Shadow IT aka Unmanaged Applications

Introduction

With the consumerization of information technology and steadily increasing adoption rates of cloud-based services, shadow IT has become an important topic that won’t go away anytime soon.

In fact, current trends show that individual employees are responsible for 50% of all cloud app purchases, while 35% is procured at departmental levels and only 15% can be subscribed to IT teams. This means that the majority of purchases happen without the knowledge of the IT or security group within an enterprise.

In this article, you’ll learn more about shadow IT, the associated risks, costs, and benefits, and how to successfully discover and manage the software that’s off the radar.

What is shadow IT?

Shadow IT describes the procurement and use of IT-related hardware or software without the explicit approval of IT departments. This includes hardware, off-the-shelf packaged software but most commonly cloud services, including SaaS (software as service) and IaaS (infrastructure as service).

Even though unmanaged apps can refer to many things, the main concern enterprises have today, is the increase of SaaS applications that haven’t been approved by IT departments. After all, employees feel increasingly comfortable with downloading apps and services that help them get their job done.

And while this relatively new phenomenon comes with its risks and challenges, it also has its benefits like increased productivity, fewer bottlenecks, and immediate problem-solving. It creates a gap between Business and IT — Business Led IT embraces innovation and productivity but the key is to ensure it is managed properly: Efficiency, Productivity, and Security. Thus, shadow IT doesn’t deserve the negative reputation it currently has.

Next, learn about the most common shadow IT examples and the three main software categories they belong to.

Shadow IT examples

Most SaaS applications that are purchased by individuals and lead to shadow IT fall into one of the three main categories: productivity, communication, and collaboration. As there are constantly new providers and applications with various new features, employees tend to choose the apps that best suit their needs and update software whenever they see fit. Below are some examples of typical shadow IT applications.

Productivity: More often than not, these are apps for better project management like Trello or Hive that allow employees to assign tasks and keep track of time and progress. Other productivity apps are designed for social media management like Hootsuite or help employees check the quality of written output like Grammarly.

Communication: Especially with an increase in remote job opportunities, communication tools are more important than ever. SaaS applications like Slack allow for easy communication and video conference applications like Zoom or Webex help remote teams hold video conferences and allow screen sharing.

Collaboration: Since sending big attachments via email isn’t always possible, most teams use different file-sharing tools like Dropbox or OneDrive to upload and share files. And of course, there’s a whole collection of SaaS tools for working collaboratively. The best example is GoogleDocs or apps for better workflows featuring discussion boards and real-time notifications.

When it comes to hardware, common shadow IT includes items like servers, PCs, personal laptops, tablets, smartphones, or hard drives.

Why do employees use shadow IT?

There are a few reasons why shadow IT applications have become more common in almost every enterprise. One of them is directly linked to the rapid growth of cloud services or software as services that are easily accessible for employees on all levels.

Remember that 85% of all cloud app purchases are made by non-IT team members. Plus, the average employee is becoming increasingly tech-savvy and doesn’t usually wait for IT teams to approve of solutions that enhance their efficiency and productivity.

On top of that, most businesses experience a shortage of developers. That means teams take matters into their own hands instead of waiting for busy IT experts to develop an in-house solution to a problem.

More often than not, there is also a mismatch between the business and developers – many applications designed for developers neglect certain business aspects which lead managers and their teams to look for quick fixes.

Latest shadow IT statistics

Since shadow IT seems to be on everyone’s radar, there is an increasing amount of research investigating its usage and impact on enterprises around the world. Below are five recent Shadow IT statistics that might leave you surprised.

• According to a McAfee study, 80% of employees admit that they have been or are using non-approved SaaS applications to get their job done.
• Research by the Everest Group suggests that more than 50% of all cloud spend occurs outside of the IT department.
• NCSC (National Computer Security Center) found that 60% of enterprises fail to include shadow IT in their IT threat assessments.
• A survey by Entrust Datacard found out that 77% of the asked IT professionals believe that organizations could gain a competitive edge by embracing shadow IT.
• In a survey by The Cloud Security Alliance, only 8% of the asked global organizations believe they have a grasp on the number of unmanaged cloud apps in use at their company.

