Welcome to the SaaS-first era, where businesses are embracing a wide range of Software as a Service (SaaS) applications that revolutionize their operations. From email and CRMs to file sharing and AI tools, these SaaS solutions foster innovation, streamline workflows, and ultimately drive profitability. However, there’s a darker side to this tech frenzy: Shadow IT. And, unfortunately, the list of shadow IT examples and risks is only growing.
But so are the solutions that can help.
In this article, we’ll explore the world of Shadow IT, including examples, benefits, risks and solutions that can help IT teams get a handle on it.
But let’s start at the beginning: What is shadow IT?
Shadow IT definition
Shadow IT refers to any IT-related activities happening inside the organization but outside the purview of the official IT department. This includes systems, devices, software, applications, and services used without your explicit approval.
The biggest contributor to Shadow IT is the rise of web-based business applications. This includes sanctioned SaaS and many tools that are often not considered, but often house critical business data.
4 Shadow IT examples that could affect your organization
1. Unapproved communication tools
Let’s say that your organization’s approved communication platform is Microsoft Teams. However, George, the head of the development team, finds it annoying and prefers using Slack. He decides to switch his whole team to Slack without approval, making the free version of this web-based business application part of your shadow IT.
Such situations are not as unusual as you might think, especially since so many people are working remotely. According to Beezy’s 2022 Workplace trends and insights report, 32% of employees use unapproved communication and collaboration tools.
2. Personal devices used at work
Luke from sales loves his iPhone passionately. Instead of using company-approved devices that are subject to mobile app monitoring, he uses his personal phone for work purposes. He connects to the company infrastructure with his unsanctioned device and sets a trend for the rest of the department, resulting in one of the riskier examples of shadow IT.
3. Personal email for work
Luke still hasn’t learned his lesson. When he’s out in the field, he wants access to his emails because he’s highly focused on providing excellent customer support. However, your organization has security protocols blocking him from accessing his emails while he’s out of the office.
So, Luke uses his personal email account instead. Once again, because he’s such a trendsetter, the rest of the department follows suit. Think this doesn’t happen that often? Statista reveals that, in 2020, 42% of employees used their personal email for work without the approval of their employers.
4. Preferential software choices
Brianna from marketing prefers using a Kanban approach to project management, so instead of using the company-approved project management tool, she uses Trello. She invites her team to Trello and you end up with shadow IT as your entire marketing department switches to unsanctioned tools for daily use.
And it’s not just non-IT folks who are guilty of using shadow IT.
We all do it: quickly log in to get something personal done on the work computer, or hold onto that productivity tool we used at another organization. Statistics show that 58% of IT managers use unapproved tools, so how can we expect anything different from non-IT employees?
If you want to determine your organization’s shadow IT risk factor, take the quiz in the Modern Professional’s Guide to Shadow IT.
What causes these examples of shadow IT?
Why does this happen? How come people don’t go to IT to set up these tools?
According to a study by HP Wolf Security, 91% of teams feel pressured to compromise on security and focus on improving business operations. Of those teams, 50% felt significant pressure. This creates a challenge for employees looking to achieve their organizational goals but feeling as if IT is a roadblock.
Furthermore, in 2021, a report by Beezy revealed that 61% of employees were not completely satisfied with the tools and technologies their company provides. As a result, 40% turned to unapproved tools, even though 85% said they believed their company monitors what they are doing. The 2022 report showed that the situation didn’t improve significantly, with only 42% of employees being completely satisfied with the tech solutions provided by their companies.
So, one of the principal reasons that shadow IT examples abound appears to be that while most organizations are putting pressure on employees to innovate, some are not providing those same employees with the tools they need to do so effectively.
The increasing adoption of web apps has only exacerbated the issue. Our research shows employees are spending less time on desktop applications (38%) and more time on the web (62%) to get their work done, where they access critical business data through SaaS and web tools.
Now, assigning user permissions that block employees from installing applications on their devices is relatively simple to do. But unlike desktop applications, which can be controlled like keys to a locked cabinet, once any browser is installed, it has access to hundreds of thousands of applications like a master key to an entire city.
While it may initially seem innocuous, this unchecked proliferation of SaaS can become a serious security issue for organizations.
Shadow IT benefits: Top 3 reasons it’s so common
Before we look at the risks involved with the many shadow IT examples presented, it’s essential to understand why this phenomenon continues to expand.
Here are three significant benefits of shadow IT, aka reasons why organizations will sometimes turn a blind eye to the issue.
1. Shadow IT speeds up innovation
One of the main reasons employees turn to shadow IT is to become more efficient and effective. For example, your development team might opt to use GitHub over your organization’s approved coding tool because GitHub Copilot enables them to create code much faster with the help of AI.
This not only improves their productivity but also drives innovation in your organization. So, instead of working away on an app for months, it may take only three weeks, allowing for faster iterations and reducing time to market significantly.
2. Shadow IT boosts employee engagement and retention
Shadow IT can also improve employee satisfaction because they can choose the tools they prefer to use. Plus, since most turn to these tools to improve their effectiveness, engagement levels also increase.
According to Gallup, organizations with highly engaged employees are 23% more profitable. Retention also improves, with low-turnover organizations showing an 18% increase and high-turnover organizations exhibiting a 43% improvement.
3. Shadow IT improves IT efficiency
IT departments have long been buried under a sea of help desk tickets, but this issue only increased with the rise of remote and hybrid work. In early 2021, 55% of tech workers stated their workload had increased, with 64% in IT operations specifically claiming the same.
Shadow IT helps reduce that workload. As a result, your IT teams can focus on more critical tasks that drive the business forward instead of being glorified troubleshooters or gatekeepers. They can strategize, innovate, streamline IT processes, implement more robust infrastructure, and more–all of which will take your company to the next level.
5 biggest shadow IT risks
While the benefits of shadow IT shouldn’t be overlooked, neither should the risks–especially since shadow IT is everywhere. Gartner estimates that 30% to 40% of IT is shadow IT. The most significant risks don’t necessarily come from the tools or apps themselves, but more importantly from the data they can access.
Need more to convince you to dive deeper into this issue at your organization?
Here are 5 risks of shadow IT (examples included).
1. Security risks
Shadow IT expands the potential attack surface for cyber threats. Without the stringent controls typically exercised by an IT department, these tools could expose the organization’s critical business data or trade secrets.
One of the shadow IT examples that perfectly illustrates the issue is Brianna from marketing. She knows not to use her corporate credentials when signing up for Trello, but someone on her team is not quite as savvy. If these credentials are exposed via a vendor breach or cybercrime, it can potentially lead to a situation where a bad actor could gain unfettered access to additional internal systems.
Shadow IT could also lead to risks if you need to file an insurance claim. Most cybersecurity insurance requirements include an affidavit that you are accessing software with SSO and/or MFA. Ever checked that box, assuming employees were following your IT policy?
You may be at risk should you need to file a claim. Insurers could deny coverage based on misrepresentation of MFA use.
2. Regulatory non-compliance
Compliance could also be jeopardized. With the absence of standard data management, unauthorized tools could mishandle personal data, leading to violations of regulations like GDPR or HIPAA and ultimately costing the company hefty fines.
For example, healthcare organizations deal with a large amount of incredibly sensitive data and are subject to many regulations, including HIPAA. If a team within this organization chooses to use an unapproved cloud-based file-sharing platform to transfer patient data, it could result in a catastrophe if a breach occurs.
Remember our example from earlier about unapproved communications applications?
Additional risks come into play in compliant organizations, where usage of unapproved communication tools could prove to be costly. In 2022, the SEC issued a $1.1 billion fine to 16 Wall Street firms for using shadow IT communication tools, such as WhatsApp.
3. Interoperability issues and system inefficiencies
Another concern is that shadow IT solutions might not be compatible with the other systems your organization uses. It can lead to data silos, system inefficiencies, and other critical problems.
To return to one of our previous shadow IT examples, Luke from sales (the trailblazer) has been using an unsanctioned CRM (customer relationship management) tool because it works better on his iPhone than the company’s official tool. And he’s dragged the entire team with him.
Unfortunately, the new tool isn’t compatible with the sanctioned software, which is connected to other business processes, such as marketing, customer support, and inventory management. Now, you have siloed data that is challenging to integrate with the information in the official CRM (if anyone even attempts it), which can lead to discrepancies and a slew of other issues.
4. Reduced visibility and accountability
Another critical issue with shadow IT is that it can be challenging to establish clear lines of responsibility for data management. If there’s a data breach, it’s hard to figure out where the fault lies and what issues to address.
Imagine your marketing team uses an unauthorized cloud-based design tool to create and store product strategies. This vendor could potentially have a data breach that allows bad actors access to these designs.
However, the IT department has no idea this application is being used and hasn’t included it in their software inventory. Therefore, identifying the cause of the breach becomes incredibly complicated, thus delaying their response.
5. Financial waste
Shadow IT can also lead to financial waste. As more employees transition to a non-approved tool, the official platform can go unused. However, the organization continues to pay for it.
Furthermore, some of these solutions are challenging to integrate with company systems, potentially leading to increased costs to achieve compatibility and increase security.
According to Auvik’s 2023 Network IT Management Report, 20% of respondents stated that IT budgets and costs represented a challenge for them, which is just one more reason shadow IT requires immediate attention.
Shadow IT solutions
Clearly, shadow IT risks are far from trivial. This phenomenon represents an overall security risk that is steadily growing and needs immediate attention.
However, managing Shadow IT is like trying to catch smoke with a net: the decentralized, covert nature of it makes it a formidable challenge. On the other hand, letting it fester unaddressed is not an option either. It’s a problem that must be solved—and fast.
But where do we start?
Here are some tips.
Establish data classification and loss prevention measures
Classify your company’s data so employees understand what is considered public, private, or confidential. This process is called DLP (data loss prevention). Creating these classifications helps you determine how each type of data can be used and by whom.
For example, you might decide your employees can use their preferred platform to manage schedules or store meeting notes. But any data containing sensitive details such as personal customer information can only be used in certain situations that are pre-approved by senior management.
Conduct a comprehensive audit
A critical step to getting shadow IT under control is to first discover what tools are in use. Conducting a thorough shadow IT audit will help you discover how widespread it is at your organization and/or at your clients’, which is the first step toward finding an effective solution.
You have two options in terms of methodology: manual and automated.
Smaller businesses could, potentially, conduct a manual audit, using surveys and spreadsheets, for example. On paper this might sound like a good option, but there are downsides to the manual approach.
First, a manual audit is quite time-consuming. Second, it can be inaccurate and is unlikely to give you the full picture. Consider that you’re basically asking people about something they shouldn’t be doing in the first place. How forthcoming do you think they’ll be?
People might also not mention tools they’re using because they don’t think it’s a problem. “Oh, it’s only a tiny little thing and I really use it only for myself. I don’t have to mention it because surely it doesn’t matter.” You’d be surprised how many people think that way, particularly for tools they don’t perceive as important.
Once you collect the data, you have to create a system for storing, updating and tracking the app usage. This means conducting regular audits, since employees aren’t going to stop using shadow IT just because you’ve asked them to. And no, instituting penalties won’t work either. It’ll merely ensure people are no longer honest.
Most businesses will need to consider more automated options, such as SaaS management platforms. These platforms not only help discover what shadow IT apps are in use and how, but also provide continuous monitoring, so your catalog is always up to date.
More on this in the following section.
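An added example (not from the original article, and not how Auvik or any specific SaaS management platform works): a minimal automated audit that scans web proxy log lines for known SaaS domains and reports the unsanctioned ones by user and department. The log format, the catalog, the approved-app list, and the sample lines are all constructed for illustration.

```python
import csv
import io

# Constructed for this example: catalog of SaaS domains and the approved-app list.
SAAS_CATALOG = {
    "teams.microsoft.com": "Microsoft Teams",
    "slack.com": "Slack",
    "trello.com": "Trello",
    "whatsapp.com": "WhatsApp",
}
SANCTIONED_APPS = {"Microsoft Teams"}

# Constructed proxy log lines: date,user,department,requested host
SAMPLE_LOG = """\
2024-03-04,george,development,app.slack.com
2024-03-04,priya,development,files.slack.com
2024-03-05,brianna,marketing,trello.com
2024-03-05,omar,marketing,api.trello.com
2024-03-06,luke,sales,web.whatsapp.com
2024-03-06,george,development,teams.microsoft.com
2024-03-07,luke,sales,notslack.com
2024-03-08,brianna,marketing,TRELLO.com.
"""


def match_app(host):
    """Map a host to a catalog app; match the domain itself or a subdomain only."""
    host = host.strip().lower().rstrip(".")
    for domain, app in SAAS_CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None  # not a known SaaS domain (e.g. look-alike "notslack.com")


def audit(log_text):
    """Return unsanctioned apps with users, departments, first/last day seen."""
    found = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines instead of aborting the audit
        day, user, dept, host = row
        app = match_app(host)
        if app is None or app in SANCTIONED_APPS:
            continue
        rec = found.setdefault(app, {"app": app, "users": set(), "departments": set(),
                                     "first_seen": day, "last_seen": day})
        rec["users"].add(user)
        rec["departments"].add(dept)
        rec["first_seen"] = min(rec["first_seen"], day)
        rec["last_seen"] = max(rec["last_seen"], day)
    # Widest adoption first, so review starts where the most people are affected.
    return sorted(found.values(), key=lambda r: (-len(r["users"]), r["app"]))


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(f'{r["app"]}: {len(r["users"])} user(s) in {sorted(r["departments"])}, '
              f'{r["first_seen"]} to {r["last_seen"]}')
```

A catalog-based scan only finds apps it already knows about, so the result is a lower bound on shadow IT, not a complete inventory.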
Invest in SaaS management tools
Let’s revisit our earlier comment that trying to capture shadow IT is like catching smoke with a net.
At home, you have a smoke detector. It might not prevent the fire, but it will mitigate risk by alerting you to the early signs of one. This enables you to act before the situation spirals out of control.
Similarly, you need a mechanism in your IT ecosystem that can detect the “smoke” of Shadow IT. It’s an early-warning system that allows you to act swiftly and decisively.
Here’s where SaaS monitoring tools, like Auvik SaaS Management, enter the picture.
Just as smoke detectors protect your home, SaaS discovery and management tools protect our businesses. They provide complete visibility into all SaaS applications in use, identify unauthorized usage and rogue user accounts, and help you respond to Shadow IT before it spirals out of control.
Imagine if a smoke detector could alert you to a new fire hazard entering your home, monitor it for potential issues, give you tools to avoid escalation, and then send loud alerts when it’s on the verge of doing so–now you’re getting closer to what these tools can do. It’s like having an intelligent smoke detector and firefighter rolled into one. The only thing it can’t do is look good on a calendar. For now.
SaaS management platforms save time by automating the process of documenting accounts and tracking SaaS apps. They can identify all the business applications in your business. They can monitor your entire organization in real time, completely on autopilot, and only alert your IT staff when there are potential issues. And they can determine those potential issues before they become a serious problem through employee access analysis.
They can also build checklists for employee off-boarding that help remove employee access completely. According to Help Net Security, nearly 83% of employees continue to access old employer accounts.
Through comprehensive software inventory management, generation of regular business Shadow IT reviews, and simplified offboarding of employees, SaaS management tools can help tackle the Shadow IT problem effectively. They can also save significant resources in the long run by identifying hazards that you can fix before they escalate. This frees up your team to focus on tasks that drive the business forward.
Foster a culture of open communication
Consider encouraging your employees to share their needs and the tools they would prefer to use. Also, implement a clear approval process to request new software or hardware. If people have a process to follow (and know what it is), it reduces the temptation to resort to shadow IT.
However, to ensure you don’t have a slew of shadow IT examples in your organization, don’t refuse every request for a non-approved tool. If the request makes objective sense and would enhance the employee’s productivity, at least explain your reasoning and provide an alternative.
Consider compromising on shadow IT tools
If one of these shadow IT tools proves to be valuable, consider integrating it into your application stack. Of course, make sure to first review it thoroughly for security and compliance.
This willingness to compromise will further reduce the temptation of shadow IT. Employees see that you are open to fulfilling their needs and may be more likely to use official channels for requests, instead of resorting to shadow IT.
Also consider your IT department’s response times to these requests. According to Statista, 38% of employees resort to shadow IT because of slow response times from the IT team. Not only that, a report from Entrust shows that only 12% of IT professionals follow up with these requests.
Instituting clear processes and ensuring your IT department has the bandwidth to respond in a timely manner helps reduce the threat of shadow IT in your organization.
Educate your employees
Though people use technology far more than even a decade ago, that doesn’t mean they are also tech-savvy. They might not understand the risks involved, which is why implementing a comprehensive training program is essential.
Nothing can protect you from the risk of the aforementioned shadow IT examples like awareness. Everyone should know about the policies, guidelines, and potential consequences that could not only affect the company but customers too.
Auvik SaaS Management (ASM)
Don’t let Shadow IT lurk in the dark corners of your organization. Illuminate it. Understand it. Control it. To do this, consider a SaaS management tool like Auvik SaaS Management. With its holistic visibility, proprietary SaaS Health Score, and real-time alerts, Auvik provides a robust solution to your Shadow IT problem.