9th May, 2021
80% of the employees admit that they use apps that aren’t approved by IT. For companies, this behavior has both pros and cons. An effective shadow IT policy reaps the benefits while mitigating the risks.
Shadow IT is the use of software or hardware without the knowledge of the IT team. Our research on SaaS Management shows that 57% of IT leaders are concerned about shadow IT.
In this article, I'm going to focus exclusively on the role of SaaS in shadow IT.
Cloud services, especially SaaS, have become the most significant contributors to shadow IT in recent years
The number of SaaS apps used in organizations has increased in recent years as employees sign up & use new apps regularly without IT (or anyone from the organization) vetting the apps for data security and compliance risks.
If a team finds ClickUp more intuitive than Asana, they'll end up discarding the latter, but the organization would still be paying for it. This leads to wastage of funds.
Additionally, these apps are potential vulnerabilities, as there is a risk of data leak & compliance issues from these apps.
SaaS apps fall into these categories:
IT managed apps are those procured and managed by IT. These apps are either complex in nature that requires setup and configuration or store critical business data that require monitoring for security and compliance reasons.
Examples: Okta, Salesforce, Office 365, AWS
Non-IT managed are the ones that are procured by IT and managed by department heads and business units. The IT needs to vet the apps for security, compliance and do price negotiations.
Once implemented, the IT is not involved in the day-to-day operations of the day. Giving access to a user or terminating access of a user is done at a local level by department or team heads.
IT can still come into the picture when support is required for specialized tasks, such as data migration when changing applications.
Examples: Workday, Mail Chimp, Adobe Creative Cloud
And employee purchases are the apps that are procured and managed by employees. In the product-led era, when SaaS vendors have made it easy to try apps, it’s easy for new apps to find their way into an organization.
If useful, they get adopted by the entire team, department, business unit, or even organization.
Examples: Slack, Hangouts, Google Meet, Marketo, DropBox
Some organizations also consider social media apps as shadow apps.
As the landscape is shifting from IT managed to employee purchases, there is a move toward decentralization, leading to compromise in governance and SaaS sprawl.
Companies have recently seen a drastic increase in shadow apps. The driving factors for this increased SaaS adoption are the pandemic and remote work.
From traditional software licensing models, organizations have started shifting to the SaaS model as it is comparatively more accessible, convenient, and cost-effective.
On-prem software solutions usually require a different set-up on the customer's end that involves purchasing hardware, data center resources, resilience measures, substantial implementation cost, and staff for monitoring and maintenance.
SaaS business model. Many SaaS companies use product-led models for growth, which means they target the end-user for product adoption. Due to the user-friendly nature of SaaS, employees can quickly sign up for new products and evaluate their benefits.
Most SaaS companies offer either a free trial or follow a freemium business model, which encourages users to try their apps.
Remember the days when Microsoft Office was installed on every PC? With the evolution of the cloud, you get access to office 365 with a single click.
Offers Software integration. Connecting apps is easier in the SaaS world. Most of the apps offer direct one-click integrations with other complementary apps. Even if the native app doesn't provide a direct integration, you can use services like Zapier and Integrately.
Then there have been external factors that have pushed companies to adopt SaaS. The pandemic pushed the companies to adopt SaaS to ensure business continuity.
76% of the employees say they prefer to work from home, further pushing companies to offer remote work to retain and attract good talent.
It starts a cycle. More remote employees mean more SaaS apps, which means more shadow apps.
It starts a cycle. More remote employees mean more SaaS apps, which means more shadow apps.
As the number of remote jobs grows, so does shadow IT.
The proliferation of shadow IT introduces various security gaps. These unsanctioned apps don't undergo security protocols and lack governance measures that are enforced on an IT Sanctioned app.
I'm not saying that all of these unsupported SaaS applications are a threat, but those that encourage sharing sensitive data are what you need to watch out for. File sharing and collaboration apps like Dropbox and Google Docs can lead to data leaks.
Security gaps related to employees. If employees store and use data from multiple locations, especially outside the company network and firewall, the IT department can't plan for data security across these hidden cloud applications.
When the IT department loses control over the SaaS applications deployed, it makes the entire company's data vulnerable. It also makes confidential information unprotected and susceptible to all kinds of security breaches.
The breach could be even by a former employee whose access hasn't been terminated.
