It’s no secret that the transition to hybrid work significantly increased the risk of security threats. In fact, 74% of security leaders report seeing more attacks since the start of the pandemic.
One element that can put your organization at risk for such a security breach is shadow IT — business applications used by employees without the IT team’s knowledge. Because these tools are unknown, they circumvent normal risk assessment processes and can potentially introduce serious threats to the organization’s technology ecosystem.
Businesses with hybrid operations run a greater risk of shadow IT. So, as companies navigate the future of work, IT security teams need to develop a SaaS management strategy to mitigate and address their shadow applications. By managing SaaS applications more closely, IT leaders can mitigate the security and compliance risks shadow IT poses to their organizations.
The dangers of unregulated applications
SaaS purchasing rose 26% YOY during the initial months of COVID-19, as employees adopted new tools to manage their digital responsibilities, collaborate with coworkers and connect with customers. To be fair, the adoption of cloud-based applications was already on the rise before the pandemic, largely due to the efficiency and productivity gains that can be achieved using SaaS solutions.
SaaS offers tremendous value to organizations, but unmanaged SaaS growth introduces additional risk. Unregulated SaaS bypasses the vetting procedures IT normally uses to maintain security and compliance. Vetting steps that get skipped may include penetration testing, intrusion detection, coverage by security information and event management (SIEM) systems, and threat log management. Shadow applications are also less likely to be integrated with user-based security controls (such as single sign-on platforms).
The lack of vetting and control places organizations at a higher risk of a data breach. One in five organizations has suffered a data breach due to shadow IT. And the consequences are costly. According to estimates from the Ponemon Institute, the average breach costs over $8 million.
It’s important to recognize that shadow IT also makes your organization more vulnerable to non-compliance risks. Regulations like HIPAA, GDPR and CPRA specify how companies can use, store or transfer consumer data — and shadow applications that fail to comply with these regulations could cost you tens of millions of dollars in fines.
How do you solve a problem like shadow SaaS?
Exactly how widespread is the problem of shadow IT? Well, it’s easier than ever for an employee to adopt SaaS without the IT team’s knowledge. All they need is a credit card — that’s why organizations average over 600 applications and on average gain 10 new applications monthly. Even in organizations that prohibit the expensing of software, we’ve found that employees will misclassify the purchase, and neither finance nor IT has the tools to detect these renegade applications.
Widespread, decentralized purchasing is clearly the primary driver of shadow IT. Alarmingly, IT controls only a quarter of all applications and 42% of SaaS spending. This means the majority of applications enter an organization’s tech environment without IT’s knowledge and exist as shadow IT.
To make matters worse, very few organizations have an established shadow IT discovery process. Often, IT teams create a spreadsheet to inventory their SaaS and manage applications through manual methods. These processes include surveying employees, pulling cloud access security broker (CASB) reports and analyzing purchasing data. But even the best-kept manual inventories are burdensome, go out of date quickly, and fail to uncover all shadow applications in use in the organization.
While it may be tempting to restrict SaaS purchasing to only IT or procurement, it’s an unrealistic strategy. For starters, it’s impossible to prevent employees from accessing applications while using a public network – and as mentioned above, employees will often find a workaround. But it’s also bad for business. Nearly all employees (97%) say they’re more productive when they’re allowed to use their preferred technologies. And 77% believe their organizations could gain a competitive edge if leaders were more open to finding tech solutions.
The solution to shadow IT isn’t to cut back on SaaS — and consequently miss out on gains in productivity and innovation. Rather, your organization needs to identify better ways to detect and govern the shadow applications your employees are using.
How to develop a SaaS management strategy that eliminates shadow IT in a hybrid work environment
A SaaS management strategy can help eliminate shadow IT while empowering employees to use their preferred technologies. By following these steps you can create a SaaS management strategy that will help your organization stay innovative, secure and compliant in the hybrid work era:
1. Uncover all cloud-based applications.
As discussed earlier, tracking applications in a spreadsheet is time-consuming and inaccurate. A better alternative is to leverage a SaaS management platform with a discovery solution powered by machine learning. These solutions integrate with your expense management systems, like Expensify and NetSuite, to identify SaaS purchases as they’re made – even if the purchase is misclassified – so you can then vet them for security and compliance. Some platforms even compile important information — like contract renewal dates, terms of agreement and application utilization — to help you maintain oversight.
2. Build relationships with SaaS buyers.
The next step is to form relationships with SaaS buyers. Over a third of employees say their organization lacks clarity on the consequences of using technology without IT approval. By educating employees on security risks and best practices for technology acquisition, you can minimize shadow IT at the source.
Collaboration between SaaS buyers and IT can also improve your organization’s digital transformation efforts. IT can work with business leaders to identify common problems, inefficiencies and the best SaaS solution. This ensures digital transformation efforts aren’t siloed and technologies will support cross-departmental collaboration.
3. Define strategy for ongoing SaaS governance.
Considering that organizations average hundreds of applications, you’ll want to develop processes that streamline SaaS management. Assign responsibilities across your IT team to ensure SaaS management is an ongoing priority. Additionally, set up an approval workflow for any new SaaS tool — especially if it needs to be reviewed by stakeholders outside of IT.
Lastly, decide which applications will receive direct IT support and which will be vetted by IT, but remain managed by employees or business units. Categories can range from IT-owned (mission-critical tools) to department-owned (function-specific tools) to employee-owned (role-specific tools). This ensures technology managers can reserve their efforts for the most important tools while still preventing shadow IT.
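The discovery step (step 1) depends on spotting SaaS purchases in expense data even when the purchase is filed under the wrong category. As an added illustration, not code from the original post or from any SaaS management product, the Python below runs two simple heuristics over a constructed expense export: a match against a known-vendor list, and a roughly monthly recurring charge from the same cardholder. The column layout, the vendor list and the 27 to 32 day recurrence window are assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import date

# Constructed sample expense export (assumed column layout, not any vendor's schema).
EXPENSE_CSV = """date,merchant,amount,category,submitter
2023-01-05,Figma Inc,15.00,Office Supplies,alice
2023-02-05,Figma Inc,15.00,Office Supplies,alice
2023-01-12,Trello.com,10.00,Software,bob
2023-02-20,Airline Co,420.50,Travel,carol
2023-01-15,Notion Labs,8.00,Meals,dave
2023-01-20,Acme Cloud Svc,49.00,Office Supplies,erin
2023-02-19,Acme Cloud Svc,49.00,Office Supplies,erin
"""
# Hypothetical vendor list an IT team would maintain; real lists are far longer.
KNOWN_SAAS_VENDORS = {"figma", "trello", "notion", "slack", "zoom"}
def load_expenses(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"])
        row["date"] = date.fromisoformat(row["date"])
        rows.append(row)
    return rows

def is_recurring(dates, min_charges=2):
    """True if the same charge repeats at roughly monthly intervals (assumed 27-32 days)."""
    dates, run = sorted(dates), 1
    for prev, cur in zip(dates, dates[1:]):
        run = run + 1 if 27 <= (cur - prev).days <= 32 else 1
        if run >= min_charges:
            return True
    return False
def find_shadow_saas(rows, vendors=KNOWN_SAAS_VENDORS):
    """Return (merchant, submitter, reason) for likely SaaS charges not filed as Software."""
    groups = defaultdict(list)
    for r in rows:  # one subscription = same merchant, amount and cardholder
        groups[(r["merchant"], r["amount"], r["submitter"])].append(r)
    findings = []
    for (merchant, _, submitter), charges in groups.items():
        if charges[0]["category"].lower() == "software":
            continue  # already visible through IT's normal software review
        if any(v in merchant.lower() for v in vendors):
            reason = "known SaaS vendor"
        elif is_recurring([c["date"] for c in charges]):
            reason = "recurring monthly charge"
        else:
            continue
        findings.append((merchant, submitter, reason))
    return sorted(findings)
```

Each finding is a lead for the vetting described above, not a verdict; a recurring charge can also be a parking pass, so IT still confirms with the submitter before adding the tool to the inventory.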
SaaS is on the rise, but shadow IT doesn’t have to be
Shadow IT, in the form of unknown, ungoverned applications, is certainly something security leaders should eliminate. However, recognizing that your employees are better suited to make their own technology investments will help your organization be more effective.