According to Microsoft, 80% of users use shadow IT in their work (third-party programs that are not controlled by the company). This can lead to data leaks, system infections, or industrial espionage. Finding the root cause can be difficult. So how do you weed out shadow IT and maximize SaaS investments?
Shadow IT continues to spread like a virus in organizations around the world. The COVID-19 pandemic has only made it harder to track and eradicate. Shadow IT is the devices, software, and services that are not owned or controlled by the company in which they are used. Common examples of shadow IT are:
At first glance, shadow IT does not seem to be dangerous, but it is. Next, we’ll look at the problems that shadow IT leads to.
The problem with shadow IT lies not in its very existence, but in the lack of control over it. This leads to security, integration, and operational problems:
File storage, online versions of office programs, and other cloud services are virtually guaranteed to leak information. You don’t know how, when, or who will process your data. In addition, users rarely use complex passwords and two-factor authentication, which makes life much easier for attackers. Threats also arise when work data is sent to personal email. The good news is that you can fight problems caused by shadow IT.
Even if everything in an organization is good, shadow IT will still be there. Shadow IT is like the shadow economy: you can’t beat it as long as it benefits someone. What to do? First of all, recognize that the problem exists. So, the fight against shadow IT can be broken down into 4 steps.
The company and its employees must clearly understand what is public, private, or confidential. Classification will help determine acceptable rules for the use of knowledge. For example, the company decides that sensitive information containing social security numbers is only allowed in a predetermined set of applications. Consequently, employees can’t use this data in other apps that aren’t determined by the company. Otherwise, they will be fined. At the same time, employees should have a little more flexibility to use cloud services for personal information, such as meeting notes.
Management’s attitude to unauthorized IT tools should be articulated, documented, and communicated to all employees. Strictness toward those who violate the rules is necessary. But banning everything is also not the best solution, because it will cause inconvenience to employees. It is better to consider whether the IT department is well aware of the needs of business users. The closer the interaction between the business and the IT department, the more flexible the IT policy and the less temptation business users have to bypass the IT department. And in any case, it is necessary to build IT asset management processes.
The IT department needs to understand how sensitive information is stored and managed internally. According to a survey by IT consulting firm Torii, only 28% of IT leaders use SaaS management tools to control shadow IT. Continuous monitoring using specific tools will help control the situation with shadow IT. One such tool is Microsoft Cloud App Security.
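As an added illustration (not part of the original article, and not a description of how any particular product works), the example below shows the kind of discovery that continuous monitoring relies on: it reads egress proxy logs, drops traffic to sanctioned applications, and ranks the remaining services by upload volume and user count. The log format, the domain names, and the allow-list are constructed assumptions.

```python
from collections import defaultdict

# Constructed allow-list of sanctioned SaaS domains (assumption, not from the article).
SANCTIONED = {"sharepoint.com", "office.com", "salesforce.com"}

# Constructed proxy log lines: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice POST contoso.sharepoint.com 120000
2024-03-01T09:02:10Z bob POST files.example-share.test 5000000
2024-03-01T09:03:44Z carol PUT files.example-share.test 2500000
2024-03-01T09:05:00Z bob GET notes.example-notes.test 800
2024-03-01T09:06:12Z alice GET www.office.com 400
malformed line here
2024-03-01T09:07:30Z bob POST notes.example-notes.test 15000
"""


def registrable(host):
    """Reduce a hostname to its last two labels.

    Simplification: a real deployment would use the Public Suffix List.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def discover(log_text, sanctioned=SANCTIONED):
    """Return (domain, users, requests, bytes_uploaded) for unsanctioned services."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        _, user, method, host, sent = fields
        domain = registrable(host)
        if domain in sanctioned:
            continue
        entry = stats[domain]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("POST", "PUT"):  # only uploads count toward data leaving
            entry["bytes_up"] += int(sent)
    report = [(d, len(s["users"]), s["requests"], s["bytes_up"])
              for d, s in stats.items()]
    # Largest upload volume first, then most users, then name for stable output.
    return sorted(report, key=lambda r: (-r[3], -r[1], r[0]))


if __name__ == "__main__":
    for row in discover(SAMPLE_LOG):
        print(row)
```

Services near the top of the report are the ones to review first against the data classification rules described earlier.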
Speaking of technical measures, a regular inventory of IT resources using specialized tools is required. If you use a security scanner, it will not only locate all the devices in your corporate network but also serve as an additional “hygiene measure”. It will find the existing vulnerabilities. A traditional security scanner is a tool that is easy to install and configure to the desired scanning frequency and report details.
Inventorying is a rather time-consuming and laborious procedure, and interpreting the results of a corporate network scan is sometimes not so easy. No wonder outsourcing of such work is rapidly gaining popularity.
The appearance of shadow IT always has a reason. For example, employees may be uncomfortable with current tools. Then people will start looking for another tool to make their job easier. To take control of shadow IT, a company must provide employees with:
Some companies order trend analysis from independent agencies. These agencies help companies identify trends in the use of shadow IT or third-party applications inside the company. As a result, it becomes easier for the company to fight against shadow IT.
Employees use shadow IT because they can’t find the functionality they need in existing systems. Or these systems need to be modified by developers and administrators to meet their needs. This is quite difficult from a user’s point of view. When they have easy-to-use corporate collaboration tools that do not require technicians, there is no need to use third-party services.
It is hardly possible to eliminate shadow IT from an organization, especially a large one. But it is possible and necessary to bring it under control. To do so, it is necessary to be aware of its presence, formulate a clear attitude towards shadow IT, and control the enforcement of security policy. It is also worth making sure that the processes of getting the right IT services to business users are not too slow or complicated.