Another problem with shadow apps is employees store credentials for their cloud apps in their browsers, spreadsheets, or consumer vaults. These are the risky practices that lead to credential theft.
The worst is the practice of using the same credentials for multiple accounts and using the same credentials to access the shadow IT softwares.
For cybercriminals, it is a goldmine because the returns for a successful attack are much higher than when an employee uses different credentials for different accounts.
Security gaps from the vendors' end. Due to shadow apps, your data can be shared with third-party vendors by employees, increasing the risk of data theft.
You never know who has access to which data, making it difficult for the IT department to take control.
Baseline security is also not enforced from the vendor's end on these apps, such as multi-factor authentication and password strength. These vendors may be given Edit access to company data where only View access is required, thus breaking the least privileged role-based access controls.
Shadow apps lack central account management where they can be set up, rotated, and monitored appropriately.
Data loss. In modern organizations that run on data, the consequences of data loss are severe. Organizations can lose access to data, mainly when an employee who owns a set of information leaves the company.
It often happens in companies that have BYOD (bring your own device) policy.
A simple example could be an employee storing information in a personal Dropbox or a Google Drive account. In such a case, it would be difficult to get back the critical data stored in the user's personal account. It is almost impossible if the employee leaves.
No Governance Over How Data Is Managed After Termination
When an employee manages apps of their own, it is not uncommon to forget to pay for renewals. These software services usually get terminated when there is a failure or delay in payment of bills. So companies have no way of recovering data once lost.
The IT must know what apps are in use to mitigate these risks associated with shadow apps.
Companies need to be compliant either because there are government regulations in industries, such as healthcare or fintech or because the clients' requirements are growing in this area. If you are selling to enterprises, the minimum they will ask you to be SOC 2 compliant.
There are other regulations from the government end that companies need to follow, such as GDPR, CCPA, PCI DSS, HIPAA, ISO 27001, etc.
Damage your company brand reputation. To comply with these regulations, companies internally have IT governance guidelines. Software Asset Management (SAM) guides businesses in the procurement of software, but with shadow IT, there is no scope for proper documentation and approval of such apps.
Shadow IT brings the possibility of violating regulations like HIPAA, GDPR, PCI DSS, ISO 27001, or SOC 2 because most of these regulations are based on data flows and storage.
So when an employee signs up for a shadow IT application, they store data in an unknown and unauthorized location. This lack of security can lead to compliance violations, data breaches, and ultimately fines.
During audits by regulators, it could lead to hefty fines, lawsuits, or in a worst-case scenario, even jail.
This damages your company's brand reputation in the market.
A mismatch between plans and reality. When employees buy applications independently, it consumes the budget at the department and business unit level. Since IT is unaware of the buying process, it leads to a mismatch between the plan and execution.
For example, your company's CMO has plans to utilize the marketing budget of $1.5M. But if the marketing executives end up purchasing apps worth $150,000, wouldn't it impact the plan made by the CMO?
Here, the main thing to note is top-down procurement doesn't work. Procuring apps without employee feedback gives rise to 'shadow IT.'
Suppose employees are uncomfortable with a particular application and feel that the UI is difficult to understand. In that case, they will switch to apps with the ease of use without the consent of the IT department to do their work.
Collaboration inefficiencies. When employees across departments use different applications for the same function, it leads to collaboration inefficiencies. The whole process becomes inefficient when there are multiple versions of data existing in different locations.
For example, one department uses Slack for communication, and another department uses Microsoft Teams. When they both need to work on a project together, it gets complicated. In the remote work scenario, effective communication is a must.
No technical support. If you need help doing a particular task in a shadow application or requires some training, the IT department wouldn't be able to assist you as they would lack knowledge and documentation. If there is a time-bound project dependent on shadow IT software, then the consequences would be severe.
IT budget wastage. Shadow apps lead to redundant applications, lapsed subscriptions, and data silos. Beyond just the data risks, it also causes wastage of resources as there will be different duplicate solutions that different departments use.
Shadow IT is a current business reality. It's difficult to discard it through security policies. Though it poses compliance & security risks, it drives innovation in your company and improves your employees' productivity.
One rising tide lifts all the boats
Most of the standard apps widely today (hello Slack) were once shadow apps. But once they were discovered and business leaders (or CIOs) realized their value, they were rolled out in the entire company.
