Shadow IT — the adoption of unsanctioned hardware, software, applications, and services within an organization — has long plagued IT. A recent CORE research report found that shadow IT usage has exploded by 59% since organizations widely embraced the remote work model, with 54% of IT teams describing their organizations as “significantly more at risk of a data breach” due to this surge.
What is driving the uptick in shadow IT — and how can organizations safeguard their employees and networks from the risks they introduce?
Two culprits are the increase in cloud adoption and the rise of remote work. The modern workforce is increasingly agile and dispersed, operating from locations and devices that IT has limited visibility and control over. Employees, whether working on-site or remotely, have preferences for tools that help them to get the job done. When those tools don’t align with the list of applications IT has already approved — or are used to fill in gaps where no tools have been provided — this spells trouble for many organizations.
According to a survey by Stratecast and Frost & Sullivan, 80% of employees adopt SaaS applications without IT approval, exposing their corporate network to a myriad of security threats and vulnerabilities.
Before organizations can stop the spread of shadow IT, however, they must first understand a) what it’s costing them, b) why their employees are still using it, and c) what discovery and remediation tools can help.
In 2021, IT management company Insight Global suffered a data breach that exposed the personal information of approximately 70,000 Pennsylvanian residents. The company was contracted to assist the state health department’s COVID-19 contact tracing efforts, but compromised the information they collected when employees started “several Google accounts for sharing information as part of an ‘unauthorized collaboration channel.’”
While the Pennsylvania health department couldn’t trace the leaked data to any serious misuse, the incident still underscores just how easily shadow IT can weaken an organization’s security posture.
When IT lacks visibility into the tools and accounts that employees are using, they have no way of ensuring that sensitive data and resources remain within the corporate perimeter. As a result, they cannot evaluate tools for security flaws, enforce proper security controls, monitor and restrict data movement, meet compliance requirements, or anticipate data breaches and attacks triggered by vulnerabilities within these unmanaged applications and services.
Unlike the Insight Global data breach, most attacks are costly and time-consuming to remediate (averaging $4.24 million per data breach, according to IBM), especially when IT is not made aware of the applications or accounts that have been compromised. In a study by Forbes Insights, one in five surveyed organizations suffered a cyber attack due to shadow IT, while less than half of respondents felt confident that their organization could recover from a cyber incident without significant business impact.
Left unchecked, shadow IT not only increases the risks of cyber attacks, but also drives up other costs. Given the expansion of remote work and the proliferation of cloud-based tools and services, shadow IT adoption makes up a significant percentage of IT spending at large organizations. In a survey by NetEnrich, 59% of IT decision-makers said that IT spending and overruns were a major concern for the future.
Controlling shadow IT can be an arduous process, even for the most diligent IT department. According to Productiv, enterprises employ anywhere from 270 to 364 SaaS applications on average, with unsanctioned applications making up 52%.
Before organizations can take steps to identify and remediate the risks introduced by shadow IT, they need to understand why employees still adopt it. Often, employees are unaware that using unmanaged tools, devices, and accounts can create sizable security gaps. Instead, their reasons for adopting shadow IT typically fall into one of three categories:
Employees gravitate toward tools that are convenient, effective, and serve specific business purposes. And if an organization doesn’t provide the tools and resources that employees need, they’ll find their own. Per IBM, 67% of employees at Fortune 1000 companies use SaaS applications that have not been explicitly approved by internal departments.
Employees may not understand the cybersecurity risks of shadow IT. They may not be aware that they have to get IT approval for new tools, or realize how much they’re risking by introducing unapproved applications and services to the network.
IT policies and approval processes may be unclear or nonexistent. Getting IT approval can be challenging, time-consuming, or even impossible due to budget constraints, security concerns, or other reasons. And some organizations may not have established policies around the adoption of applications, inadvertently encouraging employees to adopt new tools without first disclosing their usage to IT.
Due to the prevalence and shifting nature of shadow IT, there is no one-size-fits-all solution that works to detect and combat vulnerabilities in unmanaged tools and services. However, there are several key strategies that organizations can take to minimize their spread and impact, including the following:
Adopt a shadow IT discovery solution. Shadow IT discovery can help IT detect and log all applications in use across their network, even those that employees haven’t yet disclosed. Once IT has cataloged all approved and unapproved tools, they can evaluate them for security flaws or misconfigurations, place access and data protection policies in front of them, and more effectively manage employee access to them.
Educate employees about cybersecurity. Educating employees about the risks of unapproved tools and accounts can go a long way toward preventing the adoption of shadow IT.
Establish internal shadow IT policies. Creating policies around the adoption of new technology and continually informing the organization of these policies allows IT to thoroughly vet new applications and services before they are rolled out, effectively slowing or stopping the spread of shadow IT. And by establishing concrete steps for the adoption and management of new applications and tools, organizations can lessen employee frustration and help them work more efficiently with the tools they need to get the job done.
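To make the discovery step above concrete, here is an added example (not code from the article or from Cloudflare) that builds a shadow IT inventory from forward-proxy log lines: every host that is not on IT's sanctioned-application allowlist is recorded with the users who reached it, the request count, and the bytes uploaded, so IT can triage by how much data is leaving. The log format, hostnames, and allowlist are constructed for the example; a real discovery tool would map hosts to named SaaS applications rather than reporting raw hostnames.

```python
import re
from collections import defaultdict

# Constructed sample forward-proxy log lines (not from the article). Format: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2023-03-01T09:12:03Z alice GET mail.corp-suite.example 512
2023-03-01T09:14:41Z alice POST docs.corp-suite.example 40960
2023-03-01T09:20:10Z bob POST upload.filedrop-saas.example 8388608
2023-03-01T09:21:55Z carol GET app.notes-saas.example 2048
2023-03-01T09:25:02Z bob POST upload.filedrop-saas.example 4194304
2023-03-01T09:30:17Z dave GET ticketing.corp-suite.example 1024
not a log line
"""

# Applications IT has already approved (constructed allowlist; a host matches by exact name or as a subdomain).
SANCTIONED = {"corp-suite.example", "ticketing.corp-suite.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|CONNECT) (\S+) (\d+)$")

def is_sanctioned(host, allowlist=SANCTIONED):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)

def parse_line(line):
    """Return (user, host, bytes_up) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, user, _method, host, size = m.groups()
    return user, host.lower(), int(size)

def build_inventory(log_text, allowlist=SANCTIONED):
    """Aggregate unsanctioned hosts: who uses them, how often, how much data leaves."""
    inventory = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or is_sanctioned(parsed[1], allowlist):
            continue
        user, host, size = parsed
        entry = inventory[host]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_up"] += size
    # Rank by upload volume: hosts receiving the most corporate data are reviewed first.
    return sorted(inventory.items(), key=lambda kv: kv[1]["bytes_up"], reverse=True)

if __name__ == "__main__":
    for host, stats in build_inventory(SAMPLE_LOG):
        print(f"{host}: users={sorted(stats['users'])} requests={stats['requests']} bytes_up={stats['bytes_up']}")
```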
Mounting an effective defense against shadow IT begins with Zero Trust: a security model built on the principle that no user or device should be inherently trusted to access corporate resources. By placing Zero Trust controls in front of corporate resources, organizations can ensure that their employees only have access to sanctioned applications via sanctioned accounts, making it more difficult for users to view, share, and move data across unsanctioned apps.
Cloudflare Zero Trust gives IT full visibility and control over approved and unapproved applications and helps minimize the risks of shadow IT and other security concerns.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
After reading this article you will be able to understand:
Why shadow IT has exploded by 59%
What drives 80% of employees to adopt unsanctioned SaaS applications
How 1 in 5 organizations suffer a cyber attack due to shadow IT
3 key strategies for minimizing shadow IT adoption
To learn more about how Cloudflare mitigates shadow IT, get the Zero Trust visibility and control of every SaaS application solution brief.