Shadow IT Risks & Management

Shadow IT
Shadow IT is something every IT leader of a growing organization will encounter at some point. It is therefore crucial to know why it occurs and how to manage it before it becomes a threat to the organization's efficiency, security and compliance.
 

The rise of cloud-based applications and services that need no central deployment and can be used by anyone regardless of technical background has given rise to a term every IT team should be familiar with by now. Shadow IT refers to the use of IT hardware or software by individuals or teams without the knowledge or approval of their organization's IT department. A common example is a marketing team adopting a cloud-based e-mail automation SaaS on its own, bypassing IT review altogether.

What Shadow IT means for an organization

At a time when it is easier, and seemingly more secure, than ever to improve and automate daily work with cloud software, employees are naturally tempted by the quick and easy setup most SaaS applications offer. Signing up and being ready to use a tool within minutes has become a convenient routine that most users are comfortable with and would not want to give up.

This frequently results in a situation where the average IT-driven organization uses around 185 tools while the IT department knows about only half of them. Research shows that this applies especially to organizations of more than 200 employees, where more complex structures form, information silos emerge and teams stop exchanging information. It goes as far as members of different teams using the same software without each other's or the IT team's knowledge.

Although SaaS users understandably enjoy the independence and flexibility the market offers, they often underestimate the risks that come with a growing share of Shadow IT. To limit those risks, it is the IT team's responsibility to raise awareness of the topic and point out the pitfalls of having the world of SaaS at everyone's fingertips.

Risks and challenges of Shadow IT

Wherever teams use unsanctioned cloud software without the IT department's knowledge, there are potential drawbacks, or outright risks to an organization's compliance, that need to be considered. They range from inefficient collaboration and hidden costs caused by a lack of SaaS visibility to more severe issues concerning data protection and IT security.
 
Without a centralized system of record to track new SaaS licenses, visibility of an organization's software landscape quickly diminishes. Yet proper insight into application spend and usage is crucial for identifying inefficiencies. Two teams may use the same software on separate plans, a team may independently subscribe to a tool the company already pays for, or money may go to active subscriptions nobody in the organization uses any longer. If the IT team is not made aware of these inconsistencies, the waste accumulates. On average, organizations miss out on a savings potential of 20% of their total SaaS spend because of Shadow IT.
 
Apart from cost inefficiencies, Shadow IT can also become a challenge for communication and collaboration between siloed teams that have implemented different solutions for the same task. Take an example where one team hosts its data and manages access permissions in Google Drive while another team stores its files in Dropbox. Besides the communication problems and lack of oversight this causes, data is likely to get lost moving between the two, and the IT team cannot restore anything saved in the unsanctioned app because it is not covered by the organization's backups. Teams that rely on Shadow IT for business-critical tasks cannot expect the IT team to be able to help them when something goes wrong.
 
When Shadow IT undermines the standards the IT team has set for company-wide compliance and regulation, it becomes a security risk in the long run. This includes sharing sensitive data such as passwords or customer information with unapproved apps that were never audited as to where the data is stored, whether it is shared with third parties, or even sold. At a time when companies must adhere to regulations like the GDPR, ensuring data privacy is a must. Shadow IT can lead to companies failing related audits because of the way their customer data is stored and processed.
 
Shadow IT also makes an organization more vulnerable to cyber attacks. Wherever employees use software that is not continuously reviewed by the IT department, they may expose critical systems and data to attackers, enlarging the attack surface. The risk grows with the degree to which Shadow IT apps are granted access to key assets such as APIs or databases, for example through API keys or OAuth grants that IT never reviewed. IT administrators can only monitor software they know about; in the event of a breach they will not know the full potential scope of the attack, leaving them unsure of what data was compromised and when.
 
Even without cybercriminals after your confidential data, gaps in the security posture open wherever IT is unable to revoke access when employees leave or change roles. Accounts in Shadow IT apps are not deprovisioned as part of the official offboarding protocol, because the directory and workflows that drive offboarding do not know those apps exist, leaving IT admins no way to prevent unauthorized access by former employees.
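The offboarding gap described above can be measured once an unsanctioned app's user list is in hand: export its users from the admin console and reconcile them against the HR directory. The script below is an added example, not code from the original article or from any product; the HR export, the two app exports (MailBlaster and DesignHub are invented names) and all addresses and dates are constructed for illustration.

```python
"""Reconcile user exports from discovered SaaS apps against the HR directory
to find accounts that the official offboarding process never reached.
Added example with constructed data: the apps, people and dates are invented."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR export: status is "active" or "terminated"; end_date set when terminated.
HR_CSV = """email,name,status,end_date
alice@example.com,Alice Adams,active,
bob@example.com,Bob Brown,terminated,2024-03-15
carol@example.com,Carol Clark,active,
dave@example.com,Dave Davis,terminated,2023-11-30
"""

# Constructed admin-console user exports from two apps IT discovered after the fact.
APP_EXPORTS = {
    "MailBlaster": """email,role,last_login
Alice@Example.com,admin,2024-05-01
bob@example.com,member,2024-04-02
eve.personal@gmail.com,member,2024-04-28
""",
    "DesignHub": """email,role,last_login
carol@example.com,owner,2024-05-03
dave@example.com,member,
""",
}


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    reason: str    # "terminated_user" or "unknown_identity"
    detail: str


def _norm(email: str) -> str:
    # Exports differ in case and whitespace; HR and app addresses must compare equal.
    return email.strip().lower()


def _parse_date(value: str) -> Optional[date]:
    # Exports often leave dates blank (never logged in); treat that as unknown.
    return date.fromisoformat(value.strip()) if value and value.strip() else None


def load_hr(hr_csv: str) -> dict:
    return {_norm(r["email"]): r for r in csv.DictReader(io.StringIO(hr_csv))}


def find_orphaned_accounts(hr_csv: str, app_exports: dict, corp_domain: str) -> list:
    """Return one Finding per account that should not exist: owned by someone
    HR says has left, or by an identity HR does not know at all."""
    hr = load_hr(hr_csv)
    findings = []
    for app, export in app_exports.items():
        for row in csv.DictReader(io.StringIO(export)):
            email = _norm(row["email"])
            record = hr.get(email)
            if record is None:
                # Personal addresses and unknown corporate addresses both need review.
                why = ("outside corporate domain" if not email.endswith("@" + corp_domain)
                       else "corporate address not in HR directory")
                findings.append(Finding(app, email, "unknown_identity", why))
            elif record["status"] == "terminated":
                left = _parse_date(record["end_date"])
                last = _parse_date(row.get("last_login", ""))
                why = f"left {left}, last login {last or 'unknown'}"
                if left and last and last > left:
                    why += " (logged in AFTER departure)"
                findings.append(Finding(app, email, "terminated_user", why))
    return sorted(findings, key=lambda f: (f.reason, f.app, f.email))


if __name__ == "__main__":
    for f in find_orphaned_accounts(HR_CSV, APP_EXPORTS, "example.com"):
        print(f"{f.app:12} {f.email:28} {f.reason:17} {f.detail}")
```

On the constructed data this flags three accounts: two former employees who still hold seats (one of whom logged in weeks after leaving) and one personal Gmail address that no offboarding process could ever have matched. The last-login check matters in practice: an account that was used after the departure date is evidence of unauthorized access, not just an unrevoked license.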
 
In the end, Shadow IT poses a serious risk to confidential data and to the efficiency of processes within a growing organization if it is not identified and handled correctly. However, it is hard to ignore that giving employees the freedom to choose and implement tools that make them more productive is a vital part of an organization's ability to act in a lean and flexible way.

How to respond to and handle Shadow IT

While fully eliminating Shadow IT from an organization is unrealistic, IT teams can apply a set of measures and tools that reduce its prevalence and minimize the risks described above. All of them rely on prevention, involving and educating employees early on, rather than reacting with penalties and blocking unsanctioned apps later, when teams already depend on them for business-critical processes.
 
In the common case of having no policy in place, IT first needs full visibility of the organization's active SaaS licenses. This can be achieved with a software audit that identifies all cloud apps in use across teams. Rather than running a manual audit based on checking credit card transactions or interviewing license owners, it is advisable to use tooling to uncover Shadow IT.
 
SaaS management software handles most of the heavy lifting by integrating with product APIs and monitoring browser data or credit card transactions to identify SaaS applications across networks and devices. This provides a central system of record that tracks which tools are used by whom and how much is spent on their subscriptions. Beyond usage and spend analytics, such tools often also automate user provisioning, making them well suited to onboarding new employees to their SaaS apps and, just as importantly, removing their access when they leave.
 
Once sufficient visibility is established, the responsible admins can define a structured approach for reviewing every application against existing security standards. Besides closing security gaps, they can easily uncover overlapping or unused software, identify savings potential and thereby contribute to the overall efficiency of the business.
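The credit-card-transaction side of the discovery step above, together with the overlap check that follows it, can be reduced to a small amount of code. The script below is an added example, not code from the original article or from any SaaS management product: it treats a merchant that is charged in two or more calendar months as a subscription, maps statement descriptors to app names with a pattern list, and compares the result with IT's inventory. The transactions, merchant names (MailBlaster, GitForge and ZenPage are invented), teams and the sanctioned inventory are all constructed for illustration.

```python
"""Discover SaaS subscriptions from corporate-card transactions and compare
them with IT's sanctioned inventory. Added example with constructed data;
merchant descriptors, teams, amounts and the inventory are invented."""
import json
import re
from collections import defaultdict
from datetime import date

# Constructed card transactions: (date, cardholder, team, statement descriptor, amount).
TRANSACTIONS = [
    ("2024-02-03", "alice", "marketing", "MAILBLASTER.IO  SUB", 49.00),
    ("2024-03-03", "alice", "marketing", "MAILBLASTER.IO  SUB", 49.00),
    ("2024-04-03", "alice", "marketing", "MAILBLASTER.IO  SUB", 49.00),
    ("2024-02-10", "bob", "sales", "DROPBOX*TEAMS", 90.00),
    ("2024-03-10", "bob", "sales", "DROPBOX*TEAMS", 90.00),
    ("2024-02-12", "carol", "design", "DROPBOX*PLUS", 11.99),
    ("2024-03-12", "carol", "design", "DROPBOX*PLUS", 11.99),
    ("2024-03-20", "dave", "engineering", "AMZN MKTPLACE", 35.50),   # one-off, not a subscription
    ("2024-02-01", "erin", "engineering", "GITFORGE LLC", 120.00),
    ("2024-03-01", "erin", "engineering", "GITFORGE LLC", 120.00),
    ("2024-02-15", "frank", "ops", "ZENPAGE INC", 29.00),            # recurring but unmapped merchant
    ("2024-03-15", "frank", "ops", "ZENPAGE INC", 29.00),
]

# Statement descriptor patterns mapped to app names (constructed; never complete in practice).
MERCHANT_PATTERNS = {
    r"^MAILBLASTER": "MailBlaster",
    r"^DROPBOX": "Dropbox",
    r"^GITFORGE": "GitForge",
}

# IT's inventory: app -> teams holding an approved subscription (constructed).
SANCTIONED = {
    "Dropbox": {"sales"},
    "GitForge": {"engineering"},
}


def classify_merchant(descriptor: str):
    """Map a statement descriptor to an app name, or None if unrecognised."""
    for pattern, app in MERCHANT_PATTERNS.items():
        if re.match(pattern, descriptor):
            return app
    return None


def recurring_subscriptions(transactions, min_months=2):
    """Group charges by (app, team) and keep those billed in at least min_months
    distinct calendar months, so one-off purchases drop out. Unrecognised
    merchants that recur are returned separately for manual review."""
    groups = defaultdict(lambda: {"months": set(), "holders": set(), "amounts": []})
    unknown = defaultdict(set)
    for day, holder, team, descriptor, amount in transactions:
        month = date.fromisoformat(day).strftime("%Y-%m")
        app = classify_merchant(descriptor)
        if app is None:
            unknown[descriptor].add(month)
            continue
        group = groups[(app, team)]
        group["months"].add(month)
        group["holders"].add(holder)
        group["amounts"].append(amount)
    subs = {key: g for key, g in groups.items() if len(g["months"]) >= min_months}
    unknown_recurring = sorted(d for d, months in unknown.items() if len(months) >= min_months)
    return subs, unknown_recurring


def audit(transactions, sanctioned, min_months=2):
    """Report subscriptions IT has not sanctioned for that team, apps paid for
    by more than one team, and recurring merchants the pattern list missed."""
    subs, unknown_recurring = recurring_subscriptions(transactions, min_months)
    unsanctioned = []
    teams_per_app = defaultdict(set)
    for (app, team), info in sorted(subs.items()):
        teams_per_app[app].add(team)
        if team not in sanctioned.get(app, set()):
            avg = round(sum(info["amounts"]) / len(info["amounts"]), 2)
            unsanctioned.append({"app": app, "team": team,
                                 "cardholders": sorted(info["holders"]), "avg_charge": avg})
    duplicates = {app: sorted(teams) for app, teams in teams_per_app.items() if len(teams) > 1}
    return {"unsanctioned": unsanctioned, "duplicates": duplicates,
            "unknown_recurring": unknown_recurring}


if __name__ == "__main__":
    print(json.dumps(audit(TRANSACTIONS, SANCTIONED), indent=2))
```

On the constructed data this surfaces the marketing team's e-mail tool and a second, separately billed Dropbox plan in the design team (the overlap the text warns about), while the one-off Amazon purchase is ignored. The ZenPage charges show the caveat any practitioner should keep in mind: a descriptor-to-app mapping is never complete, so recurring merchants that fail to classify must be reviewed by hand rather than silently dropped.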
 
When developing an effective policy for introducing cloud-based software, it is crucial to embrace the original drivers of Shadow IT. Instead of demotivating employees with tedious approval processes, they should be encouraged to introduce and work with innovative software that makes them more productive. This is best achieved through a clear, well-known protocol for requesting new apps, which gives IT the chance to review the software and restrict its use if necessary. Additionally, raising awareness of cybersecurity and data protection as part of onboarding ensures every member of the organization feels comfortable taking ownership of decisions about software implementation.
 
In the end it is not a question of whether Shadow IT exists, but of how it is managed throughout the organization. To handle its risks effectively and react to vulnerabilities before they turn into serious issues, visibility is key. Only by applying an open policy that lets employees choose their own tools while ensuring visibility of all software assets can the issues around Shadow IT be reduced to a manageable minimum.