Just one example creates a positive impact for the entire shadow apps in the minds of tech leaders. They are now more receptive to such bottom-up demands from the employees. The saying, "One rising tide lifts all the boats," perfectly fits in this case.
A survey by Entrust Datacard revealed that employees were more productive when allowed to use their preferred applications, and 80% also said that their organizations must deploy tools that employees suggest.
Competitive advantage to your business. It is necessary to find new solutions and innovative ideas to transcend the competitors in the current business environment. If your employees are constantly looking for new ways to do things more effectively, it will make your company more innovative.
Imagine a project on training a new machine learning model, which was expected to be completed in 3 months got completed in 2 months because an employee found an app that could automate annotation for training the data sets saving the team many weeks of work.
The flexibility offered by apps in the market may invoke an employee to choose them over the ones provided by the IT department. Also, there are chances for a specific employee who does a particular work to know which tool will be better for the work to be done effectively.
New tools have the potential to remodel the old processes, making employees work smarter in a shorter amount of time.
Increases employee productivity. The main reason employees turn to shadow apps is that the apps provided by the information technology department are either difficult to use or don't solve the problem or entangle from the restrictions set up by the organization. Embracing shadow IT, can give employees the tools they need daily to complete tasks.
With tools that have complex UI, they will spend more time learning and understanding it. But tools of their interest can make them accomplish anything within a short period.
You need to collaborate with your employees and encourage them to come to you when they need a new application. It would help if you created open communication channels to do this.
You can survey your employees to know why they have chosen a specific app over what's provided by the company. You can interview the employees to understand why they feel it is better suited to do work.
This way, you can learn about new emerging applications and make relevant changes in your SaaS stack to better suit your organization's needs.
Employees become a great source of expert insight for ways to increase productivity and efficiency of work. Since they perform the day-to-day task, they know which tools make them complete the process faster and easier and make their workflow inefficient.
Also, these new SaaS tools act as a motivation for employees to achieve more with less, which in turn increases their engagement.
More heads look for better tools. In the past, it was the IT department doing all the tasks related to technology. They were controlling it in a way that doesn't make sense in the SaaS world.
Gone are those days when the IT department was the one with access to technology. Today it is easy for anyone to procure an application, use it and discard it.
If the IT department helps employees address their needs and get the tech tools they need in a secured manner, employees will look for better tools, and the IT doesn't need to pull it all by themselves.
This streamlines the work of IT as the employees themselves are looking for tools that will help them complete tasks quickly and easily.
Drives digital transformation. Due to a lack of communication between the IT department and employees, the former isn't aware of whether the employees are happy with the tech stack. This is the main reason shadow IT exists in organizations.
Instead of reducing shadow IT, you can analyze the type of shadow apps that each department uses to understand the individual needs and know what their core necessities are. It drives digital transformation and enhances communication with the employees.
It also helps you attract and retain talented employees. Employees want to work on the latest technology to remain competitive. If you force them to use legacy software, they will leave for those organizations that understand this game.
Shadow IT Risks
All these apps are not bad on their own. The problem arises when you are not aware of their existence in your organization.
Employees constantly look for ways to improve their productivity (and that's a good thing, isn't it?). So, they try new tools that can help them do things more efficiently than what is possible to do with the tools provided by the company.
Many of these tools don't work, but employees ultimately find one that works best in most cases.
When they do, they don't use the ones provided by the company.
On the good side, these employees make your business competitive and innovative. Often, other team members also replace their current apps with these new ones when they find these apps to be better.
If you restrict employees from signing up for new apps, you lose team collaboration and productivity.
Misalignment in roles and responsibilities. Many business & tech leaders still hold IT alone responsible for security and compliance. While this was reasonable in the on-premise world, it's not justifiable in the SaaS world.
The SaaS ecosystem is not centralized like the traditional software world. Users drive it instead of IT.
In their interest, IT rejects apps used by employees and sometimes blocks these apps through a firewall or proxy. However, for every blocked app, employees find something lesser-known which is, even riskier.
"Individual employees including those in top positions are spending money on technology," says Andrew Horne, MD, CEB London, "because they see it as an interesting and exciting opportunity to enhance the business. Also, they want to experiment with technology."
He further adds, "It is healthy unless they are not duplicating what the company is already doing."