Security & Compliance

  • 8 min read

Remedying Shadow IT within your organization - A Complete Guide

Chaithanya Yambari

22nd January, 2024

SHARE ON:

Back in the day, employees worked from a workstation with a limited set of applications to go about their tasks. Fast forward to 2024, the workforce is scattered across the country and sometimes even across the globe. The usage of SaaS applications has grown exponentially since the pandemic, making remote work easy.

Here’s a stat that supports the ongoing trend of SaaS application usage. The percentage of SaaS-powered workplaces is expected to jump from 45% in 2021 to 79% in 2024, according to a survey conducted by Statista.

As SaaS applications keep growing, managing them efficiently takes a lot of effort and time. When unmanaged, it leads to chaos regarding who owns what apps, who uses which apps, and who is signing up for unauthorized and risky applications.

“Introducing Shadow IT”

What is Shadow IT?

Shadow IT is the use of hardware or software within an org that is not approved or supported by the organization's central IT department.

According to a report by ZDNet, At least 40 percent of IT employees reported having used a device, application, or other technology that is new to the organization without first receiving approval from their managers.

Here are a few examples of Shadow It cases

The Coca-Cola trade secret case:

A research engineer employed elementary methods to obtain trade secrets from Coca-Cola but evaded detection until she tried to do the same in a different company. This news created a sensation in 2019.

One of the major reasons was the usage of unsanctioned devices. Prohibiting personal and non-authorized electronic devices, including smartphones, could have protected Coca-Cola’s trade secrets. The value placed on developing the stolen technologies is $119.6 million. Click here to read the complete story.

US water treatment facility case:

On February 5, 2021, hackers accessed a U.S. water treatment facility's SCADA system, manipulating sodium hydroxide levels. Weaknesses in cybersecurity, including poor passwords and an outdated OS, likely facilitated the unauthorized access. 

It is said that using desktop sharing software such as TeamViewer is a potential cause for the breach, though unconfirmed. Click here to read the article.

Ways in which Shadow IT creeps into an organization

When it comes specifically to SaaS Shadow IT, there are prevalent ways in which Shadow It creeps into an organization. Many team collaboration apps serve the same purpose, underutilization of training portals and security mismanagement of web conferencing tools and so on. Let’s dive deep.

• Unsanctioned software and hardware usage

Unsanctioned software and hardware usage pose a significant challenge for organizations, as employees independently adopt newer tools without IT approval. Unapproved software may lack essential security measures the organization is set to abide by, leaving the organization vulnerable to potential data breaches.

The use of non-compliant applications and external devices raises concerns about regulatory adherence, exposing the organization to legal consequences. Moreover, the fragmented nature of multiple unregulated tools can hinder collaboration and decision-making, impacting overall organizational efficiency.

• Remote work and SaaS adoption

The accelerated shift to remote work has brought about a surge in the adoption of SaaS, in many cases, without proper IT oversight. This independent adoption introduces security vulnerabilities and unauthorized access risks, as not all SaaS apps may align with the organization's security standards.

Using disparate and unsanctioned SaaS tools comes with its cons. Firstly, stickiness within the organizational ecosystem is compromised. Secondly, it hinders seamless data flow across systems. On top of this, independently chosen SaaS apps may raise data privacy concerns and compromise the integrity of sensitive information.

• Third-party vendors and contractors

Relying on third-party vendors and contractors for software solutions introduces its own set of challenges. The security and compliance standards of these external tools and organizations may not align with yours, posing risks to data integrity and overall system security.

On the other hand, this also results in redundant applications being used across the organization when businesses fail to supervise collaborations from one dashboard.

• Departmental Initiatives

Independent initiatives within different departments often result in the adoption of redundant tools, causing operational inefficiencies and increased costs. Collaboration challenges emerge when various departments use disparate tools that do not integrate seamlessly.

The lack of a unified approach to technology adoption hinders organizational efficiency and impedes scalability.

• Lack of employee training

Employees turn to unsanctioned tools when they feel a) The tools used within the organization aren’t efficient compared to other tools in the market, b) They aren’t educated enough on the complete potential of the tools that are currently available.

Insufficient training on approved tools may inadvertently expose employees to using other tools in the market without the notice of IT. Productivity loss becomes a concern when employees are not adequately trained to use existing tools or not trained to follow the protocol of incorporating new tools.

