
How to mitigate shadow IT risks: 3 strategies to consider

Article, Feb. 19, 2025
By: Kayla Broussard and Chad Petersen

Successfully managing the true scope of the IT estate today involves grappling with shadow IT—the use of unapproved technology by employees—and the murky subsection within corporate IT this creates, also known as “the dark IT estate.”

Shadow IT is not a new threat. However, with the increasing accessibility to and use of AI and generative AI tools, the nature of this threat has evolved, adding a new layer of complexity to the already dizzying state of IT risk.

In a 2024 Kyndryl IT readiness research survey of 3,200 business executives, 61% of respondents stated that their companies’ IT infrastructure is unprepared to manage future risks. And respondents to a joint Kyndryl and AWS report titled “Cyber Gauge 2024: Navigating the complex cybersecurity landscape” indicated that 54% of large organizations had experienced cyberattacks over the last 12 months.

These results suggest that many enterprises could benefit by adopting preemptive measures against emerging IT risks now. Read on to learn about the effects of shadow IT sprawl—and proactive steps that your team can take to understand how to mitigate the risks.

What are the consequences of shadow IT?

Here are a few examples of how the dark IT estate may already negatively impact your organization's cyber resilience:

  • Data Breaches: Unauthorized or unsecured IT systems can expose sensitive data to hackers, malware or insider threats. Data breaches can result in financial losses, reputational damage, legal liabilities and regulatory penalties.
  • Network issues: Unmanaged IT systems can consume bandwidth, create bottlenecks or interfere with other network activity. Network issues can affect the availability, reliability and quality of service of the organization’s IT infrastructure.
  • Cost inefficiencies: Shadow IT can lead to duplication, waste, underutilization or overutilization of IT resources. Cost inefficiencies can reduce the return on investment and the value of the organization’s IT assets.
  • Compliance violations: Shadow IT can violate the organization’s internal or external compliance requirements, such as data protection, privacy, security or industry standards. Compliance violations can result in fines, sanctions, audits or legal actions.
  • Governance challenges: Shadow IT can undermine the organization’s IT governance framework, such as policies, procedures, roles and responsibilities. Governance challenges can create confusion, conflict or misalignment among IT stakeholders.

Action plan to combat shadow IT

First, it may be helpful to consider why employees are turning to tech outside of the company stack. For example, some employees may find the organization’s approved tools and IT solutions too slow. Others may be frustrated with the complexity or difficulty of certain tools and feel they haven’t received sufficient training to use these tools properly.

Evaluating the potential root causes of shadow IT use at your company can help your team focus efforts to prevent or mitigate the associated risks. This in turn will increase the overall visibility and control of your organization’s IT estate.

Three key strategies for exploring and addressing the reasons for shadow IT use are:

1. Measure, monitor and track

What to do:

  • Conduct regular audits and assessments of the IT systems, applications, devices and services used within the organization.
  • Employ machine learning tools to generate real-time insights and increase visibility across the IT estate.
  • Implement a centralized IT management platform to monitor, track and report on the IT assets, activities and performance.

What not to do:

  • Accumulate too many tools and applications. This can lead to overlapping functions, use cases or purposes—all of which require maintenance.
  • Establish overly intrusive monitoring that may invade employee privacy or engender a culture of mistrust.
  • Ignore user needs: a significant portion of shadow IT results from inadequate IT solutions.

Why it’s worth it:

  • Continuous tracking can help organizations identify potential risks early, thereby allowing proactive measures to mitigate shadow IT sprawl. Plus, anything that strengthens informed decision-making is always a good thing.

How to tell it’s working:

  • Increased accountability and motivation. You should see stronger stakeholder engagement at many levels. Perhaps most importantly, it can give your team validation that the strategy is working.

2. Establish and enforce standards and controls

What to do:

  • Establish clear and consistent IT policies and standards that define the authorized and unauthorized IT systems, applications, devices and services.
  • Enforce strict IT security measures and controls that can detect, prevent or respond to any unauthorized or suspicious IT incidents.

What not to do:

  • Update policies without communicating change.
  • Have a short-term focus. Shadow IT management requires continuous improvement and long-term strategies.

Why it’s worth it:

  • Standards and controls help to ensure uniformity in processes and services, which can lead to predictable outcomes, resource optimization and performance improvement. Standards and controls also make it harder for shadow IT to enter your IT environment.

How to tell it’s working:

  • A boost in confidence and trust. Solid standards and controls enable continuous improvement, which can ultimately give your organization a competitive edge.
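As an added illustration of strategies 1 and 2 together (this is example code, not from the article or from Kyndryl): a small Python pass over a proxy log that treats the list of authorized hosts as the standard from strategy 2 and reports traffic to hosts outside it, the kind of audit strategy 1 asks for. It aggregates per host and keeps only counts of distinct users, never identities, in keeping with the caution above about overly intrusive monitoring. The log format, host names, user pseudonyms and the sanctioned list are all constructed assumptions for the demonstration.

```python
"""Shadow-IT discovery over a proxy log excerpt.

Added example with constructed data (not the article's or Kyndryl's code).
Assumed log fields, space separated: timestamp, pseudonymous user id, HTTP
method, URL, status code, bytes transferred.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy list: the hosts the organization has authorized
# (strategy 2). Any sub-host of an entry also counts as sanctioned.
SANCTIONED_HOSTS = {
    "sharepoint.example.com": "approved file sharing",
    "mail.example.com": "corporate mail",
    "crm.example-vendor.com": "approved CRM",
}

# Constructed proxy log excerpt; the user column is already a pseudonym.
SAMPLE_LOG = """\
2025-02-19T09:01:12Z u1a2 GET https://sharepoint.example.com/sites/finance 200 5120
2025-02-19T09:02:45Z u1a2 POST https://ai-chat.example.net/api/chat 200 2048
2025-02-19T09:03:10Z 7b3c POST https://ai-chat.example.net/api/chat 200 4096
2025-02-19T09:04:00Z 7b3c GET https://mail.example.com/inbox 200 1024
2025-02-19T09:05:31Z 9d4e PUT https://file-drop.example.org/upload 201 1048576
2025-02-19T09:06:02Z u1a2 GET https://crm.example-vendor.com/leads 200 800
2025-02-19T09:07:15Z 9d4e POST https://ai-chat.example.net/api/chat 200 1500
this line is malformed and must be skipped
"""


@dataclass
class HostStats:
    requests: int = 0
    users: set = field(default_factory=set)
    upload_bytes: int = 0  # bytes sent via POST/PUT: a data-exposure signal


def parse_proxy_line(line):
    """Return a record dict for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, status, nbytes = parts
    host = urlsplit(url).hostname
    if not host or not nbytes.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host.lower(), "status": status, "bytes": int(nbytes)}


def is_sanctioned(host, sanctioned=SANCTIONED_HOSTS):
    """Exact match or sub-host of an authorized entry."""
    return any(host == s or host.endswith("." + s) for s in sanctioned)


def shadow_it_report(log_text, sanctioned=SANCTIONED_HOSTS, min_users=1):
    """Aggregate unsanctioned hosts.

    Only the number of distinct users is kept, never who they are, so the
    report supports a policy conversation rather than per-employee surveillance.
    """
    stats = defaultdict(HostStats)
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or is_sanctioned(rec["host"], sanctioned):
            continue
        s = stats[rec["host"]]
        s.requests += 1
        s.users.add(rec["user"])
        if rec["method"] in ("POST", "PUT"):
            s.upload_bytes += rec["bytes"]
    report = [
        {"host": h, "requests": s.requests,
         "distinct_users": len(s.users), "upload_bytes": s.upload_bytes}
        for h, s in stats.items() if len(s.users) >= min_users
    ]
    # Widest adoption first: those are the candidates for an approved equivalent.
    report.sort(key=lambda r: (-r["distinct_users"], -r["requests"], r["host"]))
    return report


if __name__ == "__main__":
    for row in shadow_it_report(SAMPLE_LOG):
        print(f"{row['host']:<24} requests={row['requests']:<3} "
              f"users={row['distinct_users']:<3} uploaded={row['upload_bytes']}")
```

The `min_users` threshold is the knob that turns this from a list of one-off visits into a picture of which unapproved services have real adoption; a host that several people reach for is usually a sign of an unmet need (the root cause the article points to) rather than a rogue individual, and the upload byte count flags where unsanctioned use could also be a data-exposure problem.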

3. Boost employee experience and education

What to do:

  • Educate and train the employees on the risks and consequences of shadow IT and the benefits and best practices of using the approved IT systems, applications, devices and services.
  • Engage and collaborate with employees to understand their IT needs, preferences and feedback and provide suitable and satisfying IT solutions.

What not to do:

  • Skip training and support.
  • Overlook the importance of excellent support for approved tools.
  • Assume that measuring and tracking alone mitigate risks.

Why it’s worth it:

How to tell it’s working:

  • A general sense of preparedness and resilience both in the day-to-day and during a cybersecurity event. A well-educated, knowledgeable and trained organization is better equipped to deal not just with the many challenges of IT in general, but also with shadow IT in particular.

The long view

The objective of combating your shadow IT risks should be to reduce risk by boosting visibility and control over your IT estate, while optimizing and improving the in-house employee IT experience. By taking a more proactive stance toward IT assets and their use, organizations can take real steps toward protecting their resources and, critically, maintaining trust with both internal and external stakeholders.

Kayla Broussard is a Distinguished Engineer and the CTO of the Consumer and Travel market at Kyndryl.

Chad Petersen is a Director, Enterprise Architecture at Kyndryl.