Uncovering and Controlling Shadow IT

13 min read Mansoor Ahmed

If you want to know how many SaaS products you really use, on average, this formula should get you close: Take the number of SaaS products you think you use, then double it.

As more employees work from home, the threat of shadow IT only grows. Employees use personal email addresses to conduct business. Unsanctioned personal devices (bring your own device, or BYOD) are increasingly used for work. And SaaS applications that your IT department neither knows about nor controls may be the biggest shadow IT threat of all.

More than 80% of employees admit to using unapproved SaaS applications on the job, which makes Shadow IT one of the biggest cybersecurity concerns today. 

The problem is rampant because any person within your organization can sign up for a SaaS product within minutes without IT’s approval (or knowledge). Unauthorized spending is only a small part of the problem, especially when shadow IT links to other software products, exposes the business to data leaks, and gives hackers access to your systems.

What Is Shadow IT?

Shadow IT refers to information technology systems, devices, services, software, and applications that employees use without the approval of the IT department.

In other words, this catchall term covers any solution that the organization's IT department does not know about and does not manage. Physical devices like personal phones, flash drives, laptops, and backup drives can all pose threats. Even classic licensed software can be shadow IT, but most unauthorized software products today are SaaS applications.

As the scope of available software products grows, so does the scope of potential shadow IT threats. Enterprises use 288 SaaS apps on average, making it difficult for IT teams to track them all down and control them. 

Why Does Shadow IT Exist?

As organizations continue to adopt DevOps and Agile methodologies, shadow IT becomes almost inevitable. Teams are focused on innovating continuously to meet quick release cycles, leading them to seek quicker solutions and more efficient tools. Employees may not feel they have the time to let IT vet and approve tools before they start using them. 

Other departments are getting in on the action, too. With SaaS, a department can add a tool easily and roll it into their department expense budget. They don’t have to worry about going through IT or purchasing. 

It looks great on paper: spending $100 on the expense credit card instead of begging IT for $5,000 for a suite of licenses. But again, that’s precisely why companies lose track. Marketing is notorious for this, with apps like Constant Contact, Mailchimp, Unbounce, and more.

This is especially true as workers become more dispersed, and 82% of company leaders surveyed by Gartner plan to continue allowing employees to work remotely. The shift from physical workplaces to remote work was sudden; many organizations did not have time to adjust their tools and workflows adequately. 

Common Examples of Shadow IT

Some of the most common Shadow IT apps per Business Wire include note-taking, project management, communication, and file-sharing apps. Consider the following examples:

  • Users might turn to cloud storage solutions like Dropbox or Google Drive to share files once they are no longer together in the office. 
  • Employees can use Microsoft Office 365 to create, edit, and share files remotely. Sharing files is an important aspect of the need to stay connected while operating as part of a dispersed workforce.
  • For communication, Slack, Skype, WhatsApp, and various VoIP services give employees ways to stay in touch with each other. 
  • Some members of the staff might find it more difficult to stay organized at home than it was in the office, which is where productivity apps like Trello and Asana come into play. 

These common shadow apps are widely known, simple to sign up for, and relatively inexpensive, but any technology solution becomes shadow IT without approval from the appropriate department. Thus, it becomes critical to understand and address the risks of shadow IT.

Understanding the Impact of Shadow IT

By definition, an IT department cannot know how many apps are in use without its knowledge until it performs holistic discovery, for example with a SaaS management tool. Once those apps are discovered they cease to be shadow IT; whether they remain a risk depends on what IT decides to do with them.

That said, problems eventually come to the surface, and the primary risks of shadow IT often fall into four categories.

Failure to Manage Software Assets Appropriately

Technology leaders are tasked with creating cohesive strategies to achieve defined business goals. It is difficult to define relationships between systems and govern them efficiently when employees consistently add incompatible solutions to the mix. This problem is exacerbated by existing failures of traditional software asset management (SAM) to keep track of SaaS licenses.

The more shadow applications employees use, the more difficult it becomes for IT departments to achieve their shared purpose of empowering success. Each time an individual or team chooses their own tools and solutions instead of going through the proper channels, the IT professionals lose more control of the situation. Eventually, they become so out of touch with the reality of the situation that they can no longer offer effective guidance and build technology solutions that empower success.

Data Becomes Less Secure and Less Compliant

Manually managing the security and compliance of all of an enterprise's SaaS apps can take dozens of hours each week, and the time spent is far from the worst part. Manual SaaS management leaves gaps, and 21% of organizations report cyber events caused by unsanctioned technology. Shadow applications take cybersecurity decisions out of the hands of the experts and diffuse responsibility across the entire company (or at least the 80% or more who use shadow IT), and many of those staff are not qualified to make such decisions.

When the IT Department Loses Visibility, it Loses Control

Not only is there an increased risk that employees might make unwise decisions with unsecured technologies, but it also becomes harder for cybersecurity experts to craft a plan that accounts for all relevant technology. As employees operate through channels that are unknown to the information technology team, they may unwittingly or intentionally share data in a way that is not appropriate. Such behavior risks the exposure of valuable data and may take the business out of compliance with regulations. 

Shadow IT Causes Compliance Problems

Consider a company in the medical industry that must remain HIPAA compliant. If one department signs up for an app without due diligence and copies patient data to a cloud service, it creates a pocket of exposed data that the organization does not control. For someone whose job does not involve compliance or security, signing up for a new tool like this is an easy mistake to make, but it can throw the entire organization out of HIPAA compliance.

Eliminate Shadow IT to Know and Control Risks

The key takeaway is that your cybersecurity experts cannot be at their most effective until they are armed with holistic app discovery. Shadow IT adds attack surface that has no proper defenses in front of it. The concern goes beyond attackers who might use a shadow app as a way in: when an employee leaves the company, they may retain access to their unauthorized accounts, because nobody in IT knew those accounts existed in order to disable them. 20% of organizations have experienced data breaches performed by ex-employees, and shadow apps create weaknesses on many fronts.

Given how often former employees retain access, login monitoring should continue after the holistic app discovery stage. Once you know which apps your employees use, keep a record of who logs in to each one and reconcile it against your HR offboarding list. If an ex-employee keeps logging in to one of your apps, you know straight away that there is a problem. Usage logging is yet another useful tool for increasing security.
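As an added example (it is not Quolum's code, nor tooling the article describes), the following Python script reconciles a SaaS audit log against HR offboarding dates and flags any activity by an account after its last working day, ranking events that move data (such as a file download) above plain logins. The log lines, the offboarding list and the field names are all constructed for the example; real vendor exports use their own schemas.

```python
"""Added example (not Quolum's code): reconcile SaaS audit logs against HR
offboarding data to flag activity by accounts that should have been disabled.
The audit log, the offboarding list and their field names are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed HR offboarding records: account -> last working day (UTC date).
OFFBOARDED = {
    "bob@example.com": "2024-01-10",
    "grace@example.com": "2024-01-20",
}

# Constructed JSON-lines audit export, the shape many SaaS admin consoles emit.
# Field names vary by vendor; adapt the extraction below to the real schema.
AUDIT_LOG = """\
{"ts": "2024-01-08T09:15:00Z", "app": "dropbox", "actor": "bob@example.com", "event": "login", "ip": "203.0.113.5"}
{"ts": "2024-01-12T22:41:00Z", "app": "dropbox", "actor": "bob@example.com", "event": "login", "ip": "198.51.100.7"}
{"ts": "2024-01-13T08:02:00Z", "app": "dropbox", "actor": "bob@example.com", "event": "file_download", "ip": "198.51.100.7"}
{"ts": "2024-01-14T10:00:00Z", "app": "trello", "actor": "erin@example.com", "event": "login", "ip": "203.0.113.9"}
{"ts": "2024-01-18T11:30:00Z", "app": "mailchimp", "actor": "grace@example.com", "event": "login", "ip": "203.0.113.12"}
{"ts": "2024-01-25T03:12:00Z", "app": "mailchimp", "actor": "GRACE@example.com", "event": "login", "ip": "198.51.100.30"}
"""

# Activity on the last working day itself is expected; anything after the
# following midnight UTC is not.
GRACE_PERIOD = timedelta(days=1)

# Events that move data out of the app are ranked above plain logins.
DATA_EVENTS = {"file_download", "export", "share_link_created"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_ex_employee_activity(audit_log=AUDIT_LOG, offboarded=OFFBOARDED, grace=GRACE_PERIOD):
    """Return every audit event by an offboarded account after its grace period."""
    last_days = {}
    for account, last_day in offboarded.items():
        last = datetime.strptime(last_day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        last_days[account.lower()] = last
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        actor = event["actor"].lower()  # vendors are inconsistent about case
        last = last_days.get(actor)
        if last is None:
            continue  # current employee (or an account HR does not know about)
        ts = parse_ts(event["ts"])
        if ts <= last + grace:
            continue
        findings.append({
            "user": actor,
            "app": event["app"],
            "event": event["event"],
            "ts": event["ts"],
            "ip": event.get("ip"),
            "days_after_last_day": (ts - last).days,
            "severity": "high" if event["event"] in DATA_EVENTS else "medium",
        })
    findings.sort(key=lambda f: f["ts"])
    return findings


def summarize(findings):
    """Collapse findings to one entry per (user, app): event count and worst severity."""
    summary = {}
    for f in findings:
        key = (f["user"], f["app"])
        entry = summary.setdefault(key, {"events": 0, "severity": "medium"})
        entry["events"] += 1
        if f["severity"] == "high":
            entry["severity"] = "high"
    return summary


if __name__ == "__main__":
    for (user, app), info in summarize(detect_ex_employee_activity()).items():
        print(f"{user} still active in {app}: {info['events']} event(s), severity {info['severity']}")
```

The script lowercases actor names because vendors disagree about case, and it tolerates activity on the last working day itself. One caveat that follows from the article's own argument: you only have an audit log for apps you administer, so a free-tier shadow account has nothing to reconcile, which is one more reason to bring such apps under management.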

Unknown Variables in Testing and Troubleshooting

The IT infrastructure of a modern business is already complicated enough without the introduction of unauthorized tools. 

The complex and interconnected nature of a company’s technology mandates proper testing when introducing new technologies. When employees add new applications before they fully understand the consequences, they make it possible for issues to ripple throughout the technology stack. For example, once IT loses sight of information flows because data gets siloed in disparate shadow IT apps, it becomes impossible to plan accordingly in terms of system architecture, capacity, and security.

As unintended consequences arise from third-party applications, they may not be diagnosed quickly because the IT experts are not fully informed. Meanwhile, employees may recognize the problems with security or productivity but chalk them up to a failure by the IT department. By the time the true nature of these issues becomes apparent, they are causing significant problems for the business, and it falls on the IT team to scramble to isolate and neutralize the offending app.

Reduced Visibility into IT Spend Management

Close to half of all IT spending at a company occurs outside of the IT department, which creates an obvious budgeting problem. Lack of visibility is one big part of the issue, as the rampant consumption of shadow IT makes it impossible to know how much the business is spending in total. Another part of the problem is that licenses go unused, which is a complete waste of money. Some department heads may think they are helping IT by putting software on their expense cards instead of adding it to the tech budget, but all this really does is mask the true spend.

This problem is compounded by the reality that traditional expense cards are not built for SaaS spend management. Between the adjustment to a recurring billing model and the introduction of rampant unauthorized spending, finance and information technology teams have their work cut out for them as they attempt to rein in the costs.

Hubspot estimates that the average enterprise spends more than $4 million yearly to use 288 SaaS apps. If shadow IT comprises nearly half of IT spending at large enterprises, it stands to reason that businesses are putting millions of dollars more into unauthorized spending. 

Worse still, the security risks of shadow apps add yet another level of potential expenses: The cost of downtime and lost data is estimated to be around $1.7 trillion, and many businesses are left debilitated by breaches.

Perceived Benefits of Shadow IT

It is important to uncover and control shadow IT, but in this effort, some might lose sight of the benefits they receive from shadow apps. If there were no good reasons to use shadow IT, there would not be so many rational employees who choose to do so. 97% of information technology professionals surveyed by Entrust agree that employees who use their preferred technologies are more productive. Recall that many employees use shadow apps when they feel limited by the authorized technology at their disposal–a company must respond accordingly.

Shadow IT Drives Innovation

The same Entrust survey of IT professionals turned up the following results:

  • 77% believe their organizations would gain competitive advantages if leadership collaborated more to find solutions.
  • 80% said their companies should leverage employee suggestions more to deploy technologies.
  • 37% say there is insufficient clarity into the consequences of using shadow IT.

This information offers some hints about how businesses can respond to shadow apps. One key takeaway is that businesses can prevent many problems by giving employees access to the software they want and need in the first place. Ultimately, the users themselves start to lead the process of adopting new tools and software services, and IT supports the process by vetting and managing solutions.

Still, there is the question of how to deal with the shadow apps already in place. The simplest answer is to identify them, then decide what to do with each app based on its own merits.

Some Shadow Apps Offer Value

The apps themselves are not necessarily problematic–the only problem is normally that they are not appropriately managed. The answer is not necessarily to clamp down on employees but to get tools that allow IT to have a chance to identify and manage all apps currently in use. In fact, authorizing some of the employees’ favorite shadow IT apps and managing them through the proper channels is a good first step for the shadow IT strategy. It will encourage employees to be more collaborative about their technology needs in the future.

Develop a Strategy for Shadow IT

How to Discover Shadow IT

Some leaders have a hard time knowing where to start with shadow IT. Tracking every app manually is a monumental undertaking; each employee or team has to be aware of all of the shadow apps they introduced and then cooperate in reporting them. Alternatively, information technology professionals have to do some serious sleuthing.

Fortunately, neither of those situations is necessary. Application discovery is one of the key features to look for in SaaS management tools, and it can remove the burden from IT teams and other employees. Perhaps more importantly, it removes the guesswork and human error from holistic app discovery.

The right SaaS management tool discovers apps almost immediately and provides a complete inventory. Information from finance, IT, and spreadsheets comes together in a single repository that serves as a cohesive source of truth. Annotated visualizations of SaaS applications make it even easier to understand each product, including its usage level within the organization. This wealth of information dramatically simplifies the rest of the decision-making process.
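As an added example (not Quolum's product and not code from the article), here is a small Python version of the join the paragraph describes: corporate-card transactions and third-party OAuth grants are normalized, merged per app, and compared against the list of apps IT has sanctioned. The CSV, the grant list, the sanctioned set, the scope names and the merchant patterns are constructed assumptions.

```python
"""Added example (not Quolum's code): join two discovery signals, corporate-card
transactions and third-party OAuth grants, against IT's sanctioned-app list to
produce a shadow SaaS inventory. All data below is constructed for the example."""
import csv
import io
import re
from collections import defaultdict

# Constructed corporate-card export. Real exports vary by card provider.
EXPENSE_CSV = """\
date,merchant,amount,cardholder,department
2024-01-03,MAILCHIMP*MONTHLY,99.00,alice,marketing
2024-01-05,DROPBOX*PLUS,11.99,bob,sales
2024-01-07,SLACK TECHNOLOGIES,8.75,carol,customer-success
2024-01-09,MAILCHIMP*MONTHLY,99.00,dave,marketing
2024-01-11,TRELLO.COM,10.00,erin,engineering
2024-01-12,AMAZON WEB SERVICES,250.40,frank,engineering
2024-01-15,DROPBOX*PLUS,11.99,grace,sales
"""

# Constructed list of third-party OAuth grants (user, app, scopes), the kind an
# identity provider's admin console can export. Free-tier apps never reach the
# card feed, so this signal catches what expense data cannot.
OAUTH_GRANTS = [
    ("erin", "trello", ["email", "profile"]),
    ("heidi", "notion", ["email", "profile", "drive.readonly"]),
    ("ivan", "slack", ["email", "profile"]),
]

# Apps IT has onboarded into SSO or otherwise approved (constructed).
SANCTIONED_APPS = {"slack", "aws", "microsoft 365"}

# Scope prefixes that let an app read company data; illustrative names only.
DATA_ACCESS_SCOPES = ("drive", "mail", "calendar", "contacts")

# Card descriptors are messy ("MAILCHIMP*MONTHLY"); map them to a canonical app.
MERCHANT_PATTERNS = [
    (re.compile(r"mailchimp", re.I), "mailchimp"),
    (re.compile(r"dropbox", re.I), "dropbox"),
    (re.compile(r"slack", re.I), "slack"),
    (re.compile(r"trello", re.I), "trello"),
    (re.compile(r"amazon web services|\baws\b", re.I), "aws"),
]


def normalize_merchant(descriptor):
    """Return the canonical app name for a card descriptor (unknown ones pass through lowercased)."""
    for pattern, name in MERCHANT_PATTERNS:
        if pattern.search(descriptor):
            return name
    return descriptor.strip().lower()


def discover_shadow_apps(expense_csv=EXPENSE_CSV, oauth_grants=OAUTH_GRANTS, sanctioned=SANCTIONED_APPS):
    """Aggregate both signals per app, drop sanctioned apps, and rank what remains."""
    apps = defaultdict(lambda: {"spend": 0.0, "users": set(), "departments": set(),
                                "sources": set(), "data_access_scopes": set()})
    for row in csv.DictReader(io.StringIO(expense_csv)):
        rec = apps[normalize_merchant(row["merchant"])]
        rec["spend"] += float(row["amount"])
        rec["users"].add(row["cardholder"])
        rec["departments"].add(row["department"])
        rec["sources"].add("expense")
    for user, app, scopes in oauth_grants:
        rec = apps[app.lower()]
        rec["users"].add(user)
        rec["sources"].add("oauth")
        rec["data_access_scopes"].update(s for s in scopes if s.startswith(DATA_ACCESS_SCOPES))

    findings = []
    for app, rec in apps.items():
        if app in sanctioned:
            continue  # known to IT: not shadow, whatever it costs
        findings.append({
            "app": app,
            "spend": round(rec["spend"], 2),
            "users": len(rec["users"]),
            "departments": sorted(rec["departments"]),
            "sources": sorted(rec["sources"]),
            "data_access_scopes": sorted(rec["data_access_scopes"]),
        })
    # Apps that can read company data come first, then by spend, then by reach.
    findings.sort(key=lambda f: (-len(f["data_access_scopes"]), -f["spend"], -f["users"], f["app"]))
    return findings


if __name__ == "__main__":
    for f in discover_shadow_apps():
        print(f"{f['app']:<10} ${f['spend']:>8.2f} users={f['users']} "
              f"sources={','.join(f['sources'])} scopes={','.join(f['data_access_scopes']) or '-'}")
```

Two design points matter in practice. Card data only sees paid plans, so a second signal such as OAuth grants exported from the identity provider is what surfaces free-tier apps like the Notion grant above; and an app holding a scope that grants read access to company data is ranked ahead of a merely expensive one, because that is the app most likely to cause the compliance problems discussed earlier in the article.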

What to Do With Shadow IT

Once you can identify which shadow apps employees use, you can dig into how and why they use them. This process will rely on effective communication between the IT department and those employees who use shadow apps. Ultimately, the decision is likely to come down to one of the following:

  1. Eliminate the shadow app. This is the only acceptable choice when an app throws the organization out of regulatory compliance or opens the door to a similarly unpalatable level of risk. If current employees, former employees, or complete outsiders are using the application to access data they should not have, that access must be revoked and the exposed data removed. For example, employees must be stopped from sharing privileged data via publicly shared Google Sheets.
  2. Bring shadow apps into IT’s control. If a solution is deemed to provide value to the business, and there is no particular reason it cannot be authorized, simply run it through the proper channels. This may be the case when a team or individual finds a tool that makes them more productive, but they adopt the technology without getting official approval first. Your client success team might be more efficient with Slack, but perhaps they need a Business subscription to meet compliance requirements not addressed by their free accounts.
  3. Eliminate the shadow, but keep the benefits. Maybe the sales team is only using Slack because they never received training or login credentials for their Microsoft Teams accounts. In this case, basic onboarding might eliminate unauthorized Slack usage without sacrificing productivity. After making the effort to understand why and how employees use the shadow apps discovered, there may be opportunities to offer them the same benefits without the risk.

At times, it may be difficult to resolve the use of shadow IT in a way that pleases all stakeholders, but at least the decision to authorize or forbid technology is in the right hands. Each of these three possible resolutions is an intentional, measured decision by the IT department or other leadership. Taking control of shadow technology is a vital step toward mitigating risk and meeting business goals.

Get Started With SaaS Discovery and Management

When you want to identify and control shadow IT, you do not have to do it alone. Modern SaaS management tools are purpose-built to address today’s security challenges and facilitate effective IT spending. Bring shadow apps into the light with holistic app discovery, shadow IT tagging, and streamlined renewal management. Contact Quolum to learn more about our SaaS management tool and receive access.
