
Understanding the Nuances of Shadow IT and How it Impacts your Cyber Security Strategy

Jul 25, 2024

Explore the intricacies of shadow IT and what you can learn from employee behaviors, as it just might change your cyber security strategy.

Sarah W. Frazier

“Shadow IT” is more than a buzzword and isn't just about employees going rogue; shadow IT also points to unmet employee tech needs and perceived bottlenecks in corporate protocols. However, even more concerning is that shadow IT quietly expands your attack surface, undermines regulatory compliance, and results in fragmented and inefficient IT operations. The real danger isn't just in what you don't see—it's in what you think you understand but actually don't.  

In this article, we’ll dive into the intricacies of shadow IT and what you can learn from your employee behaviors—as it just might change your cyber security strategy.

What Shadow IT is

The term “shadow IT” refers to unknown assets used within an organization for business purposes. These assets, unaccounted for in asset management and not aligned with corporate IT processes or policies, pose significant risks. If left unmanaged, shadow IT can introduce new vulnerabilities in your attack surface, lead to the exfiltration of sensitive data, or spread malware throughout the organization.

Shadow IT is not just about unauthorized devices; it also includes SaaS applications and cloud technologies that slip under the radar, AKA “shadow SaaS.” And since SaaS technology is easily accessible and anyone can start a subscription, shadow SaaS continues to grow year-over-year.  Common examples of shadow SaaS include:  

  • Unapproved messaging or video conferencing services. As an example, your corporate-sanctioned tool is Microsoft Teams, but an employee initiates a Zoom subscription instead.  
  • External cloud storage services, such as Dropbox and Box, allow employees to share files or park materials they need to work from home on unauthorized devices.  
  • GenAI tools for copywriting, spellchecking documents, and checking code for errors—all of which could be gathering corporate information.  
  • Unmanaged cloud tenancies and repositories, created and used by developers as testing environments or for conveniently storing code.
  • Project management tools, used in absence of an existing solution or as an alternative to corporate applications.  

Though you may have a mature and comprehensive cyber security program, the reality is all organizations have some level of shadow IT. “Most organizations are surprised at how much shadow SaaS they actually have,” noted Lior Yaari, CEO of Grip. “From the diverse set of enterprises we work with, it’s not uncommon for Grip to uncover 8-10x more SaaS accounts than they were aware of.”


The most dangerous aspect of shadow IT is the unknown: you cannot tell whether these accounts are risky and warrant concern, or not. For this reason, we refer to shadow IT and shadow SaaS as unmanaged risks. