The Differences and Similarities Between Shadow IT and BYOC
This article examines the concepts of Shadow IT and BYOC (Bring Your Own Cloud) and the risks they pose to enterprise security and compliance. Shadow IT refers to technology resources that employees use without approval, while BYOC specifically means employees using personal cloud services to handle enterprise data. Both can lead to data leakage, compliance problems and security vulnerabilities. The article recommends mitigating these risks through discovery tools, policy, zero-trust principles and employee training. 2025-7-3 07:39:18 Author: securityboulevard.com

In business, there is a hard truth: Some employees follow the rules, and others are willing to take risks and create shortcuts to complete projects and improve productivity. In many cases, employees do not wait for IT approval when these challenges occur and take the matter into their own hands. Typically, departments will assume their own responsibility for the project and license technology and tools that span from procuring software to hosting servers, embracing cloud services (XaaS) and even connecting personal devices to sensitive networks. 

What many leaders don’t realize is that this behavior often branches into two seemingly similar but distinct challenges with two distinct definitions: Shadow IT and BYOC (Bring Your Own Cloud). Both exist in the gray zone of enterprise information technology and security, and understanding the difference is the first step toward mitigating their risks successfully. To begin, let’s break down these concepts and the strategies needed to eliminate their impact within an organization. 

What is Shadow IT? 

Shadow IT is any tech resource, hardware, software, or asset that employees use without formal approval from the organization’s IT or security teams. Historically, Shadow IT often referred to physical assets like USB devices, rogue wireless networks, or devices used for the operation of the business but not authorized or maintained by the approved governing body within an organization. This scope has changed in recent years to include digital services as well. This includes collaboration applications like Slack, cloud storage services like Dropbox, or even development platforms like GitHub that exist outside of IT and InfoSec governance. 

The Risks of Shadow IT: 

  • Data leakage: Sensitive files stored in unmonitored locations become prime targets for cyberattacks. 
  • Lack of visibility: Governance, risk and compliance teams cannot document and protect unknown locations of sensitive information. 
  • Compliance violations: Regulatory mandates, such as GDPR or HIPAA, can be breached if confidential data flows into unauthorized environments or is used for inappropriate business functions. 
  • Poor patching and security: Shadow IT applications may not follow the organization’s patch or configuration management workflows, creating unnecessary vulnerabilities. 

What is BYOC (Bring Your Own Cloud)? 

BYOC takes the principles of Shadow IT and ties them directly to cloud-based services and storage systems. These could be any type of XaaS solution, where “X” refers to solutions, platforms, or infrastructure as a service (and not “X” as in the previous social media platform known as Twitter). With BYOC, employees implement their preferred cloud solutions and ignore the risks, management and security for any information stored, shared, or processed — including sensitive information that might be under regulatory compliance for the organization. 

While Shadow IT encompasses any unauthorized technology, traditionally from an asset perspective, BYOC narrows the focus to XaaS cloud usage. If you consider ChatGPT, e-notebooks like reMarkable, or even iCloud syncing services, sensitive corporate information could be stored or even processed well outside the reach of IT and InfoSec teams. The issue with BYOC is not just data loss but data governance and fragmentation: the organization may not know what data exists outside its boundary, how sensitive that information is, or, when a security event occurs, whether the rogue copy was the source. 

The Risks of BYOC: 

  • Cross-environment data proliferation: Sensitive data might move between personal devices, unmanaged cloud services and even insecure external collaborators, potentially in foreign geolocations. 
  • Weak access control: Personal cloud platforms often lack robust multi-factor authentication (MFA), enterprise-grade security controls and activity logging to identify inappropriate behavior. 
  • Limited visibility into third-party apps: Many cloud services integrate with third-party browser plugins and agent AI technology, increasing the organization’s attack surface. 

Why Shadow IT and BYOC are Similar but Different 

Shadow IT and BYOC both emerge from an employee’s drive to be efficient, but they are not identical. Shadow IT is an overarching term for any unauthorized asset or solution, while BYOC specifically refers to cloud resources and services. Some may argue that BYOC is a subset of Shadow IT, but by definition a BYOC service need not be connected to corporate systems at all, as Shadow IT typically is, yet it can still hold information outside of corporate reach. Again, consider an employee using ChatGPT on a personal system to create content or develop code for the business and bringing that information back into the organization via almost any medium, including email. 

In addition, many organizations may claim to have solved Shadow IT issues with strict tooling and governance. However, BYOC can easily elude corporate policies and become both a technology and policy issue with no apparent solution since it is outside the scope of the organization’s IT practices. 

Mitigation Strategies 

Truthfully, both concepts create blind spots, challenge data security policies and can put sensitive information at risk. But the solutions to each vary slightly due to their distinct technical scope. 

As a matter of policy, organizations should be wary of shutting down employee autonomy entirely. This generally causes discord and trust issues if a heavy hand is enforced. The key is striking the right balance between security, management, risk and usability: 

  1. Implement Shadow IT discovery tools: Solutions like CASBs (Cloud Access Security Brokers), web content filtering and privileged access management technology can help detect and manage unapproved applications and cloud usage based on network traffic and privileged activity. 
  2. Encourage approved BYOC based on policy: In lieu of banning all third-party cloud services altogether (the heavy hand), provide employees with a list of pre-vetted apps they can use safely. Most importantly, provide a process to approve, review and deprecate cloud services outside the scope of IT. 
  3. Apply the principles of zero-trust: Require strong identity verification with measurable confidence, strong encryption, endpoint controls that mitigate data loss, asset health checks and automated quarantine of non-compliant assets. 
  4. Train employees: Many BYOC and Shadow IT risks come from employees seeking productivity shortcuts who do not know how to get a new system approved or disagree with IT and security teams’ decisions. Train them to recognize security risks, ask key questions—such as whether an application supports MFA—and ultimately recommend safe alternatives. 
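The discovery step above (CASB, web content filtering, traffic-based detection) and the pre-vetted app list can be illustrated with a small defender-side script. The following is an added example, not code from the article or from any CASB vendor: it reads web-proxy log lines, compares each destination against a sanctioned-service allowlist and a catalogue of known personal-cloud and AI services, and flags BYOC uploads plus large uploads to unknown hosts for policy review. The log format, hostnames, users and thresholds are all constructed assumptions; the byte threshold for unknown hosts goes slightly beyond the text by showing how "unknown" traffic, not just catalogued services, can be surfaced.

```python
"""
Added example (not from the Security Boulevard article): a minimal Shadow IT / BYOC
discovery pass over web-proxy logs, in the spirit of the CASB / content-filtering
approach described in the mitigation list. Destinations are compared against a
sanctioned-service allowlist and a catalogue of known personal-cloud / AI services;
everything else is "unknown". All hostnames, users and log lines are constructed.
"""
from dataclasses import dataclass
import re

# Pre-vetted services the organization has approved (hypothetical corporate tenants).
SANCTIONED = {
    "corp.sharepoint.example",
    "mail.example.com",
    "github.example-enterprise.com",
}

# Known consumer cloud / AI services: usage is BYOC unless explicitly approved.
KNOWN_BYOC = {
    "dropbox.com": "cloud storage",
    "icloud.com": "cloud storage",
    "chat.openai.com": "generative AI",
    "my.remarkable.com": "e-notebook sync",
}

# Assumed proxy log format: <ts> <user> <method> <host> <status> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)

@dataclass
class Finding:
    user: str
    host: str
    category: str          # "sanctioned", "byoc:<kind>" or "unknown"
    uploads: int = 0       # number of POST/PUT requests (data leaving the org)
    bytes_out: int = 0     # bytes sent by the client on those requests

def classify(host: str) -> str:
    """Map a destination host to sanctioned / byoc:<kind> / unknown.
    Subdomains of a catalogued service are attributed to that service."""
    if host in SANCTIONED:
        return "sanctioned"
    for svc, kind in KNOWN_BYOC.items():
        if host == svc or host.endswith("." + svc):
            return f"byoc:{kind}"
    return "unknown"

def discover(log_lines):
    """Aggregate per (user, host). Returns {(user, host): Finding}.
    Malformed lines are skipped rather than raising, as a log pipeline would."""
    findings = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        user, host = m["user"], m["host"]
        f = findings.setdefault((user, host), Finding(user, host, classify(host)))
        if m["method"] in ("POST", "PUT"):
            f.uploads += 1
            f.bytes_out += int(m["bytes_out"])
    return findings

def report(findings, min_bytes_out=1_000_000):
    """Return findings worth a policy review: any upload to a known BYOC service,
    plus unknown hosts that received at least min_bytes_out of uploads."""
    flagged = []
    for f in findings.values():
        if f.category.startswith("byoc:") and f.uploads > 0:
            flagged.append(f)
        elif f.category == "unknown" and f.bytes_out >= min_bytes_out:
            flagged.append(f)
    return sorted(flagged, key=lambda f: f.bytes_out, reverse=True)

# Constructed sample proxy log; the last line is deliberately malformed.
SAMPLE_LOG = [
    "2025-07-01T09:02:11Z alice GET corp.sharepoint.example 200 0",
    "2025-07-01T09:05:40Z alice POST corp.sharepoint.example 201 2400000",
    "2025-07-01T09:10:03Z bob POST dl-web.dropbox.com 200 5200000",
    "2025-07-01T09:11:17Z bob POST chat.openai.com 200 18000",
    "2025-07-01T09:12:00Z carol GET cdn.some-vendor.example 200 0",
    "2025-07-01T09:15:22Z carol PUT upload.unlisted-app.example 200 1500000",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    for f in report(discover(SAMPLE_LOG)):
        print(f"{f.user:6} {f.host:30} {f.category:22} "
              f"uploads={f.uploads} bytes_out={f.bytes_out}")
```

Run as-is, the report lists bob's Dropbox and ChatGPT uploads and carol's large upload to an unlisted host, while alice's SharePoint traffic and carol's passive CDN fetch are not flagged. In practice the allowlist would be maintained through the approval and deprecation process described in step 2, and the findings would feed a review queue rather than an automatic block, which keeps the balance between usability and control that the article argues for.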

The rise of Shadow IT and BYOC is not a problem you can eliminate overnight, nor should you try. These behaviors reflect the modern employee’s desire for flexibility, speed and collaboration. The real question is whether organizations can leverage that need without compromising security or violating the law. The answer lies in visibility, proactive policies and the understanding that even the most productive shortcuts can come with risks to the organization. 

The difference between Shadow IT and BYOC is subtle, but resolving each requires different policies, procedures and technology. As with all cybersecurity issues, education is key, and tackling each of these problems should be top of mind for all executives and cybersecurity professionals.


Source: https://securityboulevard.com/2025/07/the-differences-and-similarities-between-shadow-it-and-byoc/?utm_source=rss&utm_medium=rss&utm_campaign=the-differences-and-similarities-between-shadow-it-and-byoc