The hidden risks of shadow IT
December 16, 2024
7 minute read

If you're like most organizations today, your employees use an unknown number of SaaS apps. Sometimes an app is approved by IT; other times it's not. Since this is something every IT organization grapples with, here we discuss some of the hidden risks of shadow IT in the SaaS stack, why IT shouldn't dismiss them, and how to mitigate them.
What is shadow IT?
At its most basic, shadow IT occurs when anyone in your organization uses IT-related resources without the involvement or knowledge of IT or security. Naturally, it includes cloud services, software, and even hardware. Those notorious Bring Your Own Device (BYOD) products like tablets, smartphones, and thumb drives are good examples.
Now that security and IT teams have successfully managed BYOD, today's main source of shadow IT is SaaS.
What makes employees turn to shadow IT
Most employees simply don't think about the risks associated with SaaS. They're looking to become more efficient or meet specific project needs, so they get down to business and subscribe to a new SaaS tool. Without engaging IT, they sign up, agree to the app's lengthy list of terms and conditions, and away they go.
With a pressing task at hand, most of these employees are well-meaning. Yet they're blissfully unaware of OAuth abuse, an app's inappropriate data read/write policies, or potentially onerous renewal or cancellation terms.
Well-intended ignorance, of course, isn't the only reason employees leave IT out. Unfortunately, some employees may want to circumvent policies or rules with malicious intent, aiming to compromise sensitive corporate data or even introduce security vulnerabilities.
Frictionless SaaS buying enables shadow IT
All it takes is a credit card and a few minutes to create an account. In fact, the 2022 G2 Software Buyer Behavior Report found that 56% of North American organizations actually prefer using a credit card to buy SaaS.
Grabbing the card still makes up a substantial portion of SaaS sales in other regions, too: 41% of organizations in EMEA and 40% in APAC tend to buy using a credit card.
Since employees can buy it so easily, SaaS accounts, and the organizational data inside them, largely grow unknown and unchecked by IT.
And when those employees leave? All too often, with no SaaS system of record, those licenses linger unused with only an invoice to pay... while a new employee steps in and probably buys yet another license.
Four hidden risks of shadow IT
For too many organizations, if there is a single SaaS system of record at all, it's a spreadsheet.
Spreadsheets may be a good place to start, but they have drawbacks. Someone must still manually add every tool employees use, include the key contract dates, and keep it all up to date by hand.
Over time, though, what happens to that important spreadsheet?
As employees and IT staff turn over, it loses continuity, and some people are less vigilant about updating it. Your spreadsheet-based SaaS system of record then ends up as its own unmanageable, worthless, risk-laden mess.
So, as a cautionary tale, it's important to understand the hidden risks of shadow IT, which fall into four categories:
- Operational
- Security
- Compliance
- Financial
Left unchecked, these four major risks only continue to grow, and their consequences amplify.
Risk 1: Shadow IT is an operational nightmare
SaaS apps in the shadows, by their very nature, aren't supported by IT. If IT doesn't even know that employees use a given app, it certainly can't give them the support they need to make the most of the app's features and functionality.
Wasted time
In many cases, without organizational and IT support, an app is only a bill to pay that doesn't add value. Too many users abandon an app that is "too hard to use" and simply move on to the next one.
The result? Users spend too much time trying to learn software and not enough getting work done.
The organization loses twice: employees aren't maximizing productivity, and there's no return on investment for those long-forgotten apps.
Data silos and no backups
Another operational risk relates to corporate data. When data is stranded in an app IT doesn't know about, IT can't back it up, which can lead to data loss. Nor can the organization take advantage of the data resources within that app. Gone are opportunities to share data, collaborate, and find new operational efficiencies.
Contract sprawl
Shadow IT creates another operational inefficiency: contract sprawl. SaaS vendor contracts should be added to a centralized SaaS system of record when the subscription starts. Tracking them all down afterward is very time-consuming, and not the best use of IT's time.
Risk 2: Shadow IT poses a multi-faceted security risk
Without IT or security approval, an employee can adopt a new SaaS app that unwittingly brings a new and costly security threat or compliance violation.
In mere minutes, an unsanctioned SaaS app can bring:
- Unauthorized data collection. The new app your user signed up for might have improper data read/write permissions; collect and store sensitive data; or integrate with another app that stores your organization's sensitive data. It could also have overly broad OAuth permissions that give it unfettered access to sensitive corporate information. Any one of these could compromise your organization's data and security posture.
- Inappropriate file sharing. With unknown apps, IT can't view or control file sharing. As any IT team knows, links are subject to both accidental and intentional sharing. Users can share sensitive data to their personal accounts. They can also accidentally share sensitive data with rogue actors, simply because a file sharing setting was left public. With no visibility and no way to detect it until it's too late, IT can't even revoke improperly shared files.
- Security vulnerabilities. Software that isn't approved by IT may have unpatched vulnerabilities and security errors. Hackers work diligently to identify application weak spots and, once they find one, steal app access privileges, intellectual property, credit card data, customer lists, or other sensitive data. Because IT doesn't know about the app, it certainly can't know about these vulnerabilities or manage the risk.
- Security policy violations. There might be SaaS in your stack that doesn't meet IT's documented security policy requirements. For example, the app might rely on security technology or processes that don't meet your company's standards.
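As an added illustration of the first two bullets (overly broad OAuth permissions and file-sharing settings left public), here is a small Python audit a defender could run over an exported SaaS inventory. It is example code written for this article, not BetterCloud's product code. The scope names, the visibility values and the inventory records are constructed assumptions; real identity providers and SaaS platforms use their own scope strings and expose grants and shares through their own admin APIs.

```python
"""Flag unsanctioned apps, broad OAuth grants and public file shares.

Added example, not the vendor's code. BROAD_SCOPES, PUBLIC_VISIBILITIES and
the sample records below are constructed; substitute the scope strings and
export format of your own identity provider and SaaS platforms.
"""
from dataclasses import dataclass

# Assumption: scopes this organisation treats as "overly broad".
BROAD_SCOPES = {
    "drive.readwrite",      # read and write every file the user can reach
    "mail.readwrite",       # full mailbox access
    "directory.readwrite",  # modify users and groups
    "offline_access",       # long-lived refresh token, outlives the session
}

# Link visibilities that expose a file beyond the organisation's own domain.
PUBLIC_VISIBILITIES = {"anyone_with_link", "public"}


@dataclass(frozen=True)
class OAuthGrant:
    app: str
    user: str
    scopes: frozenset
    it_approved: bool   # True if the app went through IT/security review


@dataclass(frozen=True)
class FileShare:
    app: str
    owner: str
    path: str
    visibility: str     # "private", "domain", "anyone_with_link", "public"
    it_approved: bool


@dataclass
class Finding:
    kind: str
    app: str
    subject: str
    detail: str


def audit_oauth_grants(grants):
    """Flag grants that are unsanctioned, overly broad, or both."""
    findings = []
    for g in grants:
        broad = sorted(g.scopes & BROAD_SCOPES)
        if not g.it_approved and broad:
            findings.append(Finding("unsanctioned_broad_oauth", g.app, g.user,
                                    "broad scopes on an unapproved app: " + ", ".join(broad)))
        elif not g.it_approved:
            findings.append(Finding("unsanctioned_oauth", g.app, g.user,
                                    "app never reviewed by IT/security"))
        elif broad:
            findings.append(Finding("broad_oauth", g.app, g.user,
                                    "approved app with broad scopes: " + ", ".join(broad)))
    return findings


def audit_file_shares(shares):
    """Flag files whose sharing setting exposes them outside the organisation."""
    findings = []
    for s in shares:
        if s.visibility in PUBLIC_VISIBILITIES:
            kind = "public_share" if s.it_approved else "unsanctioned_public_share"
            findings.append(Finding(kind, s.app, s.owner,
                                    f"{s.path} visible to {s.visibility}"))
    return findings


def audit(grants, shares):
    """Run both audits and order the findings, most urgent first."""
    order = {"unsanctioned_broad_oauth": 0, "unsanctioned_public_share": 1,
             "broad_oauth": 2, "public_share": 3, "unsanctioned_oauth": 4}
    return sorted(audit_oauth_grants(grants) + audit_file_shares(shares),
                  key=lambda f: order[f.kind])


# Constructed sample inventory: fictitious apps, users and files.
SAMPLE_GRANTS = [
    OAuthGrant("note-taker-pro", "alice@example.com",
               frozenset({"drive.readwrite", "offline_access"}), it_approved=False),
    OAuthGrant("crm-suite", "bob@example.com",
               frozenset({"contacts.read"}), it_approved=True),
    OAuthGrant("mail-merge-tool", "carol@example.com",
               frozenset({"mail.readwrite"}), it_approved=True),
    OAuthGrant("weather-widget", "dave@example.com",
               frozenset({"profile"}), it_approved=False),
]
SAMPLE_SHARES = [
    FileShare("note-taker-pro", "alice@example.com", "/Q3-forecast.xlsx",
              "anyone_with_link", it_approved=False),
    FileShare("crm-suite", "bob@example.com", "/pipeline.csv",
              "domain", it_approved=True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, SAMPLE_SHARES):
        print(f"[{f.kind}] {f.app} / {f.subject}: {f.detail}")
```

The ordering puts unapproved apps holding broad scopes and public links on unapproved apps first, because those combine the two problems the list describes: nobody reviewed the app, and it already has wide reach into corporate data. An approved app with a broad scope still surfaces, since review does not make a full-mailbox or full-drive grant any narrower.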
Risk 3: Shadow IT poses a compliance risk
Related to security risk is compliance risk. Security violations that result from not following documented security processes are obviously noncompliance.
But what other compliance risks lurk in your SaaS environment? They largely differ by country, company, and industry, but there are some universal compliance requirements.
Data residency regulatory requirements
Some countries or US states may impose data location requirements. For example, GDPR requires that European customer data remains within Europe. In those unknown SaaS apps, you could be in violation of these regulatory requirements.
If caught, your organization is certain to face stiff penalties.
Documented app access approval processes
Many organizations are required to have a documented policy for app access approvals. Different apps will have different processes, requiring approvals from different people.
Think about a marketing application at a larger company. Assigning a licensed seat to a new hire requires approval from the hiring manager, the VP, and the CMO before it can be deployed. This is the documented process, and it's often automated to ensure IT and the company always follow it.
SaaS apps acquired outside of IT obviously don't follow these compliance requirements.
Shadow artificial intelligence (AI) apps
Your employees are no doubt using public large language models like ChatGPT or Gemini, as well as chatbots, copilots, and a host of other AI tools. It's important to know which apps are in use, so IT can evaluate the risks they might present, and which employees use them, so usage is properly monitored.
Sensitive data sharing violations
Depending on the industry, file sharing is restricted, even internally. For example, HIPAA requires that sharing be limited under its minimum-access provisions. Externally, it's limited to coordination of care or oversight.
This means file sharing governance is crucial to an organization's ability to protect data and stay compliant. If IT is unaware of a shadow IT SaaS app, it has no visibility into or control over the data within that app, creating a potentially large and expensive compliance risk.
Vendor compliance certification tracking
It's also essential to know and track the compliance certifications of your SaaS vendors.
Let's say your company is in the highly regulated finance industry. To comply with stringent industry standards, you must use SaaS vendors that themselves meet certain compliance requirements, such as SOC 2.
Furthermore, you're required to track your SaaS vendors' certification validity and expiration dates. You probably also need to keep all your SaaS vendor contracts in one place.
Again, SaaS bought outside official IT buying processes skirts all these requirements.
Risk 4: Shadow IT makes it hard to control costs
Without continually vigilant eyes, new SaaS app accounts multiply fast, and software expenses quickly spiral out of control.
Unnecessary spending
Thanks to that credit card, some employees can add your organization's third calendaring app and sixth project management tool.
Departing employees who were the business app owners can leave expensive licenses idle. And more likely than not, the next employee adds a new account for the exact same app, or something very similar, that is already in use somewhere in the organization.
Redundant accounts and duplicate apps that perform the same functions waste money AND prevent volume-based tier upgrades. With multiple small accounts, organizations lose out on better per-seat pricing, access to more capabilities, and premium support.
Accidental cancellations and renewals
Without the clear visibility of a SaaS system of record or a SaaS renewal process, it's time-consuming and hard to avoid costly "accidental renewals." It's equally difficult to prevent important renewals from falling through the cracks.
How can something this important happen?
SaaS sprawl comes with a sprawl of contracts and business app owners, and no two contracts are the same. Obscured in those contracts is a maze of different terms and conditions, key dates, and cancellation provisions.
Thus, keeping track of it all takes a lot of time, which is something finance, procurement, and IT teams usually don't have.
This, of course, leads to an inadvertently missed cancellation date. Then what happens? Your account automatically renews and you're on the hook to pay for another term.
Hard to achieve positive return on investment across SaaS stack
Redundant apps and accounts obviously have a lower return on investment than they would if consolidated. In addition, if employees use shadow IT apps, IT can't tell whether the organization's software investments are paying off.
Reducing risk of shadow IT in your SaaS stack
Reducing shadow IT requires the right technology, processes, and policies around SaaS.
For starters, there needs to be an official policy from top management. A corporate-wide mandate should require IT and security involvement in all SaaS purchases and renewals. While organizations should encourage employees to suggest new SaaS apps that will improve productivity, IT should always have a seat at the table.
When it comes to processes, shadow IT monitoring in the SaaS stack is not a "one and done" task. Rather, it's an ongoing activity for IT, and one that's impossible without technology to continuously discover the SaaS environment and manage it from a centralized admin console.
Next, reducing shadow IT risk requires a SaaS system of record that offers more than a spreadsheet. While spreadsheets may be a good place to start, they aren't a tool that helps manage the whole SaaS lifecycle: discovering and buying apps, then managing apps, users, budgets, contracts, files, and automations.
Enterprises of all sizes need an all-in-one SaaS management platform (SMP) that helps IT manage all aspects of the SaaS lifecycle. Only BetterCloud unifies SaaS spend optimization, user automation, and SaaS data governance in an easy-to-learn-and-use integrated platform.
Ready to learn more? Download the IT Leader's Mega-Guide to Saving on SaaS or grab a demo now.