
A Definitive Guide to Shadow IT

13 min read Mansoor Ahmed

If you want to know how many SaaS products you really use, this formula should get you close: take the number of SaaS products you think you use, then double it.

In the 21st century, some companies have more SaaS tools than people.

As more employees work from home, the threat of Shadow IT is only getting larger. Employees use personal email addresses to conduct business, and the use of unsanctioned personal devices for work (bring your own device, or BYOD) is on the rise.

More than 80% of employees admit to using unapproved SaaS applications on the job. This makes Shadow IT one of the biggest cybersecurity concerns today. 

The problem arises because anyone in your organization can sign up for a SaaS product instantly, without IT’s approval or knowledge. Unauthorized spending is only a small part of the problem: shadow tools integrate with other software products and hold company data, exposing the business to data leaks and account compromise.

What Is Shadow IT?

Shadow IT refers to information technology systems, devices, services, software, and applications that employees use without approval from the IT department.

In other words, this catch-all term covers any solution that the organization’s IT department does not know about or manage. Physical devices like personal phones, flash drives, laptops, and backup drives can all pose threats. Even classically licensed software can be shadow IT, but most unauthorized software products today are SaaS applications.


As the scope of available software products grows, so does the scope of potential shadow IT threats. Enterprises use 288 SaaS apps on average, making it difficult for IT teams to track them all down and control them. 

Why Does Shadow IT Exist?

As organizations continue to adopt DevOps and Agile methodologies, shadow IT is almost inevitable. Teams are focused on innovating continuously to meet quick release cycles. This leads them to seek quicker solutions and more efficient tools. Employees feel that they do not have the time to let IT approve tools before they start using them. 

Other departments are getting in on the action, too. With SaaS, a department can add a tool easily and roll it into their department expense budget. They don’t have to worry about going through IT or purchasing. 

It looks great on paper: spending $100 on the expense credit card instead of begging IT for $5,000 for a suite of licenses. But again, that’s precisely why companies lose track. Marketing is notorious for this, with apps like Constant Contact, Mailchimp, Unbounce, and more.

Remote work only makes this worse, and that is a trend that is likely to stay. 82% of company leaders surveyed by Gartner plan to continue allowing employees to work remotely. The shift from physical workplaces to remote work was sudden, and many organizations did not have time to adjust their tools and workflows adequately.

Common Examples of Shadow IT

Some of the most common Shadow IT apps per Business Wire include note-taking, project management, communication, and file-sharing apps. Consider the following examples:

  • Users might turn to cloud storage solutions like Dropbox or Google Drive to share files once they are no longer together in the office. 
  • Many employees use Microsoft Office 365 to create, edit, and share files remotely. Sharing files is an important aspect of the need to stay connected while operating as part of a dispersed workforce.
  • Communication apps like Slack, Skype, WhatsApp, and various VOIP solutions offer employees opportunities to stay in touch with each other. 
  • Some employees also find it more difficult to stay organized when working from home, which is where productivity apps like Trello and Asana come into play. 

These common shadow apps are widely known, simple to sign up for, and relatively inexpensive. That said, they still count as shadow IT when they are adopted without approval from the appropriate department.

Not all apps are as well known as the ones above. Thus, it becomes critical to understand and address the risks of shadow IT.

Understanding the Impact of Shadow IT

Without a SaaS management tool, an IT department cannot know how many apps are being used without its knowledge. These tools discover the apps in use; once an app is discovered, it ceases to be shadow IT.

Once apps are discovered, their problems eventually come to the surface. The primary risks of shadow IT fall into four main categories, detailed below:

A. Failure to Manage Software Assets Appropriately

Technology leaders are tasked with creating cohesive strategies to achieve defined business goals. It is difficult to define relationships between systems and govern them efficiently when employees consistently add incompatible solutions to the mix. This problem is exacerbated by existing failures of traditional software asset management (SAM) to keep track of SaaS licenses.

The more shadow applications employees use, the more difficult it becomes for IT departments to fulfil their purpose of enabling the rest of the business. Each time an individual chooses their own tools instead of going through the appropriate channels, the IT department loses a little more control. Eventually, IT departments become so out of touch with what is actually in use that they can no longer offer effective guidance or build quality solutions.

B. Data Becomes Less Secure and Less Compliant

Manually managing the security and compliance of all of an enterprise’s SaaS apps may take dozens of hours each week. The worst thing? The time spent is not even the biggest loss.

Manual SaaS management dramatically increases the risk of exposure: 21% of organizations have experienced cyber events because of unsanctioned technology. Shadow applications take cybersecurity decisions out of the hands of the experts and diffuse responsibility across the entire company (or at least the 80% or more of employees who use shadow IT). The risk is even greater when employees without security training make these decisions.

When the IT Department Loses Visibility, It Loses Control

Not only is there an increased risk that employees might make unwise decisions with unsecured technologies, but it also becomes harder for cybersecurity experts to craft a plan that accounts for all relevant technology.

As employees operate through channels that are unknown to the information technology team, they may unwittingly or intentionally share data in a way that is not appropriate. Such behavior risks the exposure of valuable data and may take the business out of compliance with regulations. 

Shadow IT Causes Compliance Problems

Consider a company in the medical industry that must remain HIPAA compliant. If one department adopts an app without due diligence and copies patient data to the vendor’s cloud, it creates a pocket of exposed data that the organization has no control over and, because no business associate agreement exists with that vendor, no contractual basis for protecting.

Many roles have no direct regulatory interface, so these employees are not required to think about compliance and security as part of their daily work.

For such employees, signing up for a new tool like this is an easy mistake to make. The consequence? It can throw the entire organization out of HIPAA compliance.

C. Unknown Variables in Testing and Troubleshooting

The IT infrastructure of a modern business is already complicated enough without the introduction of unauthorized tools. 

The complex and interconnected nature of a company’s technology mandates proper testing when introducing new technologies. When employees add new applications before they fully understand the consequences, they make it possible for issues to ripple throughout the technology stack. For example, once IT loses sight of information flows because data gets siloed in disparate shadow IT apps, it becomes impossible to plan accordingly in terms of system architecture, capacity, and security.

As unintended consequences arise from third-party applications, they may not be diagnosed quickly because the IT experts are not fully informed. Meanwhile, employees may notice security or productivity problems but chalk them up to a failure by the IT department. By the time the true nature of these issues becomes apparent, they are causing significant problems for the business, and the IT team must scramble to isolate and neutralize the offending app.

D. Reduced Visibility into IT Spend Management

Close to half of all IT spending at a company occurs outside of the IT department, which creates an obvious budgeting problem. Lack of visibility is one big part of the issue, as the rampant consumption of shadow IT makes it impossible to know how much the business is spending in total. Another part of the problem is that licenses go unused, which is a complete waste of money. Some department heads may think they are helping IT by putting software on their expense cards instead of adding it to the tech budget, but all this really does is mask the true spend.

This problem is compounded by the reality that traditional expense cards are not built for SaaS spend management. Between the adjustment to a recurring billing model and the introduction of rampant unauthorized spending, finance and information technology teams have their work cut out for them as they attempt to rein in the costs.

HubSpot estimates that the average enterprise spends more than $4 million yearly to use 288 SaaS apps. If shadow IT comprises nearly half of IT spending at large enterprises, it stands to reason that businesses are putting millions of dollars more into unauthorized spending.

Worse still, the security risks of shadow apps add yet another level of potential expenses: The cost of downtime and lost data is estimated to be around $1.7 trillion, and many businesses are left debilitated by breaches.

Perceived Benefits of Shadow IT

It is important to uncover and control shadow IT, but in this effort, some might lose sight of the benefits they receive from shadow apps. If there were no good reasons to use shadow IT, there would not be so many rational employees who choose to do so. 97% of information technology professionals surveyed by Entrust agree that employees who use their preferred technologies are more productive. Recall that many employees use shadow apps when they feel limited by the authorized technology at their disposal–a company must respond accordingly.

Shadow IT Drives Innovation

The same Entrust survey of IT professionals turned up the following results:

  • 77% believe their organizations would gain competitive advantages if leadership collaborated more to find solutions.
  • 80% said their companies should leverage employee suggestions more to deploy technologies.
  • 37% say there is insufficient clarity into the consequences of using shadow IT.

Beyond confirming that shadow IT has real benefits, these numbers offer hints about how businesses should respond to shadow apps.

One key takeaway is that businesses can prevent many problems by giving employees access to the software they want and need in the first place.

Ultimately, users themselves must lead the process of adopting new tools and software services, and IT should support the process by vetting and managing solutions.

Still, there is the question of how to deal with the shadow apps already in place. The simplest answer is to identify them, then decide what to do with each app based on its own merits.

Some Shadow Apps Offer Value

The apps themselves are not necessarily problematic–the only problem is normally that they are not appropriately managed. The answer is not necessarily to clamp down on employees but to get tools that allow IT to have a chance to identify and manage all apps currently in use. In fact, authorizing some of the employees’ favorite shadow IT apps and managing them through the proper channels is a good first step for the shadow IT strategy. It will encourage employees to be more collaborative about their technology needs in the future.

Develop a Strategy for Shadow IT

Discovering Shadow IT

The first step towards addressing shadow IT is discovery.

How to Discover Shadow IT

Some leaders have a hard time knowing where to start with shadow IT. Tracking every app manually is a monumental undertaking. Each employee or team has to be aware of all of the shadow apps they introduced and then cooperate in reporting them. Alternatively, information technology professionals have to do some serious sleuthing.

Fortunately, neither of those situations is necessary. Application discovery is one of the key features to look for in SaaS management tools, and it can remove the burden from IT teams and other employees. Perhaps more importantly, it removes the guesswork and human error from holistic app discovery.

Detecting and monitoring shadow IT is an ongoing task in itself, not a one-time exercise.

The right SaaS management tool discovers apps almost immediately and provides a complete inventory. Information from finance, IT, and spreadsheets comes together in a single repository to provide a cohesive source of truth. In practice the raw signals are card and expense records, identity-provider and OAuth consent logs, and web proxy or DNS logs; any one of them alone misses apps that the others catch. Annotated visualizations of SaaS applications make it even easier to understand the products, including their usage level within the organization. This wealth of information dramatically simplifies the rest of the decision-making process.
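As an added illustration of the reconciliation step described above (example code written for this article, not Quolum’s product or any vendor’s API), the following Python script joins a corporate-card export against IT’s approved-app list and the set of apps federated to SSO, then ranks the unapproved vendors by how many people are already paying for them. The expense lines, the SANCTIONED and SSO_APPS sets, and the VENDOR_PATTERNS mapping are all constructed for the example; a real run would substitute the finance export and the identity provider’s application catalog.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: a corporate-card export as finance might hand it over.
# Merchant strings are deliberately messy, the way card processors emit them.
EXPENSE_CSV = """date,employee,merchant,amount_usd
2023-03-01,alice@example.com,MAILCHIMP*MONTHLY PLAN,75.00
2023-03-01,bob@example.com,DROPBOX*9X7Q2ZK,11.99
2023-03-02,carol@example.com,SLACK TECHNOLOGIES INC,87.50
2023-03-03,alice@example.com,Trello.com,12.50
2023-03-05,dave@example.com,DROPBOX*4A1B8CD,11.99
2023-03-07,erin@example.com,MAILCHIMP*MONTHLY PLAN,75.00
2023-03-09,frank@example.com,ATLASSIAN JIRA CLOUD,140.00
2023-03-10,grace@example.com,AWS EMEA,1203.17
"""

# Assumed inventory from IT: apps that went through the approval process.
SANCTIONED = {"slack", "atlassian", "aws"}
# Assumed list of apps actually federated to the SSO provider. An approved app
# that is not behind SSO still matters: offboarding cannot revoke what SSO never saw.
SSO_APPS = {"slack", "aws"}

# Assumed mapping from card-statement spellings to a canonical vendor name.
VENDOR_PATTERNS = [
    (re.compile(r"mailchimp", re.I), "mailchimp"),
    (re.compile(r"dropbox", re.I), "dropbox"),
    (re.compile(r"slack", re.I), "slack"),
    (re.compile(r"trello", re.I), "trello"),
    (re.compile(r"atlassian|jira|confluence", re.I), "atlassian"),
    (re.compile(r"\baws\b|amazon web services", re.I), "aws"),
]


def normalize_merchant(merchant):
    """Map a raw merchant string to a canonical vendor name.

    Unknown merchants fall back to a lowercased token with punctuation removed,
    so they still aggregate and show up for manual review."""
    for pattern, vendor in VENDOR_PATTERNS:
        if pattern.search(merchant):
            return vendor
    return re.sub(r"[^a-z0-9]+", " ", merchant.lower()).strip()


def discover_shadow_saas(expense_csv, sanctioned, sso_apps):
    """Aggregate spend and distinct users per vendor and classify each vendor.

    Returns {vendor: {"spend": float, "users": [email, ...], "status": str}}
    with status one of 'shadow' (never approved), 'approved-no-sso'
    (approved but outside the identity provider) or 'managed'."""
    spend = defaultdict(float)
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(expense_csv)):
        vendor = normalize_merchant(row["merchant"])
        spend[vendor] += float(row["amount_usd"])
        users[vendor].add(row["employee"].strip().lower())

    report = {}
    for vendor in spend:
        if vendor not in sanctioned:
            status = "shadow"
        elif vendor not in sso_apps:
            status = "approved-no-sso"
        else:
            status = "managed"
        report[vendor] = {
            "spend": round(spend[vendor], 2),
            "users": sorted(users[vendor]),
            "status": status,
        }
    return report


def shadow_summary(report):
    """List shadow vendors as (vendor, user_count, spend), most-used first.

    A tool several people already pay for separately is the first candidate
    to consolidate and bring under IT control; a single-user one may simply
    be cancelled."""
    shadow = [(v, d) for v, d in report.items() if d["status"] == "shadow"]
    shadow.sort(key=lambda vd: (-len(vd[1]["users"]), -vd[1]["spend"]))
    return [(v, len(d["users"]), d["spend"]) for v, d in shadow]


if __name__ == "__main__":
    rep = discover_shadow_saas(EXPENSE_CSV, SANCTIONED, SSO_APPS)
    for vendor, n_users, total in shadow_summary(rep):
        print(f"{vendor:<12} users={n_users} spend=${total:,.2f}")
    for vendor, d in rep.items():
        if d["status"] == "approved-no-sso":
            print(f"{vendor:<12} approved but not federated to SSO")
```

The third status, approved-no-sso, is the one a spend-only tool never reports: the app passed procurement but lives outside the identity provider, so leavers keep their passwords. Merchant normalization is deliberately the weakest part; in a real export the unmatched fallback bucket is where the unknown apps hide, and it deserves a human pass.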

Why Discovery Matters

Your cybersecurity experts cannot be at their most effective until they are armed with holistic app discovery.

Shadow IT introduces systems that sit outside the organization’s defenses. These security concerns go beyond attackers who might use shadow IT as a way in: when an employee leaves the company, they may retain access to their unauthorized accounts, because offboarding can only revoke access that IT knows about. 20% of organizations have experienced data breaches performed by ex-employees, and shadow apps create weaknesses on many fronts.

Given the prevalence of unauthorized access by previous employees, it is important to keep monitoring logins even after the app discovery stage. Once you know which apps your employees are using, keep a record of their usage. If an ex-employee keeps logging in to one of your apps, you have a red flag right there.
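The login-monitoring check described above, as an added example (not from the original article or any product): it reads constructed audit-log lines such as a SaaS app’s audit export or an SSO provider might deliver, compares each login against an assumed HR roster with last working days, flags logins by terminated staff and logins under addresses outside the company domain, and then links the two by shared source address. The log lines, roster, and domain are all made up for the example.

```python
import json
from datetime import date, datetime

# Constructed sample: login events, one JSON object per line, as a SaaS app's
# audit export or an SSO provider might deliver them.
LOGIN_LOG = """\
{"ts": "2023-04-03T09:12:00Z", "app": "trello", "user": "alice@example.com", "ip": "203.0.113.10"}
{"ts": "2023-04-03T09:15:00Z", "app": "dropbox", "user": "bob@example.com", "ip": "203.0.113.11"}
{"ts": "2023-04-04T22:41:00Z", "app": "mailchimp", "user": "Carol@example.com", "ip": "198.51.100.7"}
{"ts": "2023-04-05T08:02:00Z", "app": "trello", "user": "carol.smith@gmail.com", "ip": "198.51.100.7"}
{"ts": "2023-04-06T13:30:00Z", "app": "dropbox", "user": "dave@example.com", "ip": "203.0.113.12"}
"""

# Assumed HR roster: last working day, or None for current staff.
ROSTER = {
    "alice@example.com": None,
    "bob@example.com": None,
    "carol@example.com": "2023-03-31",
    "dave@example.com": None,
}
CORPORATE_DOMAIN = "example.com"


def parse_events(log_text):
    """Parse JSON-lines login events; timestamps become timezone-aware datetimes
    and user addresses are lowercased so roster lookups are case-insensitive."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["user"] = e["user"].strip().lower()
        events.append(e)
    return events


def flag_logins(events, roster, corporate_domain):
    """Return findings for logins that should not be happening.

    - post-termination-login: a corporate identity used after its last working day
    - non-corporate-identity: a login under an address outside the company domain
    - unknown-identity: a corporate-looking address HR has no record of"""
    findings = []
    for e in events:
        user = e["user"]
        finding = {"user": user, "app": e["app"], "ip": e["ip"], "ts": e["ts"].isoformat()}
        if not user.endswith("@" + corporate_domain):
            finding["kind"] = "non-corporate-identity"
        elif user not in roster:
            finding["kind"] = "unknown-identity"
        elif roster[user] is not None and e["ts"].date() > date.fromisoformat(roster[user]):
            finding["kind"] = "post-termination-login"
        else:
            continue
        findings.append(finding)
    return findings


def link_by_source_ip(findings):
    """Pair non-corporate logins with post-termination logins from the same IP.

    A departed employee who keeps using an app through a personal account often
    does so from the same network; the shared address is a lead, not proof."""
    by_ip = {}
    for f in findings:
        if f["kind"] == "post-termination-login":
            by_ip.setdefault(f["ip"], set()).add(f["user"])
    links = []
    for f in findings:
        if f["kind"] == "non-corporate-identity" and f["ip"] in by_ip:
            for former in sorted(by_ip[f["ip"]]):
                links.append((f["user"], former, f["ip"]))
    return links


if __name__ == "__main__":
    found = flag_logins(parse_events(LOGIN_LOG), ROSTER, CORPORATE_DOMAIN)
    for f in found:
        print(f'{f["ts"]} {f["kind"]:<24} {f["app"]:<10} {f["user"]} from {f["ip"]}')
    for personal, former, ip in link_by_source_ip(found):
        print(f"{personal} shares source {ip} with terminated account {former}")
```

The check only works for apps whose logs you can actually obtain, which is itself an argument for bringing a shadow app under management: an app on a personal free plan typically exposes no audit export at all, so the first login by a leaver is invisible. Treat the IP correlation as a triage hint; shared office or VPN egress addresses will produce false pairings.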

What to Do With Shadow IT

Once you can identify which shadow apps employees use, you can dig into how and why they use them. This process will rely on effective communication between the IT department and those employees who use shadow apps. Ultimately, the decision is likely to come down to one of the following:

  1. Eliminate the shadow app. This is the only acceptable choice when an app throws the organization out of regulatory compliance or opens the door to a similarly unpalatable level of risk. If current employees, former employees, or complete outsiders can reach data they should not have, the hole must be plugged. For example, employees must be stopped from sharing privileged data via publicly shared Google Sheets.
  2. Bring shadow apps into IT’s control. If a solution adds value to the business, and there is no palpable reason preventing authorization, run it through proper channels. This may be the case when a team or individual finds a tool that makes them more productive, but they adopt the technology without getting official approval first. Your client success team might be more efficient with Slack, but perhaps they need a Business subscription to meet compliance requirements not addressed by their free accounts.
  3. Eliminate the shadow, but keep the benefits. Maybe the sales team is only using Slack because they never received training or login credentials for their Microsoft Teams accounts. In this case, basic onboarding might eliminate unauthorized Slack usage without sacrificing productivity. If you understand why and how employees use the shadow apps, there may be opportunities to offer them the same benefits without the risk.

It may be difficult to resolve the use of shadow IT in a way that pleases all stakeholders. That said, at least the decision to authorize or forbid technology remains in the right hands. Each of these three possible resolutions is an intentional, measured decision by the IT department or other leadership. Taking control of shadow technology is a vital step toward mitigating risk and meeting business goals.

Get Started With SaaS Discovery and Management

When you want to identify and control shadow IT, you do not have to do it alone. Modern SaaS management tools are purpose-built to address today’s security challenges and facilitate effective IT spending. Bring shadow apps into the light with holistic app discovery, shadow IT tagging, and streamlined renewal management. Contact Quolum to learn more about how you can do this in the most time and cost-effective way.

About Quolum

Quolum is a full-stack SaaS Spend Management product. Its data-driven renewals, spend controls, license monitoring, contract oversight, and buying concierge help companies save millions of dollars in spending.
Quolum is ideal for companies that have hundreds of SaaS tools. Finance, Procurement, IT Teams, and departmental spend owners use Quolum to help manage SaaS sprawl and remove shelf-ware.
Talk to us to get a demo of the product. You can start seeing savings in just a few weeks. No spreadsheets are required.