Shadow IT — the use of technology, software, and cloud services that have not been approved, procured, or monitored by the IT function — is one of the most underestimated sources of financial and operational risk in UK manufacturing today. It is also almost universal. In every manufacturer we work with at Bailey and Associates, we find shadow IT. The question is never whether it exists; it is how much it is costing you, and how much risk it is creating.
In this post, we explain where shadow IT comes from in manufacturing environments, what it actually costs, the risks it creates, and how a Fractional CIO approach can bring it under control without destroying the initiative and resourcefulness that created it in the first place.
What is shadow IT in manufacturing?
Shadow IT in a manufacturing business takes many forms. It includes the Excel workbook that the production planner built five years ago and that now effectively runs the scheduling function. It includes the WhatsApp groups that engineering teams use to coordinate shift handovers because the official communication tool is too slow. It includes the cloud storage account that the quality manager set up to share documents with a key customer because the company file server was too difficult to access remotely. It includes the SaaS subscription that the procurement team bought on a company credit card because IT said it would take three months to evaluate and they needed it now.
None of these things started as deliberate acts of defiance. They started as practical solutions to real problems that the official IT function either could not or did not solve quickly enough. That is the root cause of shadow IT in almost every manufacturing business we see: the gap between what operations needs and what IT can deliver.
The financial cost of shadow IT
The direct financial cost of shadow IT is almost always larger than manufacturers expect when they first look at it properly. For a manufacturer with 150–300 employees, the typical shadow IT spend we find sits between £25k and £75k per year — money being spent on unapproved tools, duplicate software, personal subscriptions billed to company cards, and cloud services that nobody in IT knows exist.
But the direct spend is only part of the cost. The indirect costs are often larger:
- Duplicated effort: When data lives in multiple unofficial systems, people spend time reconciling it, re-entering it, and arguing about which version is correct. In manufacturing, this shows up as production planners spending hours each week maintaining spreadsheets to do work that the ERP should handle automatically.
- Missed licence consolidation: Companies routinely pay for the same capability in both their official stack and their shadow stack. When a Fractional CIO audits shadow IT, it is common to find £10k–£30k of redundant SaaS spend that can be eliminated immediately.
- Rework and errors: Manual processes built on shadow IT are error-prone. When a scheduling spreadsheet contains an error, it can trigger production runs for the wrong quantities, raw material orders that are not needed, and delivery commitments that cannot be met. The cost of a single serious error in a manufacturing operation can easily exceed the entire annual shadow IT spend.
- Staff time: Maintaining unofficial systems takes time that could be spent on higher-value work. Every hour a skilled engineer or planner spends maintaining a homemade database is an hour not spent on process improvement, quality, or customer delivery.
The risk cost of shadow IT
Beyond the financial cost, shadow IT creates three categories of serious risk in manufacturing environments.
Cybersecurity risk
Unapproved cloud services and personal devices are the most common entry point for cyberattacks in manufacturing. When an employee uses a personal Dropbox account to share production drawings with a supplier, or installs an unapproved remote access tool on a production PC, they create a security gap that your IT team does not know about and therefore cannot protect against. Manufacturing is one of the most targeted sectors for ransomware precisely because these gaps are so common.
Data protection and compliance risk
Shadow IT almost always involves data leaving the control of the business. Customer data, production data, quality records, and financial information routinely end up in personal cloud storage, unapproved collaboration tools, and consumer-grade applications that have no data processing agreements in place. Under UK GDPR, this creates material regulatory risk. Under sector-specific standards like TISAX or ISO 27001, it can jeopardise certifications that customers require.
Business continuity risk
When critical business processes depend on systems that only one person built and understands, you have a single point of failure. When that person leaves, is ill, or is on holiday, the process breaks. We have seen manufacturers lose entire days of production because a key scheduling spreadsheet was corrupted and the person who maintained it was unavailable. This is not a theoretical risk — it is a regular occurrence in plants where shadow IT has been left unchecked.
Why telling people to stop does not work
The instinctive response to shadow IT is to ban it. Issue a policy, tell people to stop using unapproved tools, and enforce compliance. This approach almost always fails, for a simple reason: it addresses the symptom without addressing the cause.
If the production planner is maintaining a scheduling spreadsheet because the ERP does not give them the visibility they need, banning the spreadsheet does not give them that visibility. It just forces them to make decisions with worse information, or to find a new unofficial tool that IT does not know about yet.
The right approach is to understand why shadow IT exists — what needs it is meeting that official systems are not — and then make a deliberate decision about whether to bring those needs into the official IT roadmap or to accept and manage the unofficial solution within a defined framework.
How to bring shadow IT under control
Bringing shadow IT under control in a manufacturing environment requires four things done in sequence.
1. Audit and map what exists
You cannot manage what you cannot see. The first step is a comprehensive audit of all technology in use across the business — not just what IT procured and manages, but what every team and individual is actually using to do their job. This includes SaaS applications, cloud storage, communication tools, custom spreadsheets that function as systems, and personal devices used for work purposes.
This audit is best led by a Fractional CIO who can conduct it without the political friction that sometimes arises when internal IT tries to identify tools that departments have been hiding from them.
2. Categorise and risk-assess
Not all shadow IT is equally risky. A team using an unapproved project management tool to track internal tasks is a different level of risk from engineering using a personal cloud storage account to share design files with suppliers. Each item identified in the audit needs to be categorised by the type of data it handles and the risk it creates, so that the response can be prioritised accordingly.
3. Decide: adopt, replace, or retire
For each item of shadow IT, there are three possible responses: adopt it formally (bring it into the approved stack with proper procurement, security review, and support), replace it with an official capability that properly meets the underlying need, or retire it because the need it was meeting can be met another way. The decision should be made on the basis of business need and risk, not IT preference.
4. Fix the underlying IT delivery problem
Shadow IT is a symptom of IT delivery failure. If operations teams are routinely going around IT to solve their problems, it is because IT is too slow, too bureaucratic, or too disconnected from operational reality to meet their needs. Fixing this requires changes to how IT engages with the business — faster decision-making, clearer processes for requesting new tools, and a genuine commitment to solving operational problems rather than just maintaining existing systems.
This is precisely where a Fractional CIO from Bailey and Associates adds consistent value. We sit between IT and operations, understand both worlds, and redesign the relationship so that the business gets the tools it needs through channels that are secure, compliant, and cost-effective.
FAQs: Shadow IT in UK manufacturing
How much shadow IT does the average UK manufacturer have?
In our experience, manufacturers with 100–500 employees typically have between 20 and 50 unapproved applications or tools in active use across the business, representing £25k–£75k of unmanaged annual spend and significant security and compliance exposure.
Is shadow IT illegal?
Shadow IT itself is not illegal, but it frequently creates legal risk. Using unapproved tools to process customer data without appropriate agreements in place can breach UK GDPR. Sharing controlled technical data via unsecured consumer services can breach export control or customer contractual requirements.
How do we find shadow IT we do not know about?
A combination of network traffic analysis, expense audit, and structured interviews with department heads will typically surface the majority of shadow IT within a manufacturing business. A Fractional CIO can lead this process objectively and without the political friction that often arises when internal IT investigates.
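The audit and categorise steps above, and the discovery approach described in this answer, can be made concrete in a small script. The following is an added example, not code from Bailey and Associates or from the original post. It correlates two of the three sources named here, web proxy logs and company card expenses, against an approved-service list, and prioritises what it finds by the sensitivity of the data the owning department handles. The log format, the expense CSV layout, the SaaS catalogue, the user-to-department and department-to-data mappings, and the risk weights are all constructed assumptions that a real audit would replace with the business's own data; the adopt, replace or retire decision is deliberately left to the review rather than automated.

```python
"""Shadow IT discovery: correlate proxy traffic and card spend into a risk-ranked
inventory. Added example; every data set below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed assumptions a real audit would replace with its own records.
APPROVED_SERVICES = {"Microsoft 365", "ERP vendor"}            # procured and managed by IT
SAAS_CATALOGUE = {                                             # registrable domain -> vendor
    "dropbox.com": "Dropbox", "wetransfer.com": "WeTransfer", "trello.com": "Trello",
    "anydesk.com": "AnyDesk", "m365.example": "Microsoft 365", "erp-vendor.example": "ERP vendor",
}
MERCHANT_HINTS = {"DROPBOX": "Dropbox", "WETRANSFER": "WeTransfer", "TRELLO": "Trello",
                  "ANYDESK": "AnyDesk", "MICROSOFT 365": "Microsoft 365"}  # card statement text -> vendor
TOOL_TYPE = {"Dropbox": "file sharing", "WeTransfer": "file sharing",
             "AnyDesk": "remote access", "Trello": "task tracking"}
USER_DEPARTMENT = {"jsmith": "engineering", "akhan": "production", "lbrown": "quality", "pwright": "procurement"}
DEPARTMENT_DATA = {"engineering": "controlled technical data", "quality": "customer quality records",
                   "procurement": "supplier and pricing data", "production": "production schedules"}
DATA_RISK = {"controlled technical data": 3, "customer quality records": 3,
             "supplier and pricing data": 2, "production schedules": 2, "internal tasks": 1}
TOOL_UPLIFT = {"file sharing": 2, "remote access": 2}          # data leaving or entering the site

# Constructed sample inputs: "timestamp user host port" proxy lines and
# "date,card,merchant,currency,amount,department" expense rows.
PROXY_LOG = """\
2024-03-04T08:12:01 jsmith www.dropbox.com 443
2024-03-04T08:14:22 jsmith content.dropbox.com 443
2024-03-04T09:01:07 akhan anydesk.com 443
2024-03-04T09:05:44 lbrown m365.example 443
2024-03-04T10:30:00 pwright trello.com 443
"""
EXPENSE_LINES = """\
2024-02-28,company card 1042,WETRANSFER PRO,GBP,19.00,quality
2024-02-28,company card 1042,TRELLO.COM,USD,12.50,procurement
2024-03-01,company card 1188,MICROSOFT 365,GBP,450.00,it
"""


@dataclass
class Finding:
    vendor: str
    departments: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    spend: dict = field(default_factory=dict)   # currency -> total seen on card statements


def registrable_domain(host):
    """Collapse a hostname to its last two labels. Adequate for the constructed
    data here; real logs need a public-suffix list to handle e.g. .co.uk hosts."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_proxy_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            _ts, user, host, _port = parts[:4]
            events.append((user, registrable_domain(host)))
    return events


def parse_expenses(text):
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 6:
            _date, _card, merchant, currency, amount, department = parts
            rows.append((merchant, currency, float(amount), department))
    return rows


def vendor_for_merchant(merchant):
    upper = merchant.upper()
    return next((v for hint, v in MERCHANT_HINTS.items() if hint in upper), None)


def discover(proxy_text, expense_text):
    """Build one inventory keyed by vendor from both sources, dropping approved services."""
    findings = {}
    for user, domain in parse_proxy_log(proxy_text):
        vendor = SAAS_CATALOGUE.get(domain)
        if vendor and vendor not in APPROVED_SERVICES:
            f = findings.setdefault(vendor, Finding(vendor))
            f.sources.add("proxy")
            f.departments.add(USER_DEPARTMENT.get(user, "unknown"))
    for merchant, currency, amount, department in parse_expenses(expense_text):
        vendor = vendor_for_merchant(merchant)
        if vendor and vendor not in APPROVED_SERVICES:
            f = findings.setdefault(vendor, Finding(vendor))
            f.sources.add("expenses")
            f.departments.add(department)
            f.spend[currency] = f.spend.get(currency, 0.0) + amount
    return findings


def risk_score(finding):
    """Most sensitive data class across the owning departments, plus a tool-type uplift."""
    data_risk = max((DATA_RISK.get(DEPARTMENT_DATA.get(d, "internal tasks"), 1)
                     for d in finding.departments), default=1)
    return data_risk + TOOL_UPLIFT.get(TOOL_TYPE.get(finding.vendor, ""), 0)


def risk_tier(score):
    return "High" if score >= 4 else "Medium" if score >= 2 else "Low"


def shadow_it_report(proxy_text, expense_text):
    """Risk-ranked rows for the review meeting; the adopt/replace/retire call stays human."""
    findings = sorted(discover(proxy_text, expense_text).values(), key=lambda f: -risk_score(f))
    return [{"vendor": f.vendor, "score": risk_score(f), "tier": risk_tier(risk_score(f)),
             "departments": sorted(f.departments), "sources": sorted(f.sources), "spend": f.spend}
            for f in findings]


if __name__ == "__main__":
    for row in shadow_it_report(PROXY_LOG, EXPENSE_LINES):
        print(f"{row['tier']:<6} {row['vendor']:<11} depts={','.join(row['departments'])} "
              f"seen_in={','.join(row['sources'])} spend={row['spend']}")
```

On the constructed data, the file-sharing and remote-access tools used by engineering, quality and production rank High, while the task tracker used by procurement ranks Medium and is the one item seen in both the proxy logs and the card statements; the approved Microsoft 365 traffic and spend are excluded from the findings. The third source the answer names, structured interviews, is what catches the spreadsheets and WhatsApp groups that never appear in either data set.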
Can we just ban employees from using unapproved tools?
Banning without replacing the underlying capability rarely works. It drives shadow IT further underground rather than eliminating it. The sustainable approach is to understand what needs are being met by unofficial tools and address those needs through approved channels.
How long does it take to bring shadow IT under control?
A thorough shadow IT audit and remediation programme for a mid-sized UK manufacturer typically takes three to six months. The financial savings identified usually more than offset the cost of the programme within the first year.