The Secret Threat Hiding in Your SaaS Stack: Shadow IT
2024-07-03 15:57:12 Author: securityboulevard.com

Organizations increasingly rely on Software-as-a-Service (SaaS) applications to power their business operations, for cost savings, scalability and more. While SaaS apps enable better business operations, a secret threat is hiding in your SaaS stack: “Shadow IT.”

Shadow IT refers to the use and purchase of software applications and systems without the knowledge, approval, or support of an organization’s IT department.

For example, employees could sign up for and start using SaaS applications that help them do their jobs more efficiently. They may subscribe using a personal credit card or free trial and get to work, not seeing any need to go through the red tape of involving IT.

Shadow IT Risks

The real risks posed by shadow IT are significant and cannot be ignored by organizations. When an organization’s IT is in the dark about which applications are being used by employees to store and process company data, it becomes nearly impossible to secure that data and ensure compliance. Sensitive customer information, financial records, employee details and intellectual property have the potential to be exposed in the event of a breach. This could lead to financial losses, legal liability and significant damage to a company’s reputation.

With the proliferation of publicly available generative AI applications, IT departments face an even greater threat. IT may have no central view of the points where such tools enter the environment, and therefore nowhere to apply damage-control actions. In addition, if employees use company data to train ChatGPT or other external models, it could lead to a data privacy breach.

Shadow IT can also lead to wasted spending, as different teams and departments subscribe to their own SaaS tools, often with overlapping functionality. The company ends up paying for multiple project management platforms, CRM systems, and cloud storage services when a single vetted solution would suffice. Gartner estimates that a whopping 30-40% of IT spending in large enterprises is on shadow IT.

Shine a Light on Shadow IT

How is shadow IT allowed to proliferate unchecked? Often, it’s due to a lack of clear policies around SaaS adoption and use. When employees don’t understand what is and isn’t allowed, and there are no ramifications for going rogue with SaaS, shadow IT can spread like wildfire. Speed and ease of access play a role as well. If employees perceive the IT approval process for new software to be too slow or cumbersome, they are more likely to circumvent it altogether.

So what can IT departments do to shine a light on shadow IT and mitigate its risks? Here are just a few ways to get you started:

1. Discovery and Visibility: You can’t manage what you can’t see. Today, modern SaaS management platforms can detect all apps in use across the company via multiple means, including an authentication layer (e.g., SSO), an expense layer (e.g., finance apps, contracts) and a browser layer (to catch user access outside the SSO application), which together provide a centralized source of truth for apps, users and access.

2. Policies for Usage: To mitigate the risks associated with shadow IT, businesses should implement clear policies and procedures for SaaS usage, educate employees on the potential risks of using unauthorized software, and monitor SaaS usage to detect any unauthorized activity. Usage tracking should be automated through dedicated applications and org-level policies, so that when a policy is violated you can take defined actions such as notifying the users, app owners or reporting managers and asking them to remove themselves from the app.

3. Access Control and Remediation: Put identity and access management (IAM) solutions in place for control over employee SaaS accounts. The best way to control access to these applications is by augmenting IAM with secure remediation controls. Examples include temporarily logging users out or shutting down devices automatically through integrations with endpoint management systems. You can also require single sign-on for any approved app, which enables IT to easily deprovision access when employees depart the company and to monitor for suspicious login activity that could signal a compromised account.
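The three discovery layers in step 1 and the policy actions in step 2 can be wired together into a small correlation job. The following is an added example written for this page, not code from the article or from any SaaS management product. The SSO, expense and browser records, the app catalog and the sanctioned-app list are all constructed sample data; in a real deployment they would come from the identity provider’s sign-in log, the expense system, and a browser extension or proxy. The job flags apps that appear only outside the authentication layer (shadow IT) and, for sanctioned apps, users seen in the browser layer who never signed in through SSO.

```python
"""Shadow-SaaS discovery across an SSO, expense and browser layer.

Added example, not code from the article or any vendor: it correlates
constructed SSO, expense and browser records against an app catalog that
IT is assumed to maintain, then flags shadow apps and SSO bypass.
"""
from collections import defaultdict

# --- Constructed sample inputs (not real data) ---------------------------
SSO_LOGINS = [                       # authentication layer (IdP sign-in log)
    {"user": "alice@example.com", "app": "Salesforce"},
    {"user": "bob@example.com", "app": "Slack"},
]
EXPENSES = [                         # expense layer (expense reports, contracts)
    {"user": "carol@example.com", "vendor": "Notion Labs", "amount": 10.0, "card": "personal"},
    {"user": "bob@example.com", "vendor": "Slack Technologies", "amount": 800.0, "card": "corporate"},
]
BROWSER_EVENTS = [                   # browser layer (extension/proxy: SaaS hosts visited)
    {"user": "carol@example.com", "host": "www.notion.so"},
    {"user": "dave@example.com", "host": "chat.openai.com"},
    {"user": "alice@example.com", "host": "login.salesforce.com"},
    {"user": "erin@example.com", "host": "login.salesforce.com"},  # erin has no SSO login
]

# Assumed: a catalog IT maintains, mapping vendor names and domains to one app name.
APP_CATALOG = {
    "Salesforce": {"vendors": {"salesforce"}, "domains": {"salesforce.com"}},
    "Slack": {"vendors": {"slack technologies"}, "domains": {"slack.com"}},
    "Notion": {"vendors": {"notion labs"}, "domains": {"notion.so"}},
    "ChatGPT": {"vendors": {"openai"}, "domains": {"openai.com", "chatgpt.com"}},
}
SANCTIONED = {"Salesforce", "Slack"}  # approved by IT and expected to sit behind SSO
LAYERS = ("sso", "expense", "browser")


def app_for_vendor(vendor):
    """Map a free-text vendor string from an expense line to a catalog app."""
    v = vendor.lower()
    for app, meta in APP_CATALOG.items():
        if any(name in v for name in meta["vendors"]):
            return app
    return None


def app_for_host(host):
    """Map a visited hostname to a catalog app by exact or subdomain match only,
    so a lookalike such as evil-salesforce.com is not attributed to Salesforce."""
    h = host.lower().rstrip(".")
    for app, meta in APP_CATALOG.items():
        if any(h == d or h.endswith("." + d) for d in meta["domains"]):
            return app
    return None


def build_inventory(sso=SSO_LOGINS, expenses=EXPENSES, browser=BROWSER_EVENTS):
    """Merge the three layers into one record per app: users seen per layer plus spend."""
    inv = defaultdict(lambda: {"users": {l: set() for l in LAYERS},
                               "spend": 0.0, "personal_card": False})
    for rec in sso:
        inv[rec["app"]]["users"]["sso"].add(rec["user"])
    for rec in expenses:
        app = app_for_vendor(rec["vendor"])
        if app is None:
            continue  # unknown vendor: in practice, queue it for manual review
        entry = inv[app]
        entry["users"]["expense"].add(rec["user"])
        entry["spend"] += rec["amount"]
        entry["personal_card"] = entry["personal_card"] or rec["card"] == "personal"
    for rec in browser:
        app = app_for_host(rec["host"])
        if app is not None:
            inv[app]["users"]["browser"].add(rec["user"])
    return dict(inv)


def classify(inventory, sanctioned=SANCTIONED):
    """Label each app and attach the follow-up action the usage policy calls for."""
    findings = {}
    for app, e in inventory.items():
        users = e["users"]
        # Sanctioned apps should only be reached via SSO; browser-only users bypassed it.
        bypass = sorted(users["browser"] - users["sso"]) if app in sanctioned else []
        if app not in sanctioned:
            status, action = "shadow", "notify users and their managers; route to IT review"
        elif bypass:
            status, action = "sso-bypass", "enforce SSO for " + ", ".join(bypass)
        else:
            status, action = "sanctioned", "none"
        findings[app] = {
            "status": status,
            "action": action,
            "users": sorted(set().union(*users.values())),
            "layers": sorted(l for l in LAYERS if users[l]),
            "spend": e["spend"],
            "personal_card": e["personal_card"],
            "bypass_users": bypass,
        }
    return findings


if __name__ == "__main__":
    for app, f in sorted(classify(build_inventory()).items()):
        print(f"{app:<11} {f['status']:<11} layers={f['layers']} "
              f"users={f['users']} action={f['action']}")
```

Two design points are worth noting. Hostname matching is restricted to exact or subdomain matches so that a lookalike domain is never credited to a sanctioned app, and an expense line whose vendor is not in the catalog is left for manual review rather than silently dropped, since an unrecognised vendor is itself a shadow IT signal. The "personal card" flag surfaces exactly the subscription pattern the article describes, where an employee signs up with their own card and never involves IT.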

While shadow IT sounds intimidating and difficult to tackle, by proactively managing SaaS and engaging with the business, IT can prevent shadow IT from undermining the organization’s security and efficiency. Don’t let shadow IT continue to lurk in the darkness!


Source: https://securityboulevard.com/2024/07/the-secret-threat-hiding-in-your-saas-stack-shadow-it/