I recently learned about yet another emerging data security issue with a name like something out of a James Bond movie: Shadow IT. (Who knew the world of IT was so insidious? BlackHat, Ransomware, the Internet of Things… It’s like we’re living in the Twilight Zone.) While it might sound like a bespectacled IT guy in a trenchcoat tailing you on your morning run for lattes, it’s actually not so funny.

Back in the day, the IT department ruled the roost. That is to say, they were in charge of IT, they were in control of IT, and they were in the know about IT. Seems obvious, right? Isn’t that their job? Well, yes, but it’s not so easy anymore. Between the device explosion and BYOx, the cloud takeover, and the ever-growing number of high-quality consumer file-sharing and productivity apps, the IT department rarely (if ever) knows everything that’s going on when it comes to an organization’s IT activities. Shadow IT refers to all the projects and apps that are being deployed within an organization without the knowledge, approval, or management of the IT department.

We’ve been talking a lot about insider threats and unauthorized access. Skyhigh Networks’ Q4 2014 Cloud Adoption and Risk Report, which is based on 15 million users’ anonymous data (not surveys), found that the average company uses almost 900 cloud services, and the average person uses almost 30 – which is way more than IT departments are accounting for. The report also quantifies stolen login credentials, and uncovers a worldwide black market where almost any company’s login credentials can be bought by shady folks who probably don’t want to log in as you and gift you some bitcoins.

While Shadow IT apparently sprang from employee impatience for new software (come on dude, I need those new Excel macros!), it’s now recognized as one of the biggest threats to data security, and growing. In fact, some estimates put Shadow IT spending as high as 40% of all IT spending. (Bet your CFO doesn’t want to hear that.)

So to recap. Shadow IT is any form of IT being used in an organization, outside of the management and control of the IT department. Which means all the data being exchanged and worked on in Shadow IT is unsecured. Which means… well, there may be a guy in a trenchcoat following your data around, trying to do something bad. Which means you need a solid data security plan to cover your back.

Do you have one?