- Create clear IT policies and guidelines
- Give employees proper training
- Enforce access controls and restrict usage
- Maintain an inventory of applications
The move to remote work increased employee need for various video and messaging applications. In an effort to maintain productivity and to help streamline processes that would otherwise be difficult out of the physical office, employees looked to SaaS to facilitate offsite collaboration – and these tools were not always sanctioned by IT, InfoSec, CISO, or finance. It’s important to understand the risks these applications pose to your organization. This blog discusses the definition of shadow IT and the best ways to manage it.
Shadow IT is all of the cloud services, software, and hardware used by an organization without the explicit permission of the IT team. With cloud-based applications on the rise, shadow IT is growing. Many employees turn to software applications without approval from IT because the tool gives them a sense of control over their work, offers a more productive alternative to an approved tool, or is something they plan to use only once.
A common scenario that leads to shadow IT is a manager using their company credit card to purchase an application for a project, intending to cancel the subscription once the project is complete. If the manager never informs the responsible department of the transaction, that department may never learn the software was purchased or used, or that it should be included in the company’s SaaS spend analysis.
Examples of shadow IT include unsanctioned use of third-party software and apps such as:
- Project management software: Trello, Asana, Microsoft Project, Jira
- Video conferencing software: Zoom, Google Meet, GoToMeeting
- Cloud storage: Google Drive, Dropbox, Box, and OneDrive
For example, if your company is Microsoft-centric, then Microsoft Project is likely the approved tool for creating a project plan. It would be considered shadow IT if you used a free trial of Asana to build the plan because that was the tool you felt more comfortable with.
Employees’ personal devices are a big source of shadow IT. The apps and technology on mobile phones or tablets are easy to access and available at low cost, and employees and teams quickly share a useful solution with each other, making it difficult for IT departments to monitor what is being used. For example, an employee accesses their work email on their personal cell phone or home computer without the oversight of the IT department. This may be convenient, but it poses security risks to the company. Some companies have a Bring Your Own Device (BYOD) policy that permits this; if yours does, the policy should spell out exactly what is allowed and under what conditions.
Unfortunately, as mentioned above, significant risks come along with using shadow IT. These shadow IT challenges often outweigh the arguable benefits. Using unapproved applications can lead to inefficient software license management and insecure access controls. While employees typically have good intentions when using unsanctioned applications, IT departments worry about the threats they pose and finance departments worry about unmanaged costs. Learn more about shadow IT risks below.
One of the biggest shadow IT problems is wasted investments. Without a close eye on technology, SaaS spend can grow quickly. Employees and managers forget to cancel accounts they stopped using, licenses of past employees aren’t revoked, and other issues arise. Unchecked, these applications can lead to needless spending or accidental renewals, especially when so many tools automatically renew without the client ever having to sign off on the tool.
Unsanctioned technology is difficult or even impossible for the IT department to manage. Company laptops are typically locked down so that employees cannot install software without IT’s approval; personal devices carry no such restrictions, which makes them the easy path to shadow IT. IT cannot fix or mitigate a network security risk it does not know exists.
More unsanctioned technology means more opportunities for data leaks. Without proper oversight, data can end up outside the organization’s control. If your company doesn’t have a decent content-sharing system, someone may decide to independently use Google Drive for collaboration. The employee has now taken the company’s intellectual property into their personal domain, most likely violating company policy and leaking company data where it doesn’t belong.
Shadow IT increases compliance issues. Security cannot be properly maintained once an organization loses control over where its data lives. If you can’t show proof of who accessed company data, you don’t meet certain privacy requirements, and for some industries, unsecured data is a regulatory problem.
Many people find themselves wondering, is shadow IT bad? In most cases, employees and teams use shadow IT to improve efficiency. While IT is not aware of the user’s tool usage, that does not imply the user has malicious intent. Some of the argued benefits of using unreported applications listed below will help you understand why employees turn to such measures.
With shadow IT, employees may feel they have a little more control over their work tasks. Rather than use unfamiliar or difficult technology, they use what they know. For example, if an employee previously used Asana at another company, but their current company doesn’t subscribe to the application, they may use Asana for a project without contacting IT first. Using the platform with which they are more comfortable can make their work experience more satisfying.
A big reason individuals use applications without specific approval from IT is to improve their productivity. If they choose to use unapproved technology, it could be because the company-sanctioned one isn’t getting the job done efficiently. Whether or not operational efficiency is worth the risk should be a decision made with IT’s input.
Despite the argued benefits, shadow IT still poses significant risks to a company. While it’s normal for employees to want tools that better aid their productivity, they need to alert IT to their use. It’s best to follow the tips below to effectively manage SaaS applications and ensure IT is aware of the total SaaS spend.
Reducing shadow IT security risks is critical. Use the best practices outlined below to manage shadow IT and keep data leaks under control.
The first step to managing shadow IT is building clear policies and guidelines for procuring and using third-party technology. Document a comprehensive, company-wide policy prioritizing company security. While communicating the policy, keep in mind team members don’t intend to put the company at risk. They just want to streamline their work process. Make it clear you understand incorporating new applications can improve efficiency, you just have to ensure IT department oversight.
Explain shadow IT risks in your cybersecurity training. This helps educate the organization on the dangers of using unapproved applications and software. Share best practices and security tips to ensure they properly navigate all technology used for work.
It’s important to control who has access to your network and to your data. Enforce identity and access policies, including multi-factor authentication when connecting to the network, and enforce it through single sign-on wherever an application supports it so that logins to approved SaaS tools are covered as well. In addition, IT can apply a default-deny (“deny all”) network access control so that only trusted or approved applications and destinations are reachable, which keeps untrusted applications from connecting to the network.
It’s important to conduct a shadow IT assessment periodically to maintain a proper inventory of all applications in use. Documenting all activities surrounding shadow IT creates an audit trail. Shadow IT audits look at all of the technology employees are using without the explicit knowledge of the IT department. Ask employees what they are using, monitor help desk requests, and check what people are claiming on expense reports.
What is shadow IT discovery?
Shadow IT discovery is the process of using an automated solution to analyze network traffic (for example, proxy, DNS, or firewall logs) to identify unknown applications employees are using. This solution should also provide a risk assessment of the software in use.
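The discovery process described above, together with the default-deny allowlist check from the access-controls section and the periodic inventory from the assessment section, can be reduced to a small script. The one below is an added example written for this page, not StackShine’s code or any product’s detection logic. It assumes a constructed proxy log in a simplified format (timestamp, user, method, URL or CONNECT target, status) and a hypothetical IT allowlist of sanctioned domains; every line of sample traffic is made up. Anything not on the allowlist is treated as unknown, and the unknown hosts are grouped by domain with the set of users who reached them, which is exactly the inventory a shadow IT audit needs.

```python
"""Shadow IT discovery over outbound proxy logs (added example, constructed data)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the domains IT has sanctioned. A host is approved only if it is one
# of these or a subdomain of one. Everything else is unknown (default deny).
SANCTIONED = {"office.com", "sharepoint.com", "teams.microsoft.com"}

# Constructed proxy log lines (not real traffic): timestamp user method target status
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET https://contoso.sharepoint.com/sites/eng 200
2024-03-04T09:13:44Z alice POST https://api.trello.com/1/boards 200
2024-03-04T09:15:10Z bob GET https://www.dropbox.com/home 200
2024-03-04T09:15:12Z bob GET https://app.asana.com/0/123/list 200
2024-03-04T09:16:00Z carol GET https://teams.microsoft.com/ 200
2024-03-04T09:17:30Z carol POST https://api.trello.com/1/cards 200
2024-03-04T09:18:05Z dave CONNECT zoom.us:443 200
2024-03-04T09:19:00Z mallory GET https://sharepoint.com.evil.example/login 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def host_of(target: str) -> str:
    """Extract the lowercase host from a full URL or a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def is_sanctioned(host: str, allowlist: set[str]) -> bool:
    """Default-deny check: True only for an allowlisted domain or a subdomain of it.

    The match is anchored on a label boundary, so 'notsharepoint.com' and
    'sharepoint.com.evil.example' are both rejected even though they contain
    the string 'sharepoint.com'.
    """
    return any(host == d or host.endswith("." + d) for d in allowlist)


def base_domain(host: str) -> str:
    """Group hosts by their last two labels (api.trello.com -> trello.com).

    Simplification for the example: a real tool would consult the public
    suffix list so that hosts under e.g. 'co.uk' are not collapsed together.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_line(line: str):
    """Parse one log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, target, status = m.groups()
    return {"ts": ts, "user": user, "method": method,
            "host": host_of(target), "status": int(status)}


def discover(log_text: str, allowlist: set[str]) -> dict[str, set[str]]:
    """Return {unsanctioned domain: set of users who reached it}."""
    found: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["host"]:
            continue  # unparseable or hostless line; skip rather than guess
        if is_sanctioned(rec["host"], allowlist):
            continue
        found[base_domain(rec["host"])].add(rec["user"])
    return dict(found)


if __name__ == "__main__":
    # Inventory of unknown applications, with user counts, for the audit trail.
    for domain, users in sorted(discover(SAMPLE_LOG, SANCTIONED).items()):
        print(f"{domain:24s} users={len(users):2d}  {', '.join(sorted(users))}")
```

Run against the constructed log, the script reports Trello, Dropbox, Asana and Zoom as unsanctioned, with the users behind each, while the SharePoint and Teams traffic is filtered out as approved. The look-alike host under `evil.example` is reported rather than silently allowed, which is the point of anchoring the allowlist match on a label boundary; a naive substring check would have passed it.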
What is shadow IT policy?
Shadow IT policies are guidelines outlining the appropriate procurement and use of software to mitigate shadow IT. They set restrictions on using third-party applications without the knowledge of the IT department. This helps reduce security risks and close off possible data leakage paths.
It’s critical to shine a light on shadow IT to ensure your company is aware of all SaaS spending. Tools are available to help with shadow IT management. Bring shadow IT out of the dark with StackShine, powered by LeaseQuery.
The SaaS management platform automatically detects your organization’s software applications, eliminating shadow IT and mitigating software sprawl. With hundreds of direct integrations, as well as browser extensions and plug-ins, StackShine works with the tools you already have to provide full visibility into your software usage and help you manage your software portfolio.