7 minute read 24 Jul 2023

How to bring light to shadow IT: third-party solutions

By Jake Basile

Manager, Consulting, EY Sweden

Protecting clients from the “what if?” Certified CISSP, CCSP, CISM, CISA, CRISC, CFE and AMBCI. Specializing in organizational resilience, crisis, disaster, and business continuity management.

Related topics Cybersecurity Risk Consulting

Exploring the extensive reliance on unmanaged third-party solutions in organizations worldwide and the associated risks.

In brief

  • Cyber risks surrounding shadow IT continue to grow due to the ease of access to alternative solutions.
  • Conventional third-party risk management procedures must be expanded to capture risks faced due to the increasing use of third-party solutions.

Drivers for the extensive dependency on third-party solutions

Organizations worldwide are increasing their reliance on third-party solutions. This shift can be attributed to the growing number of outsourcing arrangements and the increasing use of the cloud. There is a move to do more with less, and this is causing organizations to turn to third-parties to stay competitive. This reliance has vastly increased the risks associated with the privacy of customer data, sub-outsourcing or using chains of service providers, and exposure to single points of failure resulting in loss of availability.

Our latest Global Third-Party Risk Management Survey shows that 38% of respondents have encountered a data breach caused by a third-party in the last two years. More than half of the respondents (52%) have had an outage caused by a third-party in the last two years and only 8% of their third-party population were assessed.

The interconnected landscape of today’s business environment poses a serious risk of disruption that can result in a significant loss of revenue. The October outage of a large social media player that caused a revenue loss of ~US$66m is a case in point.

Organizations need to evaluate the ability of their offshore presence and third-parties to continuously support critical functions such as IT, human resources, payroll, financial reporting, cybersecurity and more. Further, unapproved third-parties (shadow IT or Business Managed Applications (BMAs)) require evaluation as SLAs may not exist, which could hinder the availability of services from the primary organization.

Ways of working in the era of technology

With approximately half of the employers worldwide instituting remote working policies over the last two years, new communication technologies have become indispensable for daily work. Video conferences are at times easier than in-person meetings, instant messaging is now preferred over picking up the phone, and collaboration has become vastly easier across dispersed offices. Third-party technologies have enabled us to embrace this hybrid lifestyle; however, the suite of communication tools easily available can pose risks if appropriate due diligence is not performed.

Similarly, agile working, collaboration and coordination technologies have been widely adopted recently. ERP software, digital whiteboards and Kanban boards are a few good examples. The surge in the number of collaborative technologies in recent times has resulted in approximately 200 “well-known” tools available for users to easily download and use within an organization. With no signs of slowing down, IT teams must keep on top of the use of any unapproved tools which may create vulnerabilities within the organization.

The use of shadow IT and BMAs

BMAs are applications that are not managed or administrated by the central IT department, but within the various business areas. There are BMAs that are known by IT and applications that IT is not aware of.

Shadow IT refers to software, systems, hardware and even infrastructure that is not managed within the organization. Generally, the IT department is unaware of their use within the organization, which means that there is usually a large gap between user reliance on these technologies and the support available for them. Not too long ago, shadow IT largely referred to the use of macros within an Excel workbook and off-the-shelf software purchased from the store. But today, the term has rapidly expanded to include collaborative tools, social media, file-sharing apps within the cloud and any type of program downloaded to assist users in their day-to-day tasks.

Users generally adopt Shadow IT not with malicious intent, but more so to enable an effective way of performing day-to-day tasks. In some cases, employees find the organization’s IT solutions ineffective, so they turn to technologies that do the job faster and more efficiently.

Some common examples of Shadow IT seen in the workplace include:

  • Communication on work devices using personal communication tools.
  • Use of third-party applications to improve productivity and collaboration.
  • Use of personal physical devices (USB drives, external drives, unsanctioned BYOD (Bring Your Own Devices)).
  • Use of cloud storage.

While shadow IT can enable users to quickly and efficiently get the tools needed to support tasks, it also poses significant risks, including:

  • Security gaps: If the IT department isn’t aware of the technologies being used across the organization, then there is no guarantee on the security of these technologies. This includes consideration for business continuity and disaster recovery management. Vulnerabilities can also easily be introduced into the organization’s infrastructure due to this oversight.
  • Application sprawl: The continuous adoption of new systems and technologies (without the removal of older ones) results in application sprawl. This prevents an organization from saving space and conserving resources, and also increases security risks.
  • Collaboration inefficiencies: While users leverage unapproved software to improve efficiency, it could result in quite the opposite. Such software and applications, once installed, could conflict with the existing corporate infrastructure.
  • Lost control and visibility: Without full knowledge of the systems and technologies that exist within the organization, the IT department will be unable to ensure the safe use of each of these technologies.
  • Regulatory issues: Shadow IT can cause non-compliance with local privacy laws such as the EU GDPR, which could lead to legal penalties and reputational losses. Not knowing where and how these technologies process and maintain confidential data results in non-compliance.
  • Lost data: Unapproved applications may not employ frequent data backups or any data backup at all. This could lead to the complete loss of any data held within.
  • Unmonitored availability management: As shadow IT applications are unapproved, they are consequently unmonitored in relation to availability management. IT departments cannot determine the performance of these systems and as a result, workarounds would not be in place for when they become unavailable.

In the ever-growing IT landscape, how do teams remain on-task when shadow IT fails?

Without SLAs in place for what may be critical shadow IT in the organization, what can be done when these systems or services go down? 

CIOs and IT managers can employ preventive and detective measures across the organization to promote a safe and transparent environment by taking the following steps:

  1. Understand the environment completely: Ask questions. Sit down with all your Business Unit Leads and find out why, for example, they might be using unapproved collaboration software, when the company already has their own communications software. Or why a particular communication tool is the chosen method to discuss work with colleagues in different time zones. Perhaps staff have downloaded a cloud storage service to share large files, as the current attachment size setting on your email service is too limiting. Try to understand the perspective of the users.
  2. List all services and systems through an impact analysis exercise: Once a comprehensive list of all shadow IT has been established, identify how widely each technology is used throughout the organization, by which teams, and to what extent. Include the risks which would stem from the unavailability or breach of each of these technologies and prioritize based on criticality.
  3. Embrace shadow IT or offer alternatives: Accepting shadow IT after considering the risks and governance can create opportunities for organizations to stand out from the competition. However, this acceptance should include the implementation of adequate processes and procedures that ensure the proper use of these technologies. Further, confidentiality, integrity and availability need to be considered throughout their use, to support the collective goals of the organization, IT and the end-users. Guidelines should be created to accommodate the needs of the business units, and IT should scale up support.

Conversely, understand why the end-users have ventured outside of the approved technologies and offer alternatives that may support their needs. The solution may already exist, but users could be unaware of its existence or where to obtain it. Or there might be safer solutions that could be added to the approved list following a cost-benefit analysis.

  4. Educate and monitor: It can be difficult for end-users to understand the risks that are introduced through the use of shadow IT. Awareness needs to be embedded throughout the organization through the communication of acceptable use policies, approved technology lists and more. This will ensure that the end-users understand the impact that downloading certain freeware can have on the organization, while also seeing which technologies currently approved by the organization could be safer alternatives.

A frequent monitoring process can also be employed to ensure device usage is limited to approved technologies.

  5. Seek assistance: EY teams look outside the process, include in-depth business impact analyses and ask better questions to identify all critical applications your business uses.
    We help enable organizations to make the right decisions regarding the third-parties they elect to work with. We examine risk from all angles and provide insights into the appropriate solution, tailored for each organization.
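Steps 2 and 4 above ask for two concrete things: a picture of how widely each unapproved technology is used and by which teams, and a recurring monitoring process that checks actual usage against the approved-technology list. The Python script below is an added illustration of one way to produce both from a web proxy log export; it is not part of the article and not an EY tool. The allowlist, the catalogue of known SaaS domains, the team names and the log lines are all constructed sample data.

```python
"""Shadow IT discovery report: unapproved SaaS usage aggregated from proxy logs.

Added illustration; all domains, users, teams and log lines are constructed
sample data, not taken from the article or from any real organization.
"""
import re
from collections import defaultdict

# Constructed allowlist: sanctioned SaaS domains and the approved tool they belong to.
APPROVED_DOMAINS = {
    "teams.microsoft.com": "Microsoft Teams",
    "sharepoint.com": "SharePoint",
}

# Constructed catalogue of popular SaaS domains so unapproved hits can be named.
KNOWN_SAAS = {
    "slack.com": "Slack",
    "trello.com": "Trello",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
}

# Constructed proxy log export, one request per line: "<timestamp> <user> <team> <host>"
SAMPLE_LOG = """\
2023-07-20T08:01:12Z alice finance teams.microsoft.com
2023-07-20T08:03:40Z alice finance app.slack.com
2023-07-20T08:05:02Z bob   finance app.slack.com
2023-07-20T09:10:55Z carol sales   trello.com
2023-07-20T09:12:10Z dave  sales   www.dropbox.com
2023-07-20T09:15:00Z erin  hr      wetransfer.com
2023-07-20T09:20:31Z bob   finance contoso.sharepoint.com
2023-07-20T10:02:17Z frank sales   app.slack.com
2023-07-20T10:05:44Z erin  hr      app.slack.com
2023-07-20T10:30:00Z alice finance notes.example.net
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<team>\S+)\s+(?P<host>\S+)$")


def lookup(host, table):
    """Return the tool name when host equals, or is a subdomain of, a table key."""
    host = host.lower().rstrip(".")
    for domain, name in table.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def discover(log_text, approved=APPROVED_DOMAINS, known=KNOWN_SAAS):
    """Aggregate traffic to hosts outside the allowlist: tool -> users, teams, hits.

    Hosts that are neither approved nor in the catalogue are still reported,
    tagged 'unclassified', because an unknown dependency is exactly what an
    impact analysis needs to surface.
    """
    findings = defaultdict(lambda: {"users": set(), "teams": set(), "hits": 0})
    for rec in parse_log(log_text):
        if lookup(rec["host"], approved):
            continue  # sanctioned tool, nothing to report
        tool = lookup(rec["host"], known) or "unclassified:" + rec["host"].lower()
        entry = findings[tool]
        entry["users"].add(rec["user"])
        entry["teams"].add(rec["team"])
        entry["hits"] += 1
    return dict(findings)


def prioritize(findings):
    """Rank by breadth of dependence: distinct users x distinct teams, hits as tiebreak."""
    rows = []
    for tool, f in findings.items():
        rows.append({
            "tool": tool,
            "users": len(f["users"]),
            "teams": sorted(f["teams"]),
            "hits": f["hits"],
            "score": len(f["users"]) * len(f["teams"]),
        })
    rows.sort(key=lambda r: (-r["score"], -r["hits"], r["tool"]))
    return rows


def report(log_text):
    """Full pipeline: parse, filter against the allowlist, rank by criticality."""
    return prioritize(discover(log_text))


if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        print(f"score={r['score']:<3} {r['tool']:<30} users={r['users']} "
              f"teams={','.join(r['teams'])} hits={r['hits']}")
```

On the constructed data the report puts Slack first (four users across three teams), which is the signal step 2 is after: a tool nobody approved but several business units already depend on. In practice the team column would come from joining the proxy, DNS or CASB export with an HR directory, and the simple users-times-teams score would be replaced by the criticality ratings produced in the impact analysis. Running the same report on a schedule is the monitoring process step 4 describes.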

Where to get help?

Our Third-party Risk Management (TPRM) function helps enable management to effectively identify, assess, monitor and control risks linked to third-parties – including those that are unknown to the organization. To effectively mitigate the risks posed by third-parties, organizations must establish a strong TPRM capability that prioritizes trust from the outset. Through our broad approach, EY teams offer enhanced, robust frameworks for assessing and managing third-party risks across the organization. We assist in the development and implementation of appropriate TPRM strategies based on each organization’s specific needs and circumstances. For more information on how to handle these risks, please visit this link.


Staying abreast of all critical third-party solutions, contractually or otherwise, is paramount to mitigate growing cyber risks – especially now when IT landscapes rely heavily on outsourced arrangements.
