The Shadow IT Problem Nobody Talks About

March 3, 2026

Six months ago, I discovered that a client's marketing team was using a file-sharing service I'd never heard of. They'd been using it for two years. It contained:

  • Customer contact lists
  • Campaign performance data
  • Budget spreadsheets
  • Strategic plans for the next quarter

Nobody in IT knew about it. It had never been through procurement. There was no security review. No data processing agreement. No backup plan.

When I asked the marketing manager about it, she said: "Oh, we needed to share large files and Dropbox was too slow. Someone recommended this. It's free and works great."

This is shadow IT—the technology solutions employees adopt without IT's knowledge or approval. And shadow IT security risks are one of the biggest unaddressed threats facing Australian businesses today.


The Scope of Shadow IT is Staggering

Research suggests that the average enterprise uses 1,000+ cloud services, but IT departments typically know about fewer than 100 of them.

Let that sink in. 90% of cloud services are unknown to IT.

In smaller businesses, the problem is often worse because there's no formal procurement process. Someone needs a tool, they find one online, they sign up with their work email, and they're off.

Common shadow IT culprits include:

  • File sharing (personal Dropbox, WeTransfer, random file transfer services)
  • Project management (Trello, Asana, Monday.com—often the free tier)
  • Communication (WhatsApp groups for work, Slack workspaces IT doesn't know about)
  • AI tools (ChatGPT, Claude, Copilot with personal accounts)
  • Analytics and reporting tools
  • Marketing automation platforms
  • CRMs (yes, entire CRMs running in parallel to the official one)

Each of these represents:

  • Data outside your control
  • Unknown security practices
  • Potential compliance violations
  • No backup or business continuity plan
  • Difficulty extracting data if the service shuts down

Why Employees Turn to Shadow IT

Before we talk about solutions, we need to understand the problem. Employees don't use shadow IT because they're trying to be difficult. They use it because:

The Official Tools Don't Work

Your corporate file share has a 50MB limit. They need to send a 200MB video file. What do they do?

The procurement process takes 6 weeks. They need something now. What do they do?

The approved project management tool requires a VPN. They're working from a client's office. What do they do?

In each case, the employee is solving a real problem with the tools available to them. The fact that the solution creates new risks isn't obvious to them.

They Don't Know Any Better

Most employees aren't security experts. They don't understand:

  • Why data residency matters
  • What a data processing agreement is
  • Why "free" services might be problematic
  • How data breaches happen

They see a tool that solves their problem. They use it. The end.

They're Trying to Be Productive

Here's the uncomfortable truth: shadow IT often makes people more productive. The unsanctioned tool is faster, easier, or more capable than the approved alternative.

When you shut down shadow IT without providing a better alternative, you're not just removing a risk. You're reducing productivity. And employees will resent you for it.


The Shadow IT Security Risks Nobody Talks About

Let's get specific about what can go wrong. Shadow IT security risks aren't theoretical—they're happening right now in businesses like yours.

Data Breach Through Third Parties

That file-sharing service your marketing team uses? It just got breached. Now your customer list is on the dark web.

You didn't even know you were using the service, so you couldn't assess its security. You didn't have a contract, so you have no recourse. You have no idea what data was exposed because you didn't know it was there.

Compliance Violations

If you're subject to:

  • Australian Privacy Principles
  • Notifiable Data Breach scheme
  • Industry-specific regulations (finance, healthcare)

Then storing data in unsanctioned services is potentially a compliance violation. And "we didn't know" isn't a valid defence.

Data Lock-In and Loss

The founder of that handy analytics tool your sales team uses decides to shut down the service. With 30 days' notice. And no data export feature.

Two years of sales data. Gone. Or trapped in a format you can't use.

This happens more often than you'd think. Free tiers get discontinued. Startups fail. Founders pivot. And your data goes with them.

AI Training Data Leakage

Your team is using ChatGPT to summarise meeting notes, draft emails, and analyse documents. They're copying confidential information into the chat window.

That data is being used to train OpenAI's models. It might appear in responses to other users. There's no way to get it back.

This is shadow AI, and it's the fastest-growing shadow IT category I've seen.


How to Discover Your Shadow IT

You can't manage what you don't know about. Here's how to shine a light on your shadow IT:

Method 1: Network Monitoring

Use tools that monitor network traffic for signs of cloud service usage:

  • CASB (Cloud Access Security Broker) solutions
  • DNS logging (look up DNS queries to known SaaS domains)
  • Proxy logs
  • Firewall logs

This will give you a list of services being accessed from your network. It's not perfect (it won't catch mobile usage or home-office work), but it's a start.
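As an added example that is not part of the original post, here is a small Python script that does the DNS-log triage described above: it collapses each queried name to the vendor's registrable domain, drops anything on the sanctioned list, and ranks what is left by how many distinct clients are asking for it. The log format, the sanctioned list, the partial SaaS catalogue and the sample log lines are all constructed for the demonstration; point parse_line at your resolver's real export format.

```python
"""Triage DNS query logs for SaaS use that IT has not sanctioned.

Added example, not the post author's code. It assumes one query per line as
"<timestamp> <client-ip> <queried-name>" (a constructed format; BIND, Pi-hole
and Windows DNS exports differ, so adapt parse_line). The sanctioned list, the
partial SaaS catalogue and the sample log are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed: registrable domains of tools procurement already knows about.
SANCTIONED = {"office365.com", "sharepoint.com", "zoom.us"}
# Constructed, partial catalogue covering the categories the post lists; real
# SaaS discovery relies on a vendor-maintained catalogue of thousands of domains.
SAAS_CATALOGUE = {
    "wetransfer.com": "file sharing", "dropbox.com": "file sharing",
    "trello.com": "project management", "asana.com": "project management",
    "whatsapp.com": "communication", "openai.com": "AI tools",
}
# Lookups that are never SaaS and only add noise (constructed; tune per network).
IGNORE_SUFFIXES = ("in-addr.arpa", "ip6.arpa", ".local", "windowsupdate.com")
COUNTRY_TLDS = {"au", "uk", "nz"}
CC_SECOND_LEVEL = {"com", "co", "net", "org", "edu", "gov"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<name>\S+)$")


def registrable_domain(name):
    """Collapse a hostname to the domain a vendor registers: the last two labels,
    or three for ccTLD forms such as example.com.au. A public-suffix list is more
    accurate; this heuristic is enough for triage."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) >= 3 and labels[-1] in COUNTRY_TLDS and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line):
    """Return (timestamp, client, name) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def triage(lines):
    """Aggregate unsanctioned domains and rank them by breadth of adoption.

    Distinct clients is the key signal: one host hammering a domain is one
    person's habit, ten hosts is a team that has adopted a tool."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "first_seen": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, name = parsed
        name = name.rstrip(".").lower()
        if name.endswith(IGNORE_SUFFIXES):
            continue
        domain = registrable_domain(name)
        if domain in SANCTIONED:
            continue
        entry = stats[domain]
        entry["queries"] += 1
        entry["clients"].add(client)
        entry["first_seen"] = entry["first_seen"] or ts
    report = [{"domain": d, "category": SAAS_CATALOGUE.get(d, "uncategorised"),
               "clients": len(e["clients"]), "queries": e["queries"],
               "first_seen": e["first_seen"]} for d, e in stats.items()]
    # Known SaaS first, then by distinct clients, then by volume.
    report.sort(key=lambda r: (r["category"] == "uncategorised", -r["clients"], -r["queries"]))
    return report


# Constructed sample: two marketing workstations and one sales laptop, one morning.
SAMPLE_LOG = """\
2026-03-02T08:01:12 10.0.4.21 outlook.office365.com
2026-03-02T08:03:45 10.0.4.21 wetransfer.com
2026-03-02T08:03:46 10.0.4.21 www.wetransfer.com
2026-03-02T08:10:02 10.0.4.37 wetransfer.com
2026-03-02T08:12:30 10.0.4.37 21.4.0.10.in-addr.arpa
2026-03-02T08:15:00 10.0.9.8 chat.openai.com
2026-03-02T08:20:11 10.0.9.8 api.openai.com
2026-03-02T08:22:05 10.0.9.8 obscure-analytics-tool.com.au
this line is malformed and should be skipped
""".splitlines()

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['domain']:<32} {r['category']:<20} clients={r['clients']} "
              f"queries={r['queries']} first_seen={r['first_seen']}")
```

Ranking by distinct clients rather than raw query count is deliberate: one machine generating thousands of lookups is one person's habit, while several machines touching the same domain is a team that has quietly adopted a tool. Uncategorised domains with more than one client are the ones worth a conversation with that team.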

Method 2: Expense Report Analysis

Look for charges to:

  • Software companies
  • Cloud services
  • "Digital goods" merchants
  • App stores

Someone expensing a "productivity tool" is a red flag for shadow IT.

Method 3: Email Domain Monitoring

Set up Google Alerts or similar for your company domain name. Many SaaS services send welcome emails or notifications that will show up in public email archives or breach databases.

Services like Have I Been Pwned can also alert you when your domain appears in breach data.

Method 4: Just Ask

Seriously. Send an all-staff email: "We're reviewing our software tools. Please reply with a list of any online services you use for work, even if you signed up yourself."

You'll be amazed what people tell you. Most don't realise they're doing anything wrong.

Method 5: Browser Extension Analysis

If you manage devices, you can audit browser extensions. Many shadow IT tools have browser extensions for convenience.
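As an added example that is not part of the original post, the following Python script audits a local Chrome or Chromium profile: it reads the manifest.json of every installed extension, resolves localised names, and flags extensions that request access to every site or to permissions that touch browsing data. The extension IDs, names and permissions written by build_demo_profile() are constructed so the script runs offline; pass a real profile directory as the first argument to audit a managed device.

```python
"""Audit the extensions installed in a Chrome or Chromium profile.

Added example, not the post author's code. Chromium keeps each installed
extension at Extensions/<id>/<version>/manifest.json under the profile; the
two extensions written by build_demo_profile() are constructed, not real.
"""
import json
import os
import re
import sys
import tempfile

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that expose browsing data, the clipboard or the local OS.
SENSITIVE_PERMISSIONS = {"cookies", "history", "tabs", "webRequest",
                         "clipboardRead", "nativeMessaging", "downloads"}
MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def resolve_name(ext_dir, manifest):
    """Return the display name, following a __MSG_key__ placeholder into messages.json."""
    raw = manifest.get("name", "")
    m = MSG_RE.match(raw)
    if not m:
        return raw
    path = os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"),
                        "messages.json")
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return raw  # keep the placeholder rather than guess


def audit_extensions(profile_dir):
    """Summarise every Extensions/<id>/<version>/manifest.json in the profile."""
    results = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return results
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ver_dir = os.path.join(id_dir, version)
            try:
                with open(os.path.join(ver_dir, "manifest.json"), encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue  # not a version directory, or a corrupt manifest
            perms = set(manifest.get("permissions", []))
            # Manifest V2 mixes host patterns into "permissions"; V3 uses host_permissions.
            hosts = set(manifest.get("host_permissions", [])) | {
                p for p in perms if "://" in p or p == "<all_urls>"}
            results.append({
                "id": ext_id,
                "version": manifest.get("version", version),
                "name": resolve_name(ver_dir, manifest),
                "permissions": sorted(perms - hosts),
                "hosts": sorted(hosts),
                "broad_host_access": bool(hosts & BROAD_HOST_PATTERNS),
                "sensitive": sorted(perms & SENSITIVE_PERMISSIONS),
            })
    return results


def build_demo_profile(root):
    """Write a constructed profile with two extensions so the audit runs offline."""
    demo = [
        ("abcdefghijklmnopabcdefghijklmnop", "3.2.1",
         {"manifest_version": 3, "name": "__MSG_extName__", "version": "3.2.1",
          "default_locale": "en", "permissions": ["storage", "tabs", "clipboardRead"],
          "host_permissions": ["<all_urls>"]},
         {"extName": {"message": "Quick File Sender (constructed)"}}),
        ("ponmlkjihgfedcbaponmlkjihgfedcba", "1.0.0",
         {"manifest_version": 3, "name": "Tab Counter (constructed)", "version": "1.0.0",
          "permissions": ["storage"]}, None),
    ]
    for ext_id, version, manifest, messages in demo:
        ver_dir = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(ver_dir, exist_ok=True)
        with open(os.path.join(ver_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        if messages:
            loc_dir = os.path.join(ver_dir, "_locales", "en")
            os.makedirs(loc_dir, exist_ok=True)
            with open(os.path.join(loc_dir, "messages.json"), "w", encoding="utf-8") as fh:
                json.dump(messages, fh)
    return root


def demo_audit():
    """Build the constructed profile in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_demo_profile(tmp))


if __name__ == "__main__":
    # Pass a real profile directory, e.g. ~/.config/google-chrome/Default, to audit a device.
    for r in audit_extensions(sys.argv[1]) if len(sys.argv) > 1 else demo_audit():
        print(r["id"], r["name"], r["version"], r["sensitive"],
              "BROAD HOST ACCESS" if r["broad_host_access"] else "")
```

An extension that combines access to every site with clipboard or tab permissions is exactly the shape a convenience file-transfer or note-taking helper tends to take, and it is also the shape that can read everything typed into the company's approved web apps. The output is a starting list for the "adopt, tolerate, or retire" conversation, not a verdict on its own.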


Managing Shadow IT: The Practical Approach

Discovering shadow IT is the easy part. Managing it is where it gets tricky.

Here's my framework for dealing with shadow IT without destroying productivity or goodwill:

Step 1: Don't Panic (or Punish)

When you discover shadow IT, your first instinct might be to shut it down immediately and reprimand the users. Don't.

Remember: they're trying to do their jobs. Punishing them creates an adversarial relationship and drives future shadow IT further underground.

Instead, approach it with curiosity. Why did they need this tool? What problem was it solving? How can we solve that problem within policy?

Step 2: Assess the Risk

Not all shadow IT is equally risky. Create a simple risk assessment:

High Risk:

  • Contains customer personal information
  • Subject to regulatory requirements
  • No security controls or data processing agreement
  • Based in high-risk jurisdictions

Medium Risk:

  • Contains internal business data
  • Some security controls
  • Unclear data handling practices

Low Risk:

  • Public information only
  • Well-established vendor with good security
  • Minimal business impact if lost

Focus on high-risk items first.

Step 3: The "Adopt, Tolerate, or Retire" Decision

For each shadow IT service, make one of three decisions:

Adopt: Make it official. Go through proper procurement. Negotiate enterprise terms. Implement proper security controls. This is the right choice for tools that provide real value and can be secured.

Tolerate: Allow it temporarily with conditions. Maybe it's low-risk, or there's no good alternative yet. Set a review date and monitoring requirements.

Retire: Shut it down. Migrate data to an approved alternative. Do this carefully—if you just turn it off, people will find another shadow alternative.

Step 4: Provide Better Alternatives

If you're retiring a shadow IT tool, you must provide a better (or at least equivalent) alternative.

The conversation should be: "We need to move off Tool X because of security concerns. We're going to migrate you to Tool Y, which does the same thing but with proper security controls. Here's training and support to help you transition."

Not: "Stop using that immediately. Figure something else out."



Building a Shadow IT-Resistant Culture

The best way to manage shadow IT is to make it unnecessary. Here's how:

Make Approved Tools Easy to Access

If getting an approved tool requires:

  • Filling out a 5-page form
  • Getting three signatures
  • Waiting two weeks for procurement
  • Installing special software
  • Going through training

...people will find alternatives.

Streamline your approval process. Create a self-service portal for common tools. Pre-approve categories of low-risk tools.

Make Asking for Tools Normal

Create a culture where asking IT for tools is easy and encouraged.

  • "Tool request" channel in your team chat
  • Regular "what tools do you need?" check-ins
  • Fast response times to tool requests
  • Transparent criteria for approval

If people know they can get what they need through proper channels, they're less likely to go around you.

Educate About Risks (Without Being Alarmist)

Help employees understand why shadow IT matters:

  • "That free tool might sell your data"
  • "If the company shuts down, we lose everything"
  • "We can't recover data if there's a breach"

But don't be the security team that cries wolf. If you block everything "just in case," people stop listening.

Monitor Continuously

Shadow IT isn't a one-time problem. New tools launch every day. Employees find new solutions constantly.

Set up ongoing monitoring:

  • Quarterly surveys
  • Continuous network monitoring
  • Regular expense report reviews
  • Stay alert for new categories (AI tools are the current wave)

Your Family's Shadow IT Problem

Here's a thought that keeps me up at night: your family has shadow IT too.

Your kids are signing up for apps you don't know about. Your spouse is using personal accounts for family stuff. Everyone's using AI tools and copying personal information into them.

The same shadow IT security risks that threaten your business threaten your family:

  • Personal data in services with poor security
  • Photos and documents on platforms that might disappear
  • Location data tracked by apps
  • AI training on private family information

If you're securing the enterprise, spare a thought for securing the home. Because your family's data matters just as much as your company's.

Want to learn more about protecting personal data? Check out our guide to password policy best practices — because it all starts with the basics.


Mathew Clark
Founder, SecureInSeconds
Currently: Auditing my own family's app usage and finding way too many services I've never heard of
