Unapproved Tech - The Silent Threat to Australian Businesses
Shadow IT isn’t just about faux efficiency—it’s a gaping hole in your cybersecurity. When employees use unvetted tools, they might accidentally expose sensitive data or violate privacy laws. This is especially critical given strict regulations like the Australian Privacy Act (2024) and mandatory data breach reporting now required in sectors handling sensitive data such as financial records, health information and information pertaining to minors.
Where IT departments are bound to comply with corporate policy on such things as data encryption, credential management, data backups and data sovereignty, Shadow IT, by its very nature, has no such restrictions, opening businesses to the very threats that corporate policies are written to avoid.
Let us explore these risks more fully.
The Business risks from Shadow IT
Data Breaches
Below are the four most common Shadow IT risk factors contributing to data breaches, such as the one experienced by Latitude Financial in 2023.
- Unsecured Access Points: Unsanctioned apps or cloud services often lack enterprise-grade security features like encryption or multi-factor authentication. For example, employees using personal Google Drive accounts for sensitive data might inadvertently set file permissions to "public," exposing confidential client details.
- Lack of Visibility: IT teams can’t monitor or patch vulnerabilities in tools they don’t know exist. A 2025 survey found 41% of employees use technology invisible to IT, leaving gaps like outdated software or unpatched APIs open to exploitation.
- Insider Threats: Disgruntled employees or contractors with access to shadow tools can exfiltrate data easily. For instance, a salesperson using an unauthorized CRM might export customer lists before resigning.
- Third-Party Risks: Shadow IT often involves third-party apps with weak security practices. In 2024, 68% of organizations had exposed shadow APIs, which hackers can exploit to steal data.
The Australian education sector is particularly at risk, with 42.8% of workers ADMITTING to using unauthorised cloud services like Dropbox or personal email for work. In one case, a Melbourne university discovered staff storing student grades on an unsecured personal drive, risking breaches of the Privacy Act!
Credential Management
Shadow IT doesn’t just introduce rogue software—it creates a domino effect of credential mismanagement that hackers exploit. When employees use unauthorised tools, they often bypass secure credential practices, weakening your organisation’s defenses. Here’s how it happens and why it matters:
- Unsecured Credential Storage: Employees using Shadow IT often store passwords in risky ways—like browser autofill, spreadsheets, or personal password managers—to juggle multiple logins. For example, a healthcare worker might save credentials for an unauthorized patient portal in their browser, exposing them to keyloggers or phishing attacks.
- Password Reuse: A 2025 study found 65% of remote workers reuse passwords across personal and work accounts. If a Shadow IT app is breached, hackers can exploit the same credentials to infiltrate approved systems.
- No Central Oversight: IT teams can’t enforce password policies (e.g., complexity rules, rotation) on tools they don’t control. A Melbourne marketing agency discovered employees using a freelance platform with weak, never-changed passwords, risking client data.
- Mind the MFA "Gap": While multifactor authentication (MFA) is a cornerstone of modern security, Shadow IT often bypasses it entirely. While approved apps may enforce phishing-resistant MFA such as FIDO keys, Shadow IT tools may only support SMS, or may even be configured for "convenient" access with MFA disabled!
- Dark web leakage: Shadow IT tools are often implemented in a "quick and dirty" manner and rarely afforded disciplined update and patch routines, leaving them highly exposed to credential theft, or worse still, hosts for info-stealing malware that acts as a conduit for the leaking of valid corporate credentials directly to Dark web hacking forums.
System Hijack
Shadow IT isn’t limited to rogue software—it also includes risky DNS and domain management practices that leave organisations vulnerable to system hijacking. When employees bypass IT protocols to register domains or manage DNS records, they create openings for attackers to hijack websites, email services, and CRM platforms. Here are some local examples of how this happens in practice:
- Unauthorized Domain Registrations: Marketing or sales teams might register domains for campaigns using unapproved registrars (e.g., GoDaddy instead of IT-managed providers). These domains often lack security controls like DNSSEC or multi-factor authentication (MFA), making them easy targets for hijacking.
- DNS Misconfigurations: Shadow IT teams may skip critical DNS safeguards. For example, misconfigured SPF (Sender Policy Framework) records allow attackers to spoof corporate emails. In 2021, a managed service provider (MSP) in Australia applied overly permissive SPF rules for 190 organizations, enabling cybercriminals to send phishing emails from legitimate domains.
- Lapsed Domain Renewals: Departments managing domains independently often forget renewals. Expired domains are re-registered by attackers and weaponized for phishing. Guardio Labs’ SubdoMailing campaign hijacked 72 expired Australian domains in a single day in 2023, using them to send millions of spam emails.
- Shadowed Subdomains: Attackers compromised long-standing Australian domains like barwonbluff.com.au and brisbanegateway.com, creating malicious subdomains (e.g., bancobpmmavfhxcc.barwonbluff.com.au) hosted on Russian servers. These subdomains hosted fake Microsoft login pages, harvesting credentials from unsuspecting users.
- CRM Hijacking via Expired Domains: A Sydney-based marketing agency let its campaign domain lapse, which attackers re-registered and linked to a cloned HubSpot CRM. The hijacked CRM collected client data for months before the breach was detected.
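As an added example (not code from the article or any vendor), the small offline auditor below checks an SPF TXT record for the permissive settings that enable the email spoofing described above. It makes no DNS lookups; the sample records are constructed and the domain names in them are placeholders.

```python
import ipaddress
import re

# Terms that each cost one DNS lookup; RFC 7208 limits a record to 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def audit_spf(record: str) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for one SPF TXT record string."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("error", "not an SPF record (missing v=spf1)")]
    findings, lookups, terminal = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        body = term.lstrip("+-~?")
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(("warn", "ptr mechanism is deprecated and slow to evaluate"))
        if name == "all":
            terminal = qualifier
        if name == "ip4" and "/" in body:  # flag huge ranges such as /8
            net = ipaddress.ip_network(body.split(":", 1)[1], strict=False)
            if net.prefixlen < 16:
                findings.append(("high", f"{body} authorises an extremely broad address range"))
    if terminal is None:
        findings.append(("warn", "no 'all' term: unlisted senders get a neutral result"))
    elif terminal == "+":
        findings.append(("high", "+all lets any host on the internet send as this domain"))
    elif terminal == "?":
        findings.append(("high", "?all makes the record neutral; spoofed mail is not rejected"))
    elif terminal == "~":
        findings.append(("info", "~all softfail: receivers may still deliver spoofed mail"))
    if lookups > 10:
        findings.append(("error", f"{lookups} DNS lookups exceed the limit of 10 (permerror)"))
    return findings


SAMPLE_RECORDS = {  # constructed sample records, not any real domain's
    "permissive": "v=spf1 include:_spf.example.net +all",
    "neutral": "v=spf1 a mx ?all",
    "hardened": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(label, audit_spf(rec) or "no findings")
```

Run it against the TXT records of every domain your teams have registered, including the campaign domains that never went through IT, and treat any "high" or "error" finding as a spoofing exposure to fix.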
Data Sovereignty
Shadow IT often leads to data being stored in foreign cloud services, creating sovereignty risks that conflict with Australian laws. Such unsanctioned tools expose businesses to legal, financial, and reputational harm, for example:
- The US CLOUD Act: allows US authorities to compel American cloud providers (e.g., AWS, Microsoft) to disclose data stored anywhere globally, even if it violates Australian privacy laws (there are, however, specific privacy protections in the Australia-US CLOUD Act Agreement that significantly restrict what data can be accessed, how, and by whom).
- Chinese Intelligence Laws: require domestic companies to share data with government agencies upon request, posing risks for Australian firms using tools like TikTok for marketing.
- Healthcare Requirements: Storing patient records in unapproved clouds may breach the Health Records and Information Privacy Act 2002.
- Financial Data Storage: Using unauthorized CRMs could violate the Australian Privacy Principles (APPs) by failing to protect client financial data.
Specific Challenges
Below are examples of specific employee challenges that are likely to be encountered when investigating Shadow IT "deployments". Best advice: be prepared, know what the corporate "rules" are, and have alternative solutions available!
But it's my Device
When employees push back with “It’s my device—I should choose what I use,” they’re often prioritising convenience over security. However, in regulated industries like aged care, healthcare, and professional services, this mindset can expose organisations to significant risks. Here’s how to address these concerns while maintaining compliance and fostering collaboration.
1. Acknowledge the Concern, Then Educate
Start by validating the employee’s perspective:
“We understand that using familiar tools can boost productivity, but our policies exist to protect both you and the organisation.”
- Reinforce Policies Provided During Onboarding - Set expectations early by integrating governance into onboarding:
  - Written BYOD Agreements: Require employees to sign policies outlining security measures (e.g., mandatory MFA, remote wipe permissions) and consequences for non-compliance.
  - Interactive Training: Replace dry documents with engaging modules. For example:
    - “What’s the risk?” quizzes using scenarios like phishing attacks via personal devices.
    - Video walkthroughs of approved tools (e.g., Microsoft Teams vs. unauthorized Slack channels).
2. Offer Secure Alternatives
Provide flexibility within guardrails:
- CYOD (Choose Your Own Device): Let employees select from pre-approved devices with built-in security controls (e.g., encrypted storage, managed updates).
- Sandbox Environments: Allow testing of new tools in isolated settings if they meet compliance standards.
3. Enforce Consistently
Policies only work if applied uniformly:
- Automated Enforcement: Use MDM solutions to block unauthorized apps and enforce password policies.
- Consequences: Clarify that repeated violations may lead to device restrictions or disciplinary action.
Phrase for Pushback:
“We appreciate your initiative, but our policies apply to everyone to ensure fairness and protect the organisation. Let’s find a solution that works within these guidelines.”
I work faster with this tool
When employees insist, “I work faster with this tool,” they’re often prioritising efficiency over security and compliance. While their intentions may be good, unapproved tools can introduce serious risks. Here’s how to address this concern while fostering collaboration and maintaining governance standards.
1. Acknowledge the Productivity Concern
Start by validating the employee’s perspective:
“We understand that finding the right tools can make your work easier and faster. However, our policies exist to ensure that the tools you use are secure, compliant, and beneficial for the entire organisation.”
2. Reinforce Policies During Onboarding
Prevent Shadow IT from becoming a problem by addressing tool usage early:
- Tool Approval Process: Clearly outline procedures for requesting new tools during onboarding. For example, explain how employees can propose alternatives if they feel approved tools are slowing them down.
- Interactive Training Modules: Use real-world examples to show the risks of unapproved tools. For instance:
  - “What happens when a free tool is breached?” scenarios highlighting data leaks and compliance penalties.
  - Comparisons between approved tools (e.g., Microsoft Teams) and risky alternatives (e.g., WhatsApp for work communication).
3. Align Tool Usage with Corporate Governance Frameworks
Explain that tool restrictions aren’t arbitrary—they’re tied to broader governance goals:
- Risk Mitigation: Shadow IT expands the attack surface, increasing the likelihood of breaches. A 2025 report found that 41% of employees use unauthorized tools, creating gaps in IT oversight.
- Regulatory Compliance: Governance frameworks like ISO 27001 require strict controls over software usage and data storage.
- Stakeholder Trust: Clients expect businesses to protect their information using secure systems. Breaches linked to unapproved tools can erode trust and damage reputations.
4. Offer Secure Alternatives That Match Productivity Needs
Rather than outright rejecting an employee’s preferred tool, offer secure alternatives that meet their needs:
- Internal App Store: Create a library of pre-vetted tools that employees can choose from based on their workflows. For instance, a Sydney marketing agency reduced Shadow IT by 70% after introducing an internal app store featuring approved software like Xero and Slack.
- Sandbox Testing Environments: Allow employees to test new tools in isolated environments where IT can evaluate security features before approval.
5. Collaborate on Solutions Instead of Enforcing Top-Down Restrictions
Employees often turn to Shadow IT because approved systems don’t meet their needs or are perceived as inefficient. Engage them in discussions about their challenges:
- Ask Questions: “What specific features does this tool have that you feel are missing in our current systems?” This opens the door for IT teams to explore ways to enhance existing platforms or approve new ones securely.
- Highlight Approved Tool Benefits: Demonstrate how sanctioned solutions integrate better across departments and offer enterprise-grade support that free or unapproved apps lack.
6. Enforce Policies Consistently Across Teams
Policies must apply uniformly across all departments to avoid favoritism or confusion:
- Automated Enforcement Tools: Use SaaS management platforms or Cloud Access Security Brokers (CASBs) to detect unauthorized apps and enforce usage policies automatically.
- Consequences for Non-Compliance: Clearly communicate potential repercussions for repeated violations, such as restricted access or disciplinary measures.
Mitigation Strategies
Apart from the usual corporate policies that govern what is considered acceptable, the one approach that comes up trumps more often than not is ensuring the key people within your organisation know:
- HOW to request access to a tool
- WHO has the authority to approve access; and
- WHAT the expectations on the evaluation process are
Having accessible and consistent answers to these key questions provides a simple framework that minimises the need for team members to seek out Shadow IT solutions.