
Shadow IT: what to do when departments choose their own tools?

Driven by the democratization of remote working, the adoption of SaaS software offers employees a range of online services that were previously inaccessible.

Commonly referred to as shadow IT, this use of software not approved by the company is perceived by employees as a source of agility and speed. However, this practice is not without risks.

Between unintentional data leaks and compromised user accounts, this trend raises questions.

How can new digital practices be regulated without hindering team productivity? Why do employees sometimes choose their own tools, outside the framework defined by the IT department?

To find out, Rcarré experts provide answers and insights in this article.

What is Shadow IT?

Shadow IT can be defined as the use of equipment and software within a company without the prior and explicit approval of the IT department.

Shadow IT implies a loss of visibility. Data transfers are carried out in environments outside the company, beyond any control.

While the term may sound alarming, it refers to perfectly ordinary everyday uses. The most common forms of shadow IT involve online file storage and sharing solutions, instant messaging applications (such as WhatsApp or Messenger) and, in some cases, personal storage accounts on consumer cloud services (Apple’s iCloud or Google Drive).

This concept also applies to the growing use of artificial intelligence tools and agents (AI agents) and to interaction with Large Language Model (LLM) platforms such as ChatGPT or Gemini. When the company does not supervise these uses, for example by providing a private LLM installed locally, they constitute a new variant of the concept, known as “Shadow AI.”


How does shadow IT pose a threat to your company’s IT security?

Unapproved IT tools expose the company to real risks: data leaks, breaches of confidentiality clauses, and regulatory non-compliance, not least with regard to the GDPR.

When your employees use free online solutions, they are often unaware that their data may be stored abroad (a sovereignty issue), sold to third parties, or used to train artificial intelligence models (a lack of confidentiality and a risk of data leaks). This loss of control over your information flows weakens your cybersecurity posture and may ultimately erode the trust of your customers and partners if they are affected.

There are many everyday examples of shadow IT.

An employee who is unable to send an email because the attachment size limit has been reached may choose to use an online sharing service to quickly get around the problem.

Editing a PDF is another common example: an employee who is put off by the idea of manually copying the content of a large number of documents may prefer an online conversion platform, which takes in your files and returns them as editable documents.

The same applies to sales teams that use free electronic signature tools to send contracts and sales proposals.

Finally, communications and marketing departments, which face constantly rising software license prices, are also tempted to use free tools to send company data.

This trend is all the more dangerous when an employee leaves the company and the data remains in the abandoned user account for years.

What factors encourage the use of shadow IT?

Several factors explain the rise of shadow IT in companies.

The first factor is related to a form of performance pressure, which pushes employees to seek efficiency and productivity gains outside the framework defined by the IT department. Employees are under pressure to deliver on time, and if the IT tools provided by their employer are unable to produce the expected results within a reasonable timeframe, they will look for an alternative solution in online software. This frustration is commonly observed when employees are faced with internal tools that are considered obsolete, too slow, or ill-suited to their business needs.

The lack of communication between users and IT teams also plays a decisive role. It is common to find that employees are unaware of the existence of an IT charter and of the company’s rules and regulations, which leads some of them to breach the security rules in force without realizing it.

Finally, the ease of use of free tools, designed to be fast and frictionless, encourages their adoption. Conversely, professional solutions imposed by the company sometimes suffer from outdated ergonomics, which makes them more difficult to adopt.


How can you combat shadow IT in your company?

To reduce shadow IT in the long term, companies must combine education with monitoring solutions. It is important to understand that in most cases, employees are not acting maliciously: they are primarily seeking to accomplish their tasks as efficiently as possible.

Rcarré therefore proposes a two-step approach: first, providing guidance and raising awareness among employees, and second, monitoring and detecting risky behavior.

It is recommended that you establish a culture of vigilance within your company. This involves regularly raising awareness of the risks associated with the use of unapproved digital tools.

Implementing an IT charter, signed by employees, is a good starting point. This document commits everyone to following best practices for using the information system and to only using solutions approved by the IT department. It is also recommended to clearly communicate the list of authorized software and to establish a validation process for any new requests. This dialogue must be accompanied by regular exchanges between business managers and technical teams to ensure that the solutions deployed truly meet the operational needs of the various teams.

This educational aspect must be supplemented by technical measures, which consist of accurately mapping the software, data flows, and services used in the company in order to identify areas not supervised by your IT team.

DNS filtering then blocks access to unauthorized online platforms by restricting your employees to a predefined list of approved domain names.

In addition, integrating a data loss prevention (DLP) solution helps monitor data exchanges. For example, this system detects the insertion of data into a prompt during a conversation with an AI agent, or the sending of a confidential document to an external recipient.

When it comes to using artificial intelligence, there is an alternative: private LLMs, hosted on sovereign and controlled servers. The information shared remains within the company, which significantly reduces the risk of exploitation by third parties.

Finally, using a CASB (Cloud Access Security Broker) solution provides complete visibility into employees’ use of online services and allows for the encryption of exchanges between the user and the platform. By combining user awareness, tool governance, and the implementation of technical monitoring devices, companies can regulate unauthorized digital use without stifling innovation.
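One way to implement the mapping and DNS-filtering steps described above, as an added example that is not Rcarré’s tooling: it runs a constructed DNS query log against an assumed approved-domain list and a small catalogue of consumer services, reports unapproved service use per client, and matches domains label-wise so that a look-alike such as the constructed notgoogle.com is not mistaken for google.com.

```python
# Shadow-IT discovery over DNS query logs (added example, not Rcarré's tooling).
# The log format and every domain list below are assumptions constructed for this demo.
from collections import defaultdict

APPROVED = {"intranet.example-corp.local", "drive.google.com"}  # IT-approved list enforced by DNS filtering

SAAS_CATALOGUE = {  # registrable domain -> shadow-IT category named in the article
    "whatsapp.com": "instant messaging",
    "google.com": "personal cloud storage",
    "openai.com": "AI assistant (Shadow AI)",
    "gemini.google.com": "AI assistant (Shadow AI)",
}

def lookup(name):
    """Label-wise suffix match, longest suffix first, so 'notgoogle.com' never matches 'google.com'."""
    labels = name.lower().rstrip(".").split(".")   # DNS logs often carry a trailing dot
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SAAS_CATALOGUE:
            return suffix, SAAS_CATALOGUE[suffix]
    return None, None

def filter_verdict(name):
    """DNS-filter decision: only approved names and their subdomains resolve."""
    n = name.lower().rstrip(".")
    return "allow" if any(n == a or n.endswith("." + a) for a in APPROVED) else "block"

def map_shadow_it(log_lines):
    """Mapping step: per client, which unapproved services were queried and how often."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:          # skip malformed lines instead of crashing
            continue
        _ts, client, qname = parts
        if filter_verdict(qname) == "block":
            suffix, category = lookup(qname)
            if suffix:               # blocked but unknown domains are not reported as shadow IT
                report[client][f"{category}: {suffix}"] += 1
    return {c: dict(v) for c, v in report.items()}

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2024-05-02T09:02:11 10.0.0.12 web.whatsapp.com.",
    "2024-05-02T09:05:40 10.0.0.12 chat.openai.com.",
    "2024-05-02T09:05:41 10.0.0.12 chat.openai.com.",
    "2024-05-02T09:10:07 10.0.0.27 drive.google.com.",
    "2024-05-02T09:12:55 10.0.0.27 notgoogle.com.",
    "2024-05-02T09:15:00 10.0.0.27 gemini.google.com.",
    "garbage line",
]
```

The per-client report is the input to the dialogue with business managers: it shows which category of need (messaging, storage, AI assistance) each team is meeting outside the approved list.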

Rcarré supports you in the day-to-day management of your corporate IT systems.

Using our software tools, our experts detect risky behavior and alert users and management before data is shared outside the company.

Want to learn more? Contact an Rcarré expert today.