• Outdated IT policies

Using outdated IT policies can result in significant negative impacts on an organization. Security gaps will arise as these policies may not address current and evolving cyber threats, leaving the organization vulnerable to attacks.

The technological lag caused by outdated policies hinders the adoption of newer, more efficient technologies, impacting the organization's competitiveness. Ultimately, it could potentially lead to legal and regulatory issues.

Here’s how Shadow IT negatively impacts an organization

• Data loss and leakage risks:

Shadow IT introduces a substantial risk of data loss and leakage within an organization, which ultimately affects regulatory compliance. The use of unauthorized applications and services may lack the robust security measures implemented by the IT department. Consequently, sensitive data becomes susceptible to unauthorized access, potentially leading to data breaches. 

The inadvertent or intentional sharing of information through unapproved channels raises concerns about confidentiality, integrity, and compliance, putting the organization's reputation and legal standing at risk.

• Inconsistent control:

One of the significant negative impacts of Shadow IT is the erosion of centralized control over the organization's IT infrastructure. When employees independently choose and use tools and services without IT approval, the organization cannot enforce consistent security protocols and access controls. 

Inconsistent control mechanisms create vulnerabilities, as different departments or teams operate with varying levels of security and compliance. This lack of uniformity makes it challenging for the IT department to monitor, manage, and respond effectively to potential security threats.

• Application redundancy:

The unchecked growth of unsanctioned applications often gives rise to redundancy within the organization's technological ecosystem. Distinct departments may adopt similar tools independently, leading to a fragmented and inefficient IT landscape. 

Beyond complicating the management of various software solutions, application redundancy incurs unnecessary licensing, maintenance, and support costs. This inefficiency hampers organizational agility and undermines the potential benefits of streamlined and integrated technologies.

• Increased costs:

Shadow IT significantly contributes to escalating operational costs within an organization. Adopting unapproved applications and services necessitates additional licensing, security measures, and support resources. The decentralized nature of Shadow IT leads to suboptimal resource allocation and budget overruns. 

Addressing security incidents or integrating disparate tools further exacerbates financial strain. The resultant burden undermines the organization's budget optimization capacity, potentially impeding other strategic initiatives.

• Compliance challenges:

The unregulated usage of applications and services without proper IT oversight presents profound compliance challenges for organizations. Various industries have specific regulatory requirements governing data handling, privacy, and security. 

Shadow IT introduces non-compliance risk, leaving the organization vulnerable to legal consequences, fines, and reputational damage. Failure to adhere to regulatory standards not only jeopardizes the trust of customers, partners, and stakeholders but also underscores the critical need for organizations to prioritize compliance to ensure ethical business practices and sustained success.

How can organizations detect and remedy Shadow IT?

Now that we understand how Shadow IT creeps into an organization and what are the ways in which it negatively impacts an organization, addressing and managing the risks associated with Shadow IT is crucial.

Here are the ways in which an organization can detect and remedy Shadow IT,

Assess risk and breach possibilities:

• Begin by conducting a comprehensive risk assessment to understand the potential impact of Shadow IT on the organization's security and compliance.

• Identify sensitive data and critical systems that may be at risk due to unauthorized applications and services.

• Evaluate the likelihood of breaches and the possible consequences to prioritize remediation efforts.

Use a powerful discovery engine:

• Implement a robust discovery engine or tool capable of scanning network traffic, endpoints, and cloud environments to identify unauthorized applications and services.

• Leverage advanced analytics and machine learning algorithms to detect patterns and anomalies associated with Shadow IT activities.

• Regularly update and refine the discovery engine to adapt to evolving technology landscapes and emerging Shadow IT trends.

View all apps from one dashboard:

• Consolidate all discovered applications and services into a centralized dashboard, providing a unified view for IT administrators.

• Categorize applications based on risk levels, usage patterns, and business impact to prioritize remediation efforts effectively.

• Enable real-time monitoring to promptly detect and respond to new instances of Shadow IT, ensuring a proactive approach to mitigating risks.

Establish a SaaS procurement policy:

• Develop and communicate a clear and comprehensive Shadow IT policy outlining the organization's stance on unauthorized technology usage.

• Collaborate with key stakeholders, including IT, legal, and compliance teams, to ensure alignment with regulatory requirements and internal governance standards.

• Educate employees about the risks associated with Shadow IT and the consequences of violating the policy.

• Implement a transparent process for employees to request new technologies, ensuring a balance between innovation and security.

