The staying power of shadow IT, and how to combat risks related to it

There was a time, not too long ago, when most IT leaders believed shadow IT was a negligible element in their companies. They felt their IT organizations were so in control of what applications were purchased and who was granted access and that minimal adoption occurred without their knowledge.

Those were the days when centralized IT was the norm, and the idea of business-led technology acquisition wasn’t thought to be realistic. “Not happening in my backyard,” was the belief (if not the policy).

As the pandemic drove companies to adopt cloud apps so that remote workforces could continue to do their jobs – and as employees necessarily became more independent and felt empowered to purchase the apps they wanted – the awareness of shadow IT’s existence changed.

Organizations today are very aware that shadow IT exists in their “backyard”, and that the more unknown apps and uncontrolled access they have, the bigger their attack surface is. But they’re still surprised that they often have 2 times or more cloud apps than they believe they have.

Why shadow IT remains underestimated

Today’s volatile economy is putting more pressure on companies to reduce their IT spend. With SaaS adoption and spending having spiraled largely unchecked, many organizations are starting to put more emphasis on finding and eliminating redundant and under-utilized applications, unnecessary access, and wasted licenses. This has made getting a handle on shadow IT a priority.

That’s good news for security, but doing it is difficult to do in today’s distributed workplaces. It’s been estimated that more than 50% of IT application acquisition is now business-led, and that the average company still adds 18-20 new applications every month to its portfolio. The majority of these are acquired without IT’s or procurement’s knowledge – not for any nefarious reasons. Employees are simply laser-focused on doing their jobs well. They know what tools they require better than IT or procurement would know. And waiting for IT or procurement to go through their evaluation and acquisition processes would take longer than these users are willing to wait.

The problem, when it comes to uncovering shadow IT, is that information about what applications exist and who has access to them is spread across a company, in many different silos. It lives in the files of sometimes hundreds of business application owners – end-users in marketing, sales, customer service, finance, HR, product development, legal and other departments who acquired the applications.

How do most organizations go about finding this data? They send emails, Microsoft Teams or Slack messages to employees asking them to notify IT if they have purchased or signed up for a free app, and who they’ve given access to (and hope everyone will respond). Then IT manually inputs any information they get into a spreadsheet. Of course, with applications being continually added and user access changing daily, it’s impossible for any human to keep on top of this. Those spreadsheets are out of date almost the moment they’re created or updated.

Single system of record

What’s needed is a single, reliable system of record: a centralized place that contains current information about every application, its users, usage, risk profile, and status as sanctioned or unsanctioned.

The data must be automatically and continuously collected and normalized. It must be made available to all SaaS management stakeholders, from the people who own and must therefore take responsibility for managing their apps, to IT leaders and admins, IT security teams, procurement managers, and more.

SaaS Management Platforms (SMPs) are increasingly being used to automatically discover known and shadow IT apps and their associated users, usage, costs and risks. Some SMPs provide advanced role-based access that makes it even easier for SaaS stakeholders to uncover the data they specifically need and take targeted actions.

With real-time information about new and existing shadow IT and sanctioned applications and users available at their fingertips, IT and IT security teams can confidently rely on this data as their single source of truth. They can easily see applications that are at-risk due to being unsanctioned and/or being accessible by former employees and contractors who were never offboarded. And they can take actions to evaluate unsanctioned applications and remove licenses from unauthorized users.

Cybersecurity training needs more attention

Having a reliable system of record for application-related information is essential. But to combat cybersecurity vulnerabilities, it must be paired with educating company employees on what they should personally do to help minimize risks. For instance, how to recognize and avoid falling for phishing attacks, and why acquiring and integrating applications without IT and security teams’ knowledge puts the company at risk.

But a recent Torii survey found that only 15% of IT leaders and managers rated security training and education the strongest weapon in their cybersecurity arsenal.

Remote workforces make companies even more vulnerable – and 80% of employees are working either entirely remotely or in hybrid environments, according to a survey conducted by Gallup. Additionally, Hornet Security found that 33% of companies are not providing any cybersecurity awareness training to users who work remotely, highlighting the gaps organizations face when prioritizing security.

Business-led IT is here to stay and so are shadow IT applications. If your company doesn’t already have a way to automatically discover all cloud apps and users and isn’t stringent about cybersecurity training for all employees, now is the time to put these tools and practices into place.