As the above data suggests, shadow IT is difficult to control and still an untapped field for most organizations. However, it doesn’t have to have a strictly negative impact on a company but can be a source of employee productivity and empowerment. But first, learn about the specific risks that are associated with shadow IT.

What are the risks of shadow IT?

Considering how many employees procure SaaS applications without prior IT approval, there are certain risks that are growing alongside the amount of shadow IT. However, if IT departments and leadership know about these challenges, they can make better-informed decisions and mitigate problems as soon as they arise.

Below are the 5 biggest Shadow IT risks that you should be aware of:

Security issues: With more than half of all organizations not including shadow IT in their IT threat assessments, shadow IT introduces new security gaps to any enterprise. While some applications might be harmless, others could promote data leaks. Thus, IT departments should at least be informed about which apps are being used for file sharing and more.

Non-Compliance: To protect their customers, clients, and business partners, organizations are subject to stringent compliance regulations that are enforced by their respective governments. In case of non-compliance due to shadow IT, a company can face hefty fines should unapproved software jeopardize the confidentiality of sensitive data.

Configuration management: IT departments invest a good amount of their time to create the perfect IT workflow with the help of a configuration management database (CMBD). When shadow IT is introduced, it’s likely not supported by the CMDB as the right people don’t know of its existence. This could lead to a disruption of the existing system workflow.

Collaboration inefficiencies: When teams rely on different apps to get their job done, collaboration might decrease or become less efficient. Example: If one team uses Google Drive for file sharing and another team uses Dropbox, documents will get uploaded, downloaded, and edited multiple times.

Lack of Visibility: Shadow IT truly lives up to its name, meaning that it is invisible to IT departments. Even though SaaS applications typically don’t take up much space, they can impact the bandwidth or simply break. If a team heavily relies on a broken app that IT doesn’t know about, it’s difficult to provide quick fixes or solutions.

Shadow IT benefits

While the risks and challenges that come with shadow IT can’t be denied and shouldn’t be ignored, there are also numerous benefits that enterprises are starting to embrace.

• Improved productivity. When employees find that the current solutions aren’t sufficient, they’re looking for ways to increase their productivity by using suitable SaaS applications. That way, they also get to use the tools that they prefer.
• Employee satisfaction. Slow IT approval processes can cause great frustration and a lack in motivation. However, if employees are being empowered to find their own solutions, their satisfaction goes up and ultimately, also their quality of work. On top of that, new technology trends are being adopted much more quickly if every employee keeps an eye out for new tools.

However, keep in mind that it’s important to communicate the risk of shadow IT to your employees and let IT teams review new solutions in an unbiased manner.

Shadow IT costs

It’s not a surprise that the outlined shadow IT risks also come with a financial burden. And there are various types of costs that can occur when the negative aspects of shadow IT start outweighing their positive ones. But where do these costs come from? Most of them fit into one of the two categories below.

• Security costs: When technical oversight is lost, data breaches or ransomware attacks can occur much more easily. And in the worst-case scenario, these incidents cost companies millions of dollars – in the US, a data breach costs a company $8.19 million on average. Then there are also compliance costs: Organizations in highly regulated industries can incur high penalties for using unauthorized applications.
  
  
• Operational costs: Shadow IT could be in the way of long-term IT strategies and accumulate operational costs that could be avoided. Reasons are under-utilized licenses, duplicate licenses, and missed discount opportunities for organization-wide procurements. Plus, there’s a good chance that shadow IT isn’t properly integrated, which causes compatibility costs, and hampers productivity between teams.

How to discover and manage shadow IT?

The more your organization adopts a cloud-first approach, the more you will have to deal with shadow IT. However, you don’t necessarily have to suffer under the challenges and associated costs. In order to mitigate the risks and to embrace the benefits that this trend has to offer, shadow IT needs to be discovered and properly managed.

The shadow IT governance process described below enables you to discover, manage, and audit any unknown application employees use within your organization.

1. Automate shadow IT discovery for full visibility

In the first step, you need to know what is actually in your environment. Discover all apps in your software portfolio by using automated SaaS management or Software Asset Management (SAM) platforms, or employee surveys (spreadsheets). Keep in mind, manual discovery methods prove to be inadequate and time-consuming especially within bigger organizations.

Once you have a complete inventory, you’ll be able to store a variety of characteristics for each application, e.g., application owner, number of licenses, seats, users, total spend, purchase type, renewal period, etc. Knowing each characteristic will enable you to establish accountability of applications that will help you to act on the findings moving forward.

2. Schedule risk assessments

Do apps comply with your enterprise’s standards? With an overview, you can perform risk assessments on all applications you discovered in the first step. You can also find out if an app is associated with a recently published security breach. Assessments described below can prioritize actions you take. These can be done based on the following criteria:

• Data security risks: Analyze security certifications and technical measures maintained by the vendor.
• Regulatory compliance: Gather information where data is stored, who has access, and vendor compliance certifications (GDPR, CCPA, SOX, and HIPPA).
• Business risks: Assess whether vendors are future-proof and can generate lasting value for customers and shareholders.

3. Analyze application usage

In the next step, you can leverage integrations and API connections to track application usage patterns and identify underutilized purchases. Best practices to analyze applications is, to begin with:

• Significant cost item services first and focus on the rest of the portfolio afterward. This helps you determine if apps your employees are using have sufficient ROI.
• Gather usage data and measure utilization to detect inactive and underused applications.
• Categorize applications and determine functional overlap to compare usage.

4. Evaluate and rationalize applications

Data gathered from the previous steps helps you rationalize applications according to which applications are needed, by whom, and for how long. At this stage, companies must define their needs and take steps to optimize or retire unused software. Best practices for evaluation and rationalization can be done through:

• Map each app into different categories or give it star reviews: non-essential or one-star (deprovision immediately), redundant app or two stars (if possible, migrate to more utilized app), under-used or three stars (provide additional training or implement better solution), and essential or four stars (leave as it is).
  
  
• Start with software that supports core workflows e.g., project management apps, file sharing, sales intelligence, etc.
  
  
• Consider renewal dates and build a cadence of sunsetting duplicative tools.

5. Implement buying and renewal processes

With a controlled intake and usage awareness, companies can build a process around buying SaaS applications to avoid recurring rationalization. Best practices around buying and renewal processes are to:

• Implement a template for software requests that includes a business case from the budget owner to assess where the tool fits in the organization.
• Extend the process to new tools and those up for renewal; build out a renewal calendar and set up timely alerts.
• Establish relationships with department heads and communicate processes with existing employees and make part of new employee onboarding.

6. Continuously monitor and review

Since there’s constant movement in a cloud environment, you need to keep monitoring your network and keep a record of new applications. Plus, many SaaS apps are updated on a daily basis, so there might be policy changes that you shouldn’t miss.

Automated monitoring ensures repeated rationalization and reduces the need for overly-controlling centralization measures or cuts in the wider enterprise. Regular reviews will help make sure:

• Sensitive internal data is not given to unvetted vendors, limiting security risks.
• Employees are using applications that comply with compliance policies.
• Software costs are managed effectively and under control.

Shadow IT is an opportunity

In this day and age, shadow IT comes with the territory of cloud-based environments and is difficult to avoid. That’s why you should focus on its benefits while managing the associated risks in an effective way.

By understanding what shadow IT is and knowing its potential impact on your enterprise, you can address challenges and create a culture of employee empowerment and productivity. This involves strategic shadow IT discovery, getting all departments on board, and the openness to technical innovations even if they disrupt the status quo.

After all, employee satisfaction translates into productivity which has a positive effect on your products, customers, and overall growth.