At many organizations we regularly see users relying on tools and services that have no official place in the company's IT policy, for example WhatsApp, Dropbox or WeTransfer. An app is downloaded in seconds and a Gmail or Dropbox account is created in a few clicks. However harmless it may seem, this shadow IT can pose a major threat to your organization, not only from a security point of view but also in terms of GDPR compliance: personal data ends up in services with which the company has no processing agreement and over which it has no control.


Shadow IT usually arises out of ignorance rather than ill intent. Employees may not be aware of the options the company already offers for communicating or sharing files, or they may not know how to file a request, so they set something up themselves. Think of a team that creates a WhatsApp group as an alternative to Teams, or colleagues who set up a Dropbox folder because they do not know what SharePoint Online can do. It all looks innocent, but as a company you have no control over the data being exchanged or the files being shared: you cannot see who has access, you cannot revoke that access when someone leaves, and you cannot produce the data if a customer or regulator asks for it.

Guaranteeing compliance

The objective of an IT department should be to support people in such a way that they know which tools and applications are available within the organization and how best to use them. Only then can you ensure that your IT environment complies with the company's IT standards, monitor that environment adequately, and keep a grip on both security and costs.

Tips to prevent shadow IT


Make sure that people are aware of the possibilities offered by your organization’s IT environment and how they can use it correctly. Offer different forms of training; this can vary from one-on-one coaching to webinars, and from a smart online help tool to gamification.


Make sure that people are aware of the IT policy. It is no doubt referenced in the contracts your employees signed, but in practice that was long ago and not everyone remembers the exact content. Consider explaining the policy and the rules in its IT section in a different form, and make clear what the risks of not complying are. You could, for example, point out the dangers of phishing, email scams, or USB sticks of unknown origin.

Technical measures

You can also implement appropriate technical measures, but keep them user-friendly so that they do not drive employees towards workarounds. Examples are a secured connection such as a VPN, encryption of data in transit, and multi-factor authentication. You could also deploy a data loss prevention (DLP) rule that recognizes when someone is about to send, for example, credit card numbers or a BSN (citizen service number) by email. Depending on the sensitivity of the data, you can then either warn the sender and advise against it, or simply block the email from being sent.
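The following is an added illustration of how such an outbound email check can work; it is not code from the original article or from any particular DLP product. It assumes a hypothetical policy that blocks mail containing a card number and only warns about a BSN. Candidate numbers are found with a regular expression and then validated with the Luhn check (credit cards) and the Dutch "elfproef" (BSN), so that an order number or phone number that merely happens to be nine or sixteen digits long is not flagged. The sample email is constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical policy for this example: action per category of sensitive data.
# "block" stops the mail from being sent, "advise" shows the sender a warning.
POLICY = {"credit_card": "block", "bsn": "advise"}

# Candidate patterns. Lookarounds instead of \b so that a longer run of digits
# is never cut into a shorter "match". Cards may be written with spaces/dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13..19 digits
BSN_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")                   # exactly 9 digits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def bsn_ok(digits: str) -> bool:
    """Dutch BSN 'elfproef': weighted sum with weights 9..2 and -1 for the
    last digit must be divisible by 11. The all-zero number is not a BSN."""
    if len(digits) != 9 or not digits.isdigit() or digits == "000000000":
        return False
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    total = sum(w * int(d) for w, d in zip(weights, digits))
    return total % 11 == 0


@dataclass
class Finding:
    category: str
    masked: str   # only the last four digits are kept, so the log itself is not a leak
    action: str


def _mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(body: str) -> list[Finding]:
    """Return every validated sensitive number found in an email body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("credit_card", _mask(digits), POLICY["credit_card"]))
    for m in BSN_RE.finditer(body):
        if bsn_ok(m.group()):
            findings.append(Finding("bsn", _mask(m.group()), POLICY["bsn"]))
    return findings


def decide(body: str) -> str:
    """Overall verdict for the mail: 'block' beats 'advise' beats 'allow'."""
    actions = {f.action for f in scan(body)}
    if "block" in actions:
        return "block"
    if "advise" in actions:
        return "advise"
    return "allow"


# Constructed sample email. 4111 1111 1111 1111 is a well-known card test
# number and 111222333 a commonly used test BSN; 123456789 fails the elfproef
# and the phone number has ten digits, so neither is flagged.
SAMPLE_MAIL = """Hi, here are the customer's details:
Card number: 4111 1111 1111 1111
BSN: 111222333
Order number 123456789, phone 0612345678."""

if __name__ == "__main__":
    for f in scan(SAMPLE_MAIL):
        print(f)
    print("verdict:", decide(SAMPLE_MAIL))
```

The checksum step matters in practice: about one in ten random sixteen-digit numbers passes Luhn and one in eleven random nine-digit numbers passes the elfproef, so the validators cut false positives by roughly that factor but do not eliminate them. Real DLP rules therefore usually add context, such as a nearby keyword ("BSN", "card number") or a minimum number of hits, before blocking rather than merely advising.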

Match your system to the wishes of your employees

Whatever measures you implement, you will always have to deal with the risks introduced by your employees' own actions. It is therefore best to make sure that your IT environment genuinely meets your employees' needs, because otherwise people will find their own solutions. That is undesirable from a security point of view and it leads to extra costs. Those costs are not limited to what a department pays for its own tools and subscriptions; they also include the cost of resolving cyber incidents and possible fines for violating the GDPR.