The combination of risk assessment, advanced discovery tools, centralized monitoring, and a well-defined policy will empower organizations to maintain control over their technology landscape and mitigate the security risks posed by unauthorized applications. These are the proactive measures an organization can take to detect and remedy Shadow IT.

Creating a Shadow IT Policy

• Agree on the level of risk associated with apps

Classify applications into risk categories based on data sensitivity, compliance requirements, and potential impact on business operations. Defining the criteria for categorizing applications as low, moderate, or high risk provides a foundation for decision-making in procuring and using technology.

• Establish a SaaS app procurement process

Develop a transparent and centralized process for procuring SaaS applications within the organization. A centralized approval mechanism allows the stakeholders to evaluate the security, compliance, and business implications. Integrating the procurement process with the overall IT governance framework ensures alignment with security, compliance, and business objectives.

• Train and educate users on IT procurement

Conduct regular training sessions to educate employees on the organization's IT procurement policies, including the risks associated with unauthorized technology usage. Provide clear guidelines and communication channels for employees to seek approval or guidance when considering the adoption of new technologies.

Navigating the Balance: IT Empowerment vs Control

All these apps are not bad on their own. The problem arises when you are unaware of their existence in your organization.

Employees constantly look for ways to improve their productivity (and that's a good thing, isn't it?). So, they try new tools that can help them do things more efficiently than what is possible to do with the tools provided by the company.

Many of these tools don't work, but employees ultimately find one that works best in most cases. When they do, they don't use the ones provided by the company.

On the good side, these employees make your business competitive and innovative. Other team members often replace their current apps with new ones when they find these apps to be better. If you restrict employees from signing up for new apps, you lose team collaboration and productivity.

But why don't these employees loop in IT?

Misalignment in roles and responsibilities. Many business & tech leaders still hold IT alone responsible for security and compliance. While this was reasonable in the on-premise world, it's not justifiable in the SaaS world.

The SaaS ecosystem is not centralized like the traditional software world. Users drive it instead of IT. In their interest, IT rejects employees' apps and sometimes blocks them through a firewall or proxy. However, for every blocked app, employees find something lesser-known, which is even riskier.

"Individual employees, including those in top positions, are spending money on technology,"  says Andrew Horne, MD, CEB London, "because they see it as an interesting and exciting opportunity to enhance the business. Also, they want to experiment with technology." 

He further adds, "It is healthy unless they are not duplicating what the company is already doing."

Case Studies: Success Stories of preventing Shadow IT

KoinWorks is Indonesia’s first Super Financial App, with over 1.5 million users to date. Zluri, a SaaS Management Platform, helped Koinworks map all the critical SaaS tools running in their organization. Identify underutilized and redundant SaaS applications and help save $400K through direct and indirect savings. Read the complete case study here: https://www.zluri.com/case-studies/koinworks-case-study/ 

Conclusion

A fine balance between encouraging new technology and having central and transparent supervision would help employees be productive while not compromising security. From discovering applications to bringing policies into action, various platforms in the market help organizations with it.

FAQs

• How does Shadow IT typically emerge within an organization?

Shadow IT often arises when employees, departments, or teams independently adopt and implement technologies to address specific needs without involving the IT department.

• What is a Shadow IT policy, and why is it important?

A Shadow IT policy outlines the organization's stance on unauthorized technology usage and provides guidelines for IT procurement, risk assessment, and user education.

• How can IT departments work collaboratively with employees to address Shadow IT?

Collaboration involves open communication, providing approved alternatives, and involving employees in the decision-making process for new technologies.

• How can organizations balance innovation with the need for IT oversight?

Balancing innovation requires establishing transparent processes for technology adoption, involving relevant stakeholders, and maintaining open lines of communication between IT and business units.

• What are the legal and compliance implications of Shadow IT?

Shadow IT can lead to non-compliance with industry regulations and legal standards, potentially resulting in fines, legal actions, or reputational damage.

About the author

Chaithanya Yambari

Chaithanya Yambari is one of the co-founders of Zluri. A post-grad from BITS Pilani, he oversees the product and technology roadmap at Zluri. Before Zluri, he was part of the founding team at KNOLSKAPE, heading the engineering team.
An avid tech enthusiast, he is often found testing various softwares and smart devices or attending conferences to update his knowledge and expertise.

When not exuding his passion for technology, Chaithanya is an avid traveler, having traveled to over 28 countries across the globe already. Being professionally trained in baking, he spends his weekends trying to dabble a new recipe.