Shadow IT Risks: How to Safeguard Your Organization & Navigate the Storm

By Ben Pippenger, CSO at Zylo

Managing software can pose a real challenge for organizations. Today, anyone and everyone is a software buyer — individual employees and business units can purchase the tools they need to get their jobs done. And while there are certainly benefits to that, this decentralized purchasing makes tracking and monitoring those applications a constant challenge.

In fact, unauthorized use of software within an organization — known as Shadow IT — can present some serious risks to your organization, such as security issues, financial inefficiencies and a poor employee experience.

Shockingly, 37% of software is purchased by employees. Yet it’s not all doom and gloom. IT teams can regain control of their software stack to mitigate the risks of Shadow IT, improve employee productivity and save money.

Decoding the impact of Shadow IT

Not all Shadow IT is bad, as it comes with its potential risks and rewards. Shadow IT, often referring to expensed SaaS purchases, arises when employees independently acquire tools and technologies, which employers may reimburse. This practice usually operates outside the purview of the IT department. While Shadow IT can spark innovation by inspiring employees to explore new methods and tools, it also presents security, financial and cultural risks. 

Gartner’s 2022 Market Guide for SaaS Management Platforms warns us that organizations lacking centralized SaaS lifecycle management are five times more vulnerable to cyber incidents and data losses due to misconfiguration. Striking the right balance between safeguarding our organizations and enabling creativity and innovation is the best way to nurture a dynamic and resilient business environment.

Proper, centralized visibility can help organizations understand the full scope of their security posture while allowing employees to discover innovative software in a more controlled way. This approach also reduces messy purchasing processes while improving the employee experience. 

SaaS management platforms provide companies with central visibility into all their applications, enabling flexibility for different organizations to handle their SaaS in unique ways that align with business goals. This visibility ensures that your marketing team, for example, can explore, purchase and manage their own tools while providing finance and procurement with the necessary insights for budgeting, forecasting and cost analysis. Meanwhile, this visibility enables IT to address pressing security concerns, vetting every application being used and understanding what data is going into each system. By embracing a SaaS management platform, organizations can find the sweet spot to greatly reduce security risks while safely promoting innovation and digital exploration.

The trouble with Shadow IT

Many organizations today don’t have complete visibility into the full scope of their software portfolio, leaving them vulnerable to security risks. You can’t secure what you don’t know about. While some major applications may be known and monitored, the presence of Shadow IT poses an additional layer of risk. Nearly 7 in 10 organizations have experienced Shadow IT-related compromises in the past year, exposing potential vulnerabilities and data breaches.

Think about it. Most organizations can see the data flowing through major apps like Salesforce, Google Workspace and Slack. But what about the tools you don’t know about? The rogue DocuSign account that your sales team purchased? Or the password manager used by that one person on the accounting team? These shadow IT tools can pose a security risk, as they’re not subject to the same controls as approved, vetted applications. 

Such oversights can have far-reaching consequences. The infamous Coca-Cola trade secret theft case offers a stark reminder of the risks involved. An engineer used Google Drive — an unapproved platform — to facilitate the theft of valuable intellectual property. While this insider acted maliciously, his actions demonstrated how even the most innocuous choices can have devastating consequences, jeopardizing a company’s competitive advantage, financial stability and reputation.

A lack of data loss prevention procedures adds further complexity to the security landscape. Nearly two-thirds of companies have 1,000+ sensitive files available to every employee, presenting potential opportunities for human error and data mishandling. These hidden and unmanaged software tools become possible entry points for malicious actors, expanding the organizational attack surface and exposing organizations to bad actors.

In addition to data loss prevention measures and prioritizing cybersecurity training, establishing software visibility is key to fortifying your organization against security risks. Software governance involves creating rules, processes and requirements that regulate an organization’s software acquisition, use and management. By implementing software governance frameworks, institutions can ensure complete visibility into their software ecosystem, guarantee that only secure and authorized applications are used, and reduce security risks and potential vulnerabilities. Embracing a comprehensive approach to software management is crucial to minimizing security risks and ensuring a robust defense against potential threats.

Balancing innovation and security amid Shadow IT

Organizations that expense already-purchased tools not only expose themselves to security risks with Shadow IT but also face significant financial risks from redundancy and inefficient purchasing. 

Redundant purchases occur when employees buy tools that the organization already has a solution for, such as purchasing a project management tool when there are existing options in the portfolio. Organizations can avoid redundancy by collaborating with security experts to thoroughly vet the safety of these tools and approve them for employee access. IT or procurement professionals can also proactively prepare a list of alternative, standardized or already available tools for employees seeking specific functions for their work. 

Furthermore, organizations can drive efficient purchasing by pooling purchasing power. For example, instead of different groups acquiring separate subscriptions for a tool like SurveyMonkey, organizations can negotiate better pricing and contract terms through an enterprise agreement that covers the entire organization. This way, not only are potential cost savings unlocked, but organizations also ensure they use trusted and secure software solutions that align with their established standards and requirements. Taking this comprehensive approach empowers organizations to navigate the financial complexities of Shadow IT while bolstering their security posture.

Elevating the employee experience

Enhancing the employee experience goes beyond providing the right tools and technology. Employees who resort to Shadow IT are almost never acting with malicious intent; they simply want to get their work done efficiently. And providing the right tools to accomplish that goal enhances productivity and job performance while increasing overall satisfaction and engagement. To encourage better digital corporate citizenship, taking a few proactive steps that foster a collaborative and supportive work environment is essential.

First and foremost, giving employees visibility into the software available to them is a game-changer. By showcasing what’s been standardized and vetted by IT, we can empower employees to make informed decisions about the tools they use. However, we also recognize that unique needs may require exceptions. That’s where a well-defined process to handle those exceptions comes in handy. Employees and business units can present their case for why a particular app should be added to the organizational portfolio.

Smart policies play a pivotal role in shaping employee behavior. Every organization is different, so tailor-made policies are crucial. Some organizations set spending thresholds, ensuring that any software purchase above a certain amount goes through a software review board and requires CIO approval. Others have eliminated rogue software purchasing by discontinuing reimbursements for apps bought outside approved channels.

But the key to keeping Shadow IT in check is simple: Maintain visibility. Whether you adopt strict policies or encourage some level of flexibility, understanding the ebb and flow of software in your organization is vital. With comprehensive visibility, you can stay ahead of the game, adapt your approach to Shadow IT and keep it from becoming a problem in your organization. By fostering a culture of collaboration, transparency and smart governance, we can elevate the employee experience, ensuring a thriving and productive workplace where employees feel supported and empowered to give their best.

About the Author

As Chief Strategy Officer, Ben is responsible for shaping and driving Zylo’s corporate strategy by monitoring and analyzing key market trends. As a Zylo co-founder, he is passionate about the power of SaaS and helping organizations understand how they can manage, measure and maximize their investments for greater business impact. Ben is a self-proclaimed SaaS geek, with more than 20 years of B2B software experience and a recognized SaaS and software management thought leader. Before founding Zylo, Ben held leadership roles in product and account management at Salesforce and ExactTarget.