Shadow IT: The silent security threat lurking in your business 

Executive summary 

  • Shadow IT – the practice of staff using unapproved apps and tools without IT’s knowledge – is one of the fastest-growing security risks facing UK businesses in 2026. 
  • The danger isn’t only wasting money on duplicate software. Unauthorised apps can expose your business to data breaches, compliance failures, and ransomware. 
  • Microsoft Defender for Cloud Apps can help you discover, assess, and control thousands of cloud applications across your business, and works seamlessly alongside Microsoft 365 Copilot. 

Introduction 

Cast your mind back to the last time someone in your office said, “I just use [app name] for that – it’s much easier”. 

Maybe it was a project manager who’d started using a free task-tracking tool because the company system was “too slow”. Or perhaps it was someone in finance quietly using a browser-based PDF converter to process invoices. Or the sales team messaging about deals in a WhatsApp group because “email takes too long”. 

All of these situations have something in common: they involve staff using software that your IT team has never heard of, never approved, and certainly never secured. 

That’s Shadow IT. And while it might sound like something from a cyberpunk thriller, the reality is a lot more mundane – and a lot more dangerous. 


What exactly is Shadow IT? 

Shadow IT is any piece of software, application, or cloud service being used within your business without the knowledge or approval of your IT department. 

It happens for entirely understandable reasons. People want to get their jobs done. If the approved tool is clunky, slow, or simply doesn’t exist, they’ll find something that works. A quick Google search, a free account, and they’re off and running. No paperwork. No IT ticket. No problem. 

Except, of course, there are quite a few problems. 


The risks go well beyond a wasted subscription 

The most obvious concern people raise about Shadow IT is cost: paying for the same functionality twice without realising it. That’s a real issue, but it’s probably the least of your worries. The more serious risks include: 

  • Data leaving your control. When a member of staff uploads a client contract to an unapproved file-sharing site, or pastes sensitive information into a free AI tool, that data has left your secure environment. You have no idea where it’s stored, who can access it, or whether it’ll be used to train an AI model. For UK businesses operating under GDPR, this is a compliance risk that could result in significant fines. 
  • Unpatched vulnerabilities. Approved software is managed, monitored, and updated by your IT team. Shadow IT isn’t. If a rogue app has a known security flaw, nobody is patching it. That’s an open door for attackers. 
  • Compromised credentials. Many free tools require sign-up with a work email address, and people often reuse passwords. If that third-party tool suffers a data breach, an attacker could have credentials that also work on your Microsoft 365 account. 
  • No visibility, no response. You can’t investigate a security incident involving a tool you didn’t know existed. If something goes wrong with an unauthorised app, your security team is flying blind. 
  • Compliance failures. Regulated industries – finance, healthcare, legal – have strict rules about where data can be stored and who can access it. A free cloud tool hosted on servers in an unknown jurisdiction could be a serious regulatory violation waiting to happen. 

The scale of the problem might surprise you 

This isn’t a niche issue affecting a handful of careless employees.  

The vast majority of enterprise cloud usage is invisible to IT teams, with organisations typically running far more apps than they’re aware of. Microsoft Defender for Cloud Apps can detect and assess over 33,000 cloud applications – which gives you a sense of the sheer scale of the ecosystem that could be operating under your radar. 

The rise of generative AI has made this considerably worse.  

As we’ve written about before, the temptation for staff to use free, public AI tools is enormous. If you haven’t provided them with an approved option, they’ll find their own – and the data risks that come with that are significant. It’s exactly why we’re such strong advocates for Microsoft 365 Copilot as a safe, enterprise-grade alternative. When your team has access to a powerful AI tool that keeps data within Microsoft’s secure environment, the appeal of free public chatbots drops considerably. 


How to bring Shadow IT under control 

The good news is that this is a solvable problem, and you don’t need to play the role of IT police to fix it. 

The starting point is visibility.  

You genuinely cannot manage what you cannot see. The first step is to run a proper discovery exercise across your network to understand what’s actually being used. Microsoft Defender for Cloud Apps is designed exactly for this purpose – it maps your entire SaaS application landscape, assesses each app against more than 90 risk factors, and gives you a clear picture of where your exposure lies. 

From there, you can make informed decisions: approve the tools that are genuinely useful and low-risk, restrict or block the ones that aren’t, and – crucially – ensure you have proper enterprise alternatives in place for the most common use cases. If staff are using a rogue AI chatbot because you haven’t deployed Copilot yet, that’s an opportunity, not just a problem. 

Finally, don’t underestimate the power of communication.  

Most Shadow IT isn’t malicious – it’s just people trying to do their jobs. If you explain the risks clearly, make the approved tools genuinely usable, and create a straightforward way for staff to request new tools through proper channels, you’ll find that compliance follows naturally. 
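To make the discovery step concrete, here is a small added illustration (not Microsoft's code and not what Defender for Cloud Apps does internally): it aggregates constructed web-proxy log lines per destination, compares each destination against an IT-maintained approved list, and reports the unapproved apps ranked by upload volume and user count. The log format, the approved list and the hostnames are all assumptions made up for the example.

```python
"""Minimal Shadow IT discovery over web-proxy logs (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample proxy log lines: user, destination host, bytes uploaded.
SAMPLE_LOG = """\
alice@example.co.uk sharepoint.com 120000
bob@example.co.uk sharepoint.com 5000
bob@example.co.uk free-pdf-convert.example 2400000
carol@example.co.uk free-pdf-convert.example 900000
dave@example.co.uk chat.public-ai.example 150000
alice@example.co.uk teams.microsoft.com 80000
"""

# Sanctioned apps, as decided by IT after the discovery exercise (constructed).
APPROVED = {"sharepoint.com", "teams.microsoft.com"}


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    bytes_uploaded: int = 0


def parse_log(text):
    """Aggregate per-destination usage: distinct users and total upload volume."""
    usage = defaultdict(AppUsage)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole report
        user, host, nbytes = parts
        usage[host].users.add(user)
        usage[host].bytes_uploaded += int(nbytes)
    return usage


def shadow_it_report(usage, approved=APPROVED):
    """Return (host, user_count, bytes_uploaded) for unapproved apps, biggest uploads first."""
    rows = [(host, len(u.users), u.bytes_uploaded)
            for host, u in usage.items() if host not in approved]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for host, nusers, nbytes in shadow_it_report(parse_log(SAMPLE_LOG)):
        print(f"{host:30} users={nusers} uploaded={nbytes / 1e6:.1f} MB")
```

The ranked list is the input to the approve/restrict/block decision described above: a high-volume unapproved destination used by several people is a candidate for an enterprise alternative, not just a block rule.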


We can help you see the full picture 

If you suspect Shadow IT is a problem in your business – or if you simply want to know for certain – we can help you run a discovery exercise and build a clear plan to bring things under control. 

Whether you want to explore Microsoft Defender for Cloud Apps, talk about deploying Microsoft 365 Copilot as a safe AI platform for your team, or simply get a handle on what’s running on your network, we’re here to help. 

Speak to your Get Support Customer Success Manager or call our friendly team on 01865 594 000.