How to Uncover Shadow IT + Build a Secure-by-Design Organization
Cloud computing not only gave us a lifeline through the pandemic, but it’s also fueling digital transformations across every industry. And the biggest subset is Software-as-a-Service, or SaaS: currently, two-thirds of the entire public cloud services revenue, globally, is thanks to SaaS, which generated $167 billion USD in revenue in 2022.
In fact, companies used an average of 130 SaaS applications in 2022. And it’s not hard to see why.
The SaaS model enables customers with access to front-end application software and databases via a cloud delivery model—without the back-end responsibility for maintaining the hardware and infrastructure supporting the software. To use SaaS, companies typically pay a per-user or per-use fee to the SaaS company, which also typically includes regular updates, so customers are always able to use the most current version of the software.
This model also has the benefit of flexible and scalable costs, as companies can add or remove users as needs evolve, often get a price break based on volume of users and are protected from the capital expenditure that’s typically required to establish and maintain new software infrastructure, platforms, and licenses.
And it makes the modern workspace with hybrid and remote work environments highly flexible, fluid, and functional, as coworkers can collaborate seamlessly with ease from anywhere, at any time, and in the manner they work best.
Another benefit to SaaS apps? They’re incredibly easy to get started with. For example, let’s take everyone’s favorite pandemic-era communications app: Zoom.
Zoom’s “freemium” model means it’s free to sign up for and signing up can be done in just a few minutes; creating an account is as simple as filling out a simple form and creating a new password. But: it also requires a paid subscription for any calls longer than 40 minutes. It’s also now ubiquitous, which means even if your organization is officially paying for, licensing, and using another communications tool, Zoom is still likely in use at your company. It’s as simple as working with a vendor or partner who uses Zoom for virtual meetings, and your employees sign up so they can collaborate there. Perhaps they themselves will start to use Zoom more. It’s a small expense that can easily be thrown on a corporate card or expense report. And you may even have multiple employees across the company paying for separate Zoom accounts.
All unbeknownst to IT.
This is what’s referred to as “Shadow IT.”
What is Shadow IT?
Shadow IT is the general term for any technology in use at your organization that is "outside the ownership or control of IT", whether that's your in-house IT staff or your external IT partner—or both (Gartner). The explosion of cloud platforms and infrastructure, including the explosion in SaaS use, has equally fueled the exponential growth of Shadow IT.
But software isn’t the only source of Shadow IT: hardware is just as likely to be a source, especially with the growth in hybrid and remote work environments, as well as Bring-Your-Own-Device (BYOD) culture.
For example, a survey by Agency of 500 executives from companies with 500+ employees found this startling statistic: 97% of executive respondents access their work accounts from personal devices. 95% of them use their personal devices for work-related multifactor authentication—creating unanticipated vulnerabilities as they access sensitive business information or data using their personal devices. 58% of those respondents said their spouse or partner had access to that personal device; 38% said their children did.
Examples of common sources of Shadow IT include:
Cloud-based Software, including Software as a Service (SaaS)
Productivity + collaboration tools, including Microsoft Sharepoint, Slack, Trello, and Google Drive
Messaging + communications tools, including WhatsApp, Zoom, and Microsoft Teams
Cloud Storage and File-Sharing platforms, including Microsoft OneDrive, Dropbox, and Google Suite
Off-the-shelf software, although this has grown rarer as SaaS offerings have taken off
Hardware, including external hard drives, flash drives, tablets, and smartphones
Most of the time, employees are operating with the best of intentions when they’re using a tool that falls under Shadow IT. One of the biggest strengths of cloud services, SaaS apps, and our ability to always connect from any device, anywhere, is, well, just that: we can connect from just anywhere and most of the time, it’s incredibly easy. Everything is designed to be as frictionless as possible. So, often, employees have no idea their use of Shadow IT is even an issue. The most common reason they’re using it? They’re trying to find solutions to get their jobs done better and/or more efficiently. This can be especially prevalent if your business culture encourages an “Ask for forgiveness, not permission” philosophy.
While self-sufficiency, collaboration, efficiency, ease, flexibility, and use are all wonderful benefits to these platforms and cultural philosophies, Shadow IT is an issue because it operates outside of IT’s jurisdiction. Not only is it possible that some of these platforms do not meet IT’s security requirements, but it’s also critical to understand that you simply cannot secure what you don’t know about. And every added point of connection to your business and your network expands the potential attack surface, leaving your organization open and vulnerable to serious security risks—including compliance violations, customer data leaks, systems hacking, and more.
For instance, when an employee signs up for an app, are they being asked to share personally identifiable information (PII)? Sensitive financial details or proprietary intellectual property? Customer data? Are they sharing files via one of these apps? Sharing and storing data in the Cloud? And what happens if they leave the business, for any reason? If they were also creating and sharing files via, say, a personal Gmail account, would you still have access to those? Would they still have access to sensitive business details if or when they leave?
How to Take Control of Shadow IT
Leaving yourself open to vulnerabilities and attacks is incredibly costly: a report by Accenture found that the average cost of a cyber incident for organizations is $13M. Downtime means lost revenue but can also mean lost data, work, and time. It can also significantly damage your reputation with your own customers and lead to a loss of business. Depending on your business, disruptions can even mean life-threatening safety hazards.
This is why it’s critical to bring Shadow IT out of the shadows, where you can secure it.
This means you are starting with employee awareness.
Begin with Shadow IT Discovery: No matter the size of your business, these days, you have a lot of assets in your infrastructure. The first place to start is with a thorough discovery of every single application and device in use. Build an inventory, then examine the risks so you can determine how you’re going to manage them. A bonus to this discovery activity is that you’ll also uncover what’s known as SaaS sprawl: uncovering duplicate accounts and licenses so you can also reduce redundant tech and unnecessary spend.
Collaborate with Your Employees: One of the biggest advantages to a modern workspace with hybrid and remote work is the way it supports your employees to do their best work, however that looks. This has the dual advantage of elevating employee engagement rates: these types of policies and cultures take into account your employees’ needs and build policy around how your company can support them while protecting the business needs. Shadow IT then, in that way, represents another opportunity to loop your employees into the critical issue at hand. Educate them on the security risks associated with Shadow IT and then communicate to them that your goal is not to take away the tools they’re using: it’s to get a handle on everything in use, understand your employees’ perspective and how or why they’re using them, then together—with the guidance of IT—determine a path forward to securing them.
Freedom with Limits: In that same vein then, a comprehensive IT policy sets the security requirements your organization has for devices, SaaS apps, cloud platforms, and every other type of technology in use, and then communicates clearly to employees which tools meet those requirements.
Working towards a Secure-by-Design Posture: The path from Shadow IT discovery to employee education, policy design and enforcement represents one from reactive security to a posture that’s secure-by-design. In other words, it enables you to move to a proactive security approach at your business where security is your constant mindset: it’s baked into everything you do, every tool you evaluate and eventually, select to use. Because the strongest, most resilient security posture is one that protects you at every step and sets you up so you’re ready to respond immediately when—not if—a security incident happens.
One Layer of a Modern, Comprehensive, Secure-by-Design Posture
Security is complex: as we’ve discussed, every increase in digital transactions, connected devices, remote working, cloud computing, etc., adds up to an ever-expanding attack surface. You need to know about every asset that needs securing and everything must work together seamlessly to secure it; you cannot simply implement a few disparate tools and hope everything will be covered.
Securing Shadow IT is one piece of a layered approach—not to mention, it must be a continuous process. To learn more about what’s needed to best protect your business, download The Modern Guide to Building a Layered, Secure-by-Design Posture for Your Business.