Shadow IT – minimize risks, identify opportunities, empower employees

The picture shows a portrait of Pascal Rieboldt from the ML Gruppe.

Pascal Rieboldt

23. October 2025

Danger lurks in the shadows. But if you bring a company’s hidden software to light, you will also find interesting opportunities. Let’s take a differentiated look at shadow IT.

Shadow IT is a phenomenon that is both commonplace and largely invisible in many companies. Employees use tools such as Dropbox, WhatsApp or private cloud storage for their work without coordinating this with the administrators. This is convenient and the tools are usually free of charge, but in the worst case using them can become expensive.

This is because the use of unauthorized tools poses security risks.

And many people are not aware of this.

A prominent example of the damage caused by shadow IT is the case of Hillary Clinton. She used a private email server during her time as US Secretary of State. She is said to have sent or received around 60,000 messages via it during this time – many of them with sensitive content.

The Clinton case thus became a symbol for the risks of uncontrolled IT use.

Conversely, the use of shadow IT can also end positively: The now widely used communication tool Slack originated as an internal, unapproved project and later became a global success story.

The examples show that shadow IT is an often underestimated risk. Although it can help to promote innovation, it can also open up security gaps. The decisive factor is how consciously companies and employees deal with it.

So let’s take a closer look at the topic.

What is shadow IT?

Shadow IT refers to information technology solutions that employees of an organization or company use without the knowledge or approval of the IT department.

Of course, these unauthorized software solutions are not all dangerous or a security risk. Nevertheless, they are a problem because their use could be a violation of internal company rules or even laws.

Shadow IT in figures

  • 41 %: employees who use shadow IT
  • 65 %: SaaS tools in use that are unknown to IT
  • 11 %: security incidents attributable to shadow IT
  • 30-40 %: hidden IT costs in the company

Why is shadow IT used?

The reasons for switching to unauthorized applications are usually that the official solutions are too complicated, slow or inflexible, or are missing altogether.

This is often the result of well-intentioned initiatives by departments or team members who want to increase their productivity. They then resort to an application they already know from private use, without being aware of the risks.

Typical examples of shadow IT in everyday working life:

  • Use of private e-mail addresses for business purposes
  • Installing unauthorized software
  • Using file sharing services without security clearance to share project data
  • Use of cloud storage without IT involvement (Google Drive, Dropbox)
  • Use of chat and messaging apps (WhatsApp, Telegram)
  • Use of SaaS services without approval (e.g. project management tools such as Trello or Asana)

Such unauthorized additions to the existing IT structure can lead to security gaps.

Increasing digitalization, more working from home and the use of personal devices have exacerbated the issue of shadow IT. Only very rarely are employees acting maliciously; usually they simply don't know any better.

The aim here is to build up skills and raise awareness of the dangers.

Shadow IT: a coin with two sides

The proportion of unofficial tools in companies can only be estimated. It is estimated to be around 40 percent of all IT applications. This gives an idea of how widespread this phenomenon is. Not every unofficial application carries only risks; there are also benefits.

Opportunities & benefits

The scenario is usually similar: employees reach their limits in their day-to-day work and then look for a new or better tool. This largely unintentional breach of the rules promotes collaboration and efficiency in the short term. Teams find solutions together, communicate more directly or benefit from automated routine tasks. Shadow IT can also be a valuable indicator of innovation potential. It clearly shows: Where is there a need?

Two examples illustrate this.

Typical practical example: AI tools in everyday working life

Current studies show: AI tools are increasingly being used independently in day-to-day work without formal approval from the IT department. A typical scenario could look like this: An employee of an insurance company uses ChatGPT to develop an automated script for checking claims. Although this solution was developed outside the official structures, it is later officially adopted because it improves day-to-day work.

Real-life positive example: Slack – from by-product to company

The communication tool Slack, which is used worldwide today, was created because the team at game developer Tiny Speck was dissatisfied with the official communication applications. The solution: they developed their own program for team communication – without the approval of the IT department. This internal side project initially became a success story within the company, and later all over the world.

Shadow IT can therefore provide important impetus for innovation, provided it is used responsibly. Companies that support their employees’ own initiative can even benefit from it.

Risks & challenges

Shadow IT can be helpful, but it also harbors a number of risks that can be expensive in the worst case. In addition to financial consequences, there is also the threat of legal and organizational consequences.

Data security: Inadequate security is one of the biggest risks when using external systems. Sensitive data may be transmitted unencrypted or end up on servers outside the company's control, with no way for IT to enforce access controls, retention or deletion.

Compliance violations: In Germany, strict rules apply to the processing and storage of personal data. If, for example, tools are used whose servers are located outside the EU, their data protection standards often do not meet European requirements. In this case, the use of these tools may violate the General Data Protection Regulation (GDPR) or industry-specific supervisory requirements (e.g. from BaFin, the BSI or MaRisk). In addition to fines, there is also the threat of reputational damage and a loss of trust, which can have a negative impact on the balance sheet.

Cybersecurity: If unofficial software is not regularly updated and monitored, security gaps arise that cyber criminals can exploit. Phishing, ransomware and data leaks often occur precisely where IT has no visibility of the systems in use and therefore cannot apply central security controls such as patching, logging and access management.

Lack of integration and loss of efficiency: Shadow IT is also a challenge from an organizational perspective, as the unauthorized tools are not integrated into the existing software framework. This often leads to data islands, redundancies and unclear process flows.

The use of different applications can make reporting, project management and IT support more difficult.

Companies should detect shadow IT at an early stage, before it causes damage, through targeted training, technical controls (for example an inventory of the cloud services actually reached from the corporate network) and clear processes.
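One of the simplest technical controls is to look at what the network already sees. The script below is an added example and is not part of the original article: it builds an inventory of SaaS usage from web-proxy log lines and flags applications that are not on the IT department's sanctioned list. The Squid-like log layout, the domain-to-application map, the sanctioned list and the user names are constructed assumptions; the same approach works on DNS resolver or CASB logs.

```python
"""Inventory SaaS usage from web-proxy logs and flag apps that are not sanctioned.

Added example, not from the original article. The log format, the domain-to-app
map and the sanctioned list are constructed assumptions; adapt them to the
proxy or DNS logs your organisation actually has.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample lines in a Squid-like "timestamp user method target status" layout.
SAMPLE_LOG = """\
1729670000.123 alice GET https://app.asana.com/api/1.0/tasks 200
1729670001.456 bob CONNECT www.dropbox.com:443 200
1729670002.789 alice CONNECT web.whatsapp.com:443 200
1729670003.012 carol GET https://drive.google.com/drive/my-drive 200
1729670004.345 dave CONNECT sharepoint.example-corp.com:443 200
1729670005.678 erin GET https://trello.com/b/abc123 200
1729670006.901 bob CONNECT content.dropboxapi.com:443 200
1729670007.234 frank GET https://login.microsoftonline.com/common/oauth2 200
this line is garbage and must be skipped
"""

# Domain suffix -> SaaS application. Constructed; extend from your proxy/CASB categories.
SAAS_DOMAINS = {
    "asana.com": "Asana",
    "trello.com": "Trello",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "whatsapp.com": "WhatsApp",
    "drive.google.com": "Google Drive",
    "microsoftonline.com": "Microsoft 365",
}

# Applications approved by IT (constructed). Any other recognised SaaS app counts as shadow IT.
SANCTIONED = {"Microsoft 365"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)


def host_from_target(method: str, target: str) -> str:
    """Extract the destination hostname from a proxy log target.

    CONNECT (TLS tunnel) lines carry host:port; other methods carry a full URL.
    """
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def classify_host(host: str) -> Optional[str]:
    """Map a hostname to a known SaaS app by the most specific matching domain suffix."""
    parts = host.split(".")
    for i in range(len(parts)):
        suffix = ".".join(parts[i:])  # e.g. drive.google.com, then google.com, then com
        if suffix in SAAS_DOMAINS:
            return SAAS_DOMAINS[suffix]
    return None


def shadow_it_report(log_text: str) -> dict[str, set[str]]:
    """Return {app: {users}} for every recognised SaaS app that is not sanctioned."""
    usage: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        app = classify_host(host_from_target(m["method"], m["target"]))
        if app and app not in SANCTIONED:
            usage[app].add(m["user"])
    return dict(usage)


if __name__ == "__main__":
    report = shadow_it_report(SAMPLE_LOG)
    for app, users in sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        print(f"{app:<14} {len(users)} user(s): {', '.join(sorted(users))}")
```

The output is an inventory, not a verdict: it tells IT which unsanctioned services are actually in use and how many people depend on them, which is exactly the input the "create transparency" conversation below needs. Note that the per-user breakdown is itself personal data; in Germany such an evaluation typically has to be agreed with the works council and the data protection officer, so aggregate to counts where individual attribution is not required.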

Legal aspects and industry-specific requirements

In addition to internal company problems, the use of shadow IT can also have legal implications. Data protection, labor and liability laws apply in particular to the processing of personal data.

Data protection law (GDPR & BDSG)

The General Data Protection Regulation (GDPR) applies in the EU. It requires companies to take technical and organizational measures to protect personal data. Using apps such as private cloud services or messaging apps for personal data may breach the GDPR if no data processing agreement (Art. 28 GDPR) is in place with the provider and no security assessment has been carried out.

If the worst happens, there is a risk of severe fines as well as reputational damage.

Labor and liability law

Employees who deliberately violate internal IT guidelines and cause damage as a result risk warnings or personal liability.

Employers, for their part, have an obligation to provide clear IT guidelines and offer regular training. Otherwise, they may be accused of breaching their organizational or supervisory duties in the event of damage.

Industry regulations and supervision

How strictly the use of shadow IT is regulated depends heavily on the industry in question. The following frameworks and special rules apply:

  • Finance and insurance: Shadow IT can be considered a compliance violation here because of the strict requirements of BaFin and the Minimum Requirements for Risk Management (MaRisk).
  • Healthcare: Use of unauthorized software can endanger patient data and thus violate the GDPR and Section 203 of the German Criminal Code (§ 203 StGB, duty of confidentiality).
  • Public sector/authorities: These are subject to special security regulations such as the BSI IT-Grundschutz standards and e-government laws. Private or non-certified tools are usually expressly prohibited.
  • Industry & SMEs: In many companies, the use of unofficial software is handled less strictly as long as no personal data is involved. Nevertheless, liability and confidentiality requirements (e.g. the German Trade Secrets Act, GeschGehG) may also apply here.

Practical examples: The risks of shadow IT

The legal and technical risks listed above are not theoretical – they have already led to real incidents on several occasions. These three prominent cases show how different the consequences can be:

Hillary Clinton

During her time as US Secretary of State, Hillary Clinton used a private email server for official communications. This server was not part of the State Department's official IT infrastructure.

What began as a purely pragmatic solution developed into a scandal. The reasons:

  • The private server was not sufficiently protected.
  • Sensitive government data could therefore potentially fall into the wrong hands.
  • The procedure also violated archiving and security guidelines.

Although no criminal consequences followed, the damage to trust was enormous and an example of how shadow IT can jeopardize credibility and security even at the highest level.

KordaMentha

The consulting firm KordaMentha had to publicly admit in 2023 that sensitive customer data was inadvertently made freely accessible. The reason for this:

  • A cloud storage solution outside the central IT was used.
  • The platform was set up independently – without a security check or central approval.
  • An error caused the unintentional data release.

The company responded with training programs and stricter guidelines for cloud services to prevent similar incidents in the future.

Wirecard

Shadow IT can also be used specifically for manipulation and fraud.

Employees at Wirecard operated their own IT systems and servers for the company's foreign business. These were not connected to the official accounting system. With the help of this shadow IT, fictitious sales and credit balances were reported. The consequences:

  • Figures in the billions were manipulated over several years.
  • The control systems did not work because the shadow systems ran outside of governance.
  • The fraud ultimately led to the collapse of the company.

Shadow IT can thus also be used for criminal purposes. Only transparency about the systems in use, combined with consistently applied compliance controls, can prevent such risks.

Strategies against shadow IT

Shadow IT cannot be completely avoided – and doesn’t have to be, as the partially positive results show.

On the other hand, it makes sense to steer the use of new tools in the right direction and to curb uncontrolled growth with the right strategies. Employees are at the heart of these strategies. We support you in sensitizing your teams and actively involving them.

Create transparency

Instead of banning alternative IT solutions across the board, companies should understand why employees use shadow IT. Is there a new need or are the existing systems outdated?

Find out through regular feedback rounds, IT consultations or digital idea platforms.

Make targeted use of training offers

Regular training to build up IT skills for the tools already available is an effective way of preventing shadow IT. The training courses should be very close to the reality of work and address specific use cases from everyday working life.

The picture shows a portrait of Christian Gronowski from the ML Gruppe.

“The IT solutions released by the company are often better than their reputation. Many employees may not even be aware of the possibilities of the software solutions and therefore fall back on shadow IT. This potential could be exploited through targeted training.” – Christian Gronowski, SAP learning concepts expert, ML Gruppe

Rely on awareness training and governance

In addition to technical training, it makes sense to sensitize employees to risks, for example through awareness programs on topics such as data security, social engineering or phishing.

In addition, companies should establish clear rules for the secure use of IT.

  • Which tools are allowed?
  • How is approval granted?
  • Who is responsible for monitoring and training?

This clear governance structure creates security and personal responsibility in equal measure.

Combine different learning formats

A combination of different learning formats can be used to support IT security and compliance:

  • E-learning modules for in-depth knowledge
  • Microlearning units for a quick refresher
  • Blended learning concepts that combine face-to-face and digital forms of learning

This allows employees to develop a digital routine – a crucial prerequisite for avoiding shadow IT in the long term.

Cooperation between IT, HR and compliance

Effective prevention against shadow IT can only be achieved through teamwork. IT departments, HR development and compliance should work together to consider all aspects that play into this issue: organizational, technical and, last but not least, human. When technology, organization and people pull together, trust is created – and this is where real IT security begins.

Conclusion: Knowledge is the key to secure IT use

Targeted training enables employees to become aware of the risks of shadow IT and to use existing digital tools safely and confidently. This enables them to communicate requirements clearly and contribute to secure and efficient processes.

We develop learning formats that work – practical, applicable and well-founded:

  • IT training that makes applications secure.
  • Targeted learning opportunities for SAP and digital tools that build skills.
  • Modern e-learning and blended learning concepts that bring knowledge to life and motivate.

Our learning solutions are personal, approachable and effective in empowering employees and future-proofing companies.

We accompany you on your learning journey so that new things succeed and knowledge is transferred.

Preventing shadow IT, promoting innovation

Would you like to reveal your company’s shadow IT and sensitize your team without stifling new ideas? Talk to us …

Two people gather around a laptop whose screen shows a hacker symbol.

Information security training

Join us in declaring war on threats such as phishing, social engineering and other cyber attacks! ML Gruppe supports companies with targeted training.