Security & Compliance

  • 4 min read

Shadow IT Risks: Security, Compliance and Financial Risks due to SaaS Apps

Ritish Reddy

23rd February, 2022

SHARE ON:

1. Security Risks Due to SaaS Apps

The proliferation of shadow IT introduces various security gaps. These unsanctioned apps don't undergo security protocols and lack governance measures that are enforced on an IT Sanctioned app.

I'm not saying that all of these unsupported SaaS applications are a threat, but those that encourage sharing sensitive data are what you need to watch out for. File sharing and collaboration apps like Dropbox and Google Docs can lead to data leaks. 

• Security gaps related to employees. If employees store and use data from multiple locations, especially outside the company network and firewall, the IT department can't plan for data security across these hidden cloud applications. 
  
  When the IT department loses control over the SaaS applications deployed, it makes the entire company's data vulnerable. It also makes confidential information unprotected and susceptible to all kinds of security breaches. 
  
  The breach could be even by a former employee whose access hasn't been terminated. 
  
  Another problem with shadow apps is employees store credentials for their cloud apps in their browsers, spreadsheets, or consumer vaults. These are the risky practices that lead to credential theft. 
  
  The worst is the practice of using the same credentials for multiple accounts and using the same credentials to access the shadow IT softwares.
  
  For cybercriminals, it is a goldmine because the returns for a successful attack are much higher than when an employee uses different credentials for different accounts.

• Security gaps from the vendors' end. Due to shadow apps, your data can be shared with third-party vendors by employees, increasing the risk of data theft. 
  
  You never know who has access to which data, making it difficult for the IT department to take control. 
  
  Baseline security is also not enforced from the vendor's end on these apps, such as multi-factor authentication and password strength. These vendors may be given Edit access to company data where only View access is required, thus breaking the least privileged role-based access controls. 
  
  Shadow apps lack central account management where they can be set up, rotated, and monitored appropriately. 

• Data loss. In modern organizations that run on data, the consequences of data loss are severe. Organizations can lose access to data, mainly when an employee who owns a set of information leaves the company. 
  
  It often happens in companies that have BYOD (bring your own device) policy.
  
  A simple example could be an employee storing information in a personal Dropbox or a Google Drive account. In such a case, it would be difficult to get back the critical data stored in the user's personal account. It is almost impossible if the employee leaves.

• No Governance Over How Data Is Managed After Termination
  
  When an employee manages apps of their own, it is not uncommon to forget to pay for renewals. These software services usually get terminated when there is a failure or delay in the payment of bills. So companies have no way of recovering data once lost.
  
  The IT must know what apps are in use to mitigate these risks associated with shadow apps.

2. Compliance & Regulations Risks Due to SaaS Apps

Companies need to be compliant either because there are government regulations in industries, such as healthcare or fintech or because the clients' requirements are growing in this area. If you are selling to enterprises, the minimum they will ask you to be SOC 2 compliant. 

There are other regulations from the government end that companies need to follow, such as GDPR, CCPA, PCI DSS, HIPAA, ISO 27001, etc.

• Damage your company's brand reputation. To comply with these regulations, companies internally have IT governance guidelines. Software Asset Management (SAM) guides businesses in the procurement of software, but with shadow IT, there is no scope for proper documentation and approval of such apps.
  
  Shadow IT brings the possibility of violating regulations like HIPAA, GDPR, PCI DSS, ISO 27001, or SOC 2 because most of these regulations are based on data flows and storage. 
  
  So when an employee signs up for a shadow IT application, they store data in an unknown and unauthorized location. This lack of security can lead to compliance violations, data breaches, and ultimately fines.
  
  During audits by regulators, it could lead to hefty fines, lawsuits, or in a worst-case scenario, even jail. 
  
  This damages your company's brand reputation in the market.
  

  

  

• A mismatch between plans and reality. When employees buy applications independently, it consumes the budget at the department and business unit levels. Since IT is unaware of the buying process, it leads to a mismatch between the plan and execution.
  
  For example, your company's CMO has plans to utilize a marketing budget of $1.5M. But if the marketing executives end up purchasing apps worth $150,000, wouldn't it impact the plan made by the CMO? 
  
  Here, the main thing to note is top-down procurement doesn't work.  Procuring apps without employee feedback gives rise to 'shadow IT.' 
  
  Suppose employees are uncomfortable with a particular application and feel that the UI is difficult to understand. In that case, they will switch to apps with ease of use without the consent of the IT department to do their work. 

3. Financial Risks Due to SaaS Overspending and other Business Problems

• Collaboration inefficiencies. When employees across departments use different applications for the same function, it leads to collaboration inefficiencies. The whole process becomes inefficient when there are multiple versions of data existing in different locations.
  For example, one department uses Slack for communication, and another department uses Microsoft Teams. When they both need to work on a project together, it gets complicated. In the remote work scenario, effective communication is a must.

• No technical support. If you need help doing a particular task in a shadow application or require some training, the IT department wouldn't be able to assist you as they would lack knowledge and documentation. If there is a time-bound project dependent on shadow IT software, then the consequences would be severe.

• IT budget wastage. Shadow apps lead to redundant applications, lapsed subscriptions, and data silos. Beyond just the data risks, it also causes wastage of resources as there will be different duplicate solutions that different departments use. 

Book a Demo

About the author

Ritish Reddy

Ritish is one of the co-founders of Zluri, the SaaS management tool for IT teams. He leads the Marketing and Partnerships as part of his role. Before Zluri, he was part of the founding team at KNOLSKAPE and Co-Founder at Cranium media. Ritish is an MBA graduate and is passionate about building, and scaling businesses ground up. He is an avid reader and loves exploring book stores and libraries in different parts of the world. He loves painting with his 4-year-old daughter.