I can do this better.
Ok, so we've all been there. You're in a hurry and you need to get work done now. Your company has given you a set of application software and collaboration tools. But they are cumbersome and hard to use, or you just don't like them. Maybe in your previous workplace they used a different tool that was so much better. So, since you're on a deadline, you download that other tool, install it on your machine, and off you go. Maybe it's a cloud-based product that is available at no charge, so what harm could it bring? After all, you got your work done, you've made your deadline, all is right in the world.
My son in college just showed me this new thing called...
Everyone loves shiny new gadgets. Personal productivity tools especially are, well, a very personal thing. What one person likes another doesn't. It is very tempting to download and try a number of apps in our daily lives. Those applications can hold data that is confidential not only to you in your personal life but also to your employer, and if you are a business owner, to the whole of the business itself. By doing something as seemingly innocent as managing your to-do list you could inadvertently be leaking confidential data into an unknown cloud that may or may not be doing the necessary diligence to protect that data. Even worse, if it is a 'free' solution, your data may even be sold off to a third party or used for research.
Hey, IT Vendor - Your Job is to Protect My Business Data
Business owners almost universally would agree that when they bring in a partner to help with the care and feeding of their technology, what goes with that is an implicit trust that their data is being managed and protected in a standardized and compliant way. While some IT vendor contracts may specifically limit or attempt to clearly define their role in data management and protection, the bottom line is that business owners will have this expectation.
So this brings up a critical question:
If the employees in your business, or you as the business owner yourself, are utilizing applications, tools, or cloud services that your IT vendor is not aware of, what is your expectation of that IT vendor? Would you expect them to have technologies in place to detect when you or your employees are using cloud solutions that are not monitored, vetted, and controlled?
Have you ever heard of Shadow IT?
Shadow IT is exactly this. It is defined by our new friend ChatGPT as:
Shadow IT refers to technology, software, or systems used within an organization without explicit approval or knowledge of the IT department
I suppose some will read this thinking, "Well, who is the IT vendor anyway? What does it matter? I own the business. I'm in charge. The vendor is not in charge. I'm going to do what I want."
The issue is that you're paying money to the IT vendor to secure your environment and by utilizing shadow IT components (or allowing your employees to utilize shadow IT components) you are blasting a hole right through the heart of your cybersecurity posture.
Is this really a big deal?
To be clear, the risks of shadow IT actually can be pretty dire. These can include data breaches due to unmonitored storage or insecure transmission of data, a violation of compliance (e.g. HIPAA, etc.), a lack of any access controls or data loss prevention controls, and more. It may also cause you to be in violation of your own IT policies or the policies of a vendor or partner. You could also be in breach of your contract with your own clients!
A great example of this is when a key employee leaves your organization. You may have policies in place that lock them out of their corporate data so they cannot take it to a competitor, but if shadow IT tools are allowed to be used, that employee may already have copies of all that data in a location that you know nothing about.
Not least is the issue that your IT team will have no idea that this platform even exists. So when things go wrong, data is lost, or the platform needs support and attention, that critically expensive IT function will largely be powerless to assist. In addition, your contract with your IT vendor may specifically require that they manage the whole of your environment, so keeping them in the dark can remove any guarantees or protections and may even place you in breach.
Insurance
Remember that questionnaire your insurance company sent last year, where you told them you had all these great protections in place, like encryption, multi-factor authentication, etc.? Well, if you have an event or incident that involves data housed in a Shadow IT instance, it likely is not up to those protection standards. (Since your IT team didn't know about it, how could they secure it?) This can result in denied claims or other coverage impacts.
So what to do?
Controlling human behavior is always difficult. But as business owners we do our best to keep our companies' data protected. That said, there are a few items we can focus on as a way to minimize the use and impact of shadow IT:
Education
As part of your cyber security awareness training or other regular employee training, educate your staff on safe practices and on how to bring suggestions and ideas to the IT team, so that alternate tools and applications can be vetted for potential use. Often, too little feedback about problems with the current products makes its way back to the decision-maker. In a lot of cases, it comes down to education on how to use the product or how to modify workflows to make the products really shine. All of that takes work, and sometimes it's easier to change the product than to change the workflow.
Of course, the team should also be educated on the risks of using non-sanctioned products and tools.
Policies
Clear policies about the use of unapproved applications should be established. Ideally, this should be part of your acceptable use policy and should have an attached sanction policy, so that all employees understand the consequences of policy violations.
Prevention and Monitoring
Attempting to block all tools and applications that are not approved by the business is a very difficult task, simply because there are so many! That said there are some products in the market that do make a 'dent' so to speak, however there is a price tag to implementing these products.
Beyond blocking, an additional approach is to monitor usage. This can be done in a number of ways, ideally with a productivity monitoring tool that runs on each workstation. This tool would deliver statistical data showing what applications and services are being used on everyone's computer. It includes data about frequency and duration of use and, in some cases, even what data has gone through those applications. However, these monitoring products are, in some circles, deemed inappropriate or unethical, but that is something for you to decide.
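One way to review the usage data such monitoring collects, as an added example that is not part of the original post: this Python script reads constructed web-proxy log lines, drops requests to services the IT team already manages, and groups the rest by destination domain with the users involved and the bytes sent. The log format, the domain names and the sanctioned list are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: "<timestamp> <user> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
2024-05-01T09:02:11 alice GET https://mail.sanctioned-suite.example/inbox 512
2024-05-01T09:05:43 alice POST https://api.freenotes-app.example/v1/sync 20480
2024-05-01T09:06:02 bob   POST https://upload.freenotes-app.example/files 1048576
2024-05-01T09:10:19 carol GET https://docs.sanctioned-suite.example/d/123 2048
2024-05-01T09:12:55 bob   POST https://sync.shinydrive.example/put 5242880
this line is malformed and should be skipped
"""

# Services the IT team knows about and manages (assumed for this example).
SANCTIONED = {"sanctioned-suite.example", "corp-chat.example"}


def is_sanctioned(host, sanctioned):
    """True when host equals, or is a subdomain of, a sanctioned domain."""
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def find_unsanctioned(log_text, sanctioned):
    """Group traffic to unsanctioned destinations by domain.

    Returns {domain: {"users": set, "requests": int, "bytes_out": int}} so a
    reviewer can see who is using which unknown service and how much data leaves.
    """
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines instead of aborting the review
        _ts, user, _method, url, nbytes = parts
        host = urlsplit(url).hostname or ""
        if not host or is_sanctioned(host, sanctioned):
            continue
        domain = ".".join(host.split(".")[-2:])  # collapse subdomains
        entry = report[domain]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_out"] += int(nbytes)
    return dict(report)


if __name__ == "__main__":
    for domain, e in sorted(find_unsanctioned(SAMPLE_LOG, SANCTIONED).items()):
        print(f"{domain}: {e['requests']} requests, {e['bytes_out']} bytes out, "
              f"users={sorted(e['users'])}")
```

The two-label domain collapse is a simplification; a real review would use a public-suffix list so that hosts under shared suffixes are not lumped together.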
Ensure you have the tools you need
If there is a need in your organization for a particular tool or software product, make sure you have one that works and is properly implemented and supported. If you're using an antiquated product for something and it's causing all sorts of strife, replace it! There is no bigger reason for someone to use unsanctioned solutions than the current solution being substandard or just totally nonfunctional. Necessity is the mother of invention.
Where to go from here
Talk to your staff and talk to your IT team. Understand where the challenges are in your current application set and identify where some shadow IT may already exist. From there implement some of the tips above. If you'd like to discuss your particular situation, of course your IT partner should be able to help you down this path of protecting your company. If not, you can always chat with me by clicking the link below.
We are here for you
Have a technology issue or question? Wondering if your current IT is really working for you?
Set up a free, no-obligation 15 minute chat with Darren by clicking below.