“Many IT decisions are now distributed throughout the organization at the line-of-business level. From a security point of view, it’s a nightmare scenario”
What is Shadow IT?
Shadow IT is the use of devices, applications, and services that haven't been sanctioned by the IT department. IT teams have had to contend with it in various shapes and forms for many years, most visibly when employees copied files onto a floppy disk or USB drive to work from home. The modern form is the adoption of SaaS: end users can sign up for web-based services on their own, without centralized IT having to deploy, configure, or even know about them.
Why do employees use Shadow IT?
- Sanctioned work applications are unreliable: persistent latency, system errors, or login failures push end users toward an alternative that lets them get the job done.
- Going through official channels is time-consuming, and there is always the danger that someone will say 'no', so rather than consult IT, the business unit procures the service itself.
- End users simply have a preferred service. The sanctioned tool may lack a needed feature, or the user may have no experience with it, so they revert to the solution they already know.
Regardless of the motive behind Shadow IT, it can incur a number of costs for a business:
- Security and compliance costs: regulatory fines and the cost of a potential breach, including remediation and reputational damage.
- Operational costs: wasted SaaS spend, a fragmented IT budget, and lost productivity.
In this article, we’ll look at some of the SaaS Shadow IT trends, financial costs which can be avoided, and how you can embrace Shadow IT.
Shadow IT trends
Some recent trends highlight the financial and security implications of Shadow IT:
- Gartner’s studies found that between 30 and 40% of IT spending in large enterprises goes to Shadow IT while Everest Group puts it closer to 50%.
- Core found that Shadow IT use grew by 59% as a result of Covid-19, with 54% of IT teams considering themselves 'significantly more at risk' of a data breach.
- NCSC found 21% of organizations experienced cyber events due to a non-sanctioned IT resource.
- NCSC also found 60% of organizations don’t include shadow IT in their threat assessment.
The IT leader’s security challenge with Shadow IT
NCSC found that:
“46% of IT leaders believe that direct purchasing of software-as-a-service, personal and business applications and other unsanctioned software by individuals and business units makes it impossible to protect all their organization’s data, systems, and applications all of the time.”
NCSC also found that 1 in 5 organizations suffered a cyber-attack attributable to Shadow IT.
Organizations scrambled to enable remote work in 2020, which added new security risks across networks, the cloud, endpoints, and the edge. SaaS applications became attractive targets, accounting for 45% of the incidents in IBM's cloud-related study. IBM concluded that in these cases adversaries exploited configuration errors and vulnerabilities in the apps themselves, many of which went undetected precisely because employees were using unsanctioned services that nobody was monitoring.
What is the cost of Shadow IT?
Shadow IT can incur additional security event and operational costs:
The security costs
- Data breach costs: Normally an IT team performs technical due diligence before adopting a service, checking that it meets the organization's requirements, particularly for security. When SaaS procurement is driven by business units instead of IT, that oversight is lost. Shadow apps are also inherently less secure because they are not integrated into the organization's security workflows (identity provider, logging, data loss prevention), which increases the likelihood of a breach. IBM's Cost of a Data Breach Report found that, on average, a breach cost enterprises $3.86 million, and that breaches caused by cloud misconfigurations averaged $4.41 million, up half a million from the previous year. Unmanaged Shadow IT raises exactly this risk: the service is not wired into your security stack and will likely have minimal protections in place.
- Compliance costs: In highly regulated industries, it's vital to get visibility into Shadow IT so you can control your regulatory liability. For example, organizations including the US Army and Navy have banned TikTok over data-protection concerns, believing the app shares sensitive data with third parties including the Chinese government.
NCSC also found that 56% of organizations that incurred a cost from a security incident involving a SaaS app were not compensated by the provider. Many executives have bought cyber insurance to cover such unexpected costs, yet only 4 in 10 believe their policy covers data recovery and crisis management.
The operational costs
Where Shadow IT does arise, it can hinder long-term IT strategies.
- Under-utilization: if Shadow IT is left unmanaged, it undermines the uptake of centralized services. If the Product team buys its own project management tool, the centralized service ends up under-utilized and the licenses bought for that team were wasted.
- Discount opportunities: If you’re responsible for organizational-wide software procurement and implementation, you’re probably in a better position to negotiate and take advantage of volume discounts. You will also want to make sure that your budget stays your budget. If software costs are being reclassified as Line of Business expenses, you could see your budget drop for the following year.
- Failed integration with business: Another source of cost is continuous migration, stemming from chosen apps no longer being fit for purpose. When a business unit procures an app, it will likely be done with just the department’s needs in mind. When done via a central buying team, it is likely to form part of a wider technological roadmap, and consideration for integration, compatibility and long-term goals will factor into the purchase decision.
- Business alignment and collaboration costs: Shadow IT can hamper productivity. If different teams are using different tools for collaboration, for instance, an instant messenger, file sharing service, or project management tool it can lead to a fragmented workplace experience.
How to embrace Shadow IT
Most of the time, Shadow IT is the result of well-intentioned employees trying to do their jobs. A strategic approach is for IT teams to understand what's driving it, such as the preference for particular SaaS apps or features described above.
Shadow IT is often an outcome of user experience issues. We are all used to having technology readily available and easy to use, so naturally users want something faster; if the IT process is slow, their patience wears thin. Traditionally, IT has been perceived as a 'blocker' for adopting new technology, whether through long timelines or simply saying no, which pushes business units to operate in the shadows rather than be forthcoming.
If IT is to become more strategic and shake off that draconian image, it needs to work with the business and enable it, rather than unilaterally decide which services will be implemented.
An effective way of embracing Shadow IT is to understand why each service was adopted and work out how to address that cause. Taking this investigative approach supports digital transformation and lets IT bring the preferred SaaS application into the organization securely, under proper controls, while providing the best possible end-user experience.
Find out more about Jamf's latest security offerings to help tackle the issue of Shadow IT in your organization.