not even cognisant of the shadow IT malice that lurks in organisations.

However, with training and awareness in place, you can easily deal with the multiple threats and risks posed by shadow IT to your organisation, and avoid the nastiness that comes with Shadow IT adoption. Some policies may include an acceptable use policy, work from home policy, bring your own device policy and also a legal risk acceptance policy.

At its most basic, shadow IT refers to the use of information technology systems, devices, software, applications, and services without explicit IT department or company leadership approval. Some common examples of shadow IT applications may include DropBox or Mailchimp, and there are a myriad of third-party software-as-a-service (SaaS) applications used by staff across companies for various purposes. With the lockdown in place and work-from-home being the norm, the rise of shadow IT has become all the more prevalent as staff working from home face new challenges, such as signing documents digitally or transmitting large amounts of files.

Another challenge of working from home is that staff are able to work on devices that are not subjected to real-time monitoring by IT departments. This problem is exacerbated by the downloading and use of "free" applications, with staff members not taking the time to read the terms of use, that often provide, that while such application is free to use, this is limited to personal home use only and does not extend to commercial use.

While proponents of shadow IT cite certain benefits attached to the adoption of shadow IT by organisations, this is a false sense of security given just how risky shadow IT can be. Some of the consequences and implications of shadow IT in organisations include:

  • IT governance: ideally, boards are required to ensure that the organisation adopts sound information governance and sound technology governance when running the organisation. Shadow IT directly undermines and contradicts such efforts, placing directors at risk.
  • contractual risk: staff often click on the "I Accept" button all too readily without any legal review, consideration or vetting. This results in the organisation and, in some instances, the staff member being bound to contracts which neither would otherwise have signed.
  • audit risk: IT companies often conduct audits for use of their products and services by companies. When staff download free applications, the consequence to the organisation is that use of such applications for commercial or business purposes means that a retrospective licence fee will likely be payable if the organisation is audited (sometimes coupled with interest, penalties and the threat of litigation and reputational exposure. Given how technology has progressed, an organisation need not be an existing customer of the IT company to be subject to such an audit. We have seen a number of clients being financially penalised due to such "free" use, with payments sometimes running into millions of rands.
  • data security: shadow IT is a cybersecurity nightmare, as applications have not been vetted for security and may contain malware, viruses, etc. They can also create vulnerabilities in the systems which could give rise to data breaches.
  • data privacy compliance: data security and privacy compliance are closely related. Shadow IT means that personal information for which the company is the responsible party of is processed on unapproved systems and processing may be taking place contrary to legal requirements such as those imposed by the Protection of Personal Information Act, 2013 ("POPIA").
  • integration and collaboration: the lack of integration with shadow IT applications and company systems often leads to inefficiencies which in turn result in cost escalation. It also creates an environment where staff do not work in a collaborative manner.
  • loss of productivity and increased costs: the use of non-supported applications requires that the user solve any technical issues that arise by themselves, which in turn affects both productivity and in some instances (e.g. where employees are paid by the hour or entitled to overtime pay) will result in added costs.

It would not hurt company leaders to have a quick peek so as to reassure themselves that the menace posed by shadow IT to an organisation is managed and mitigated.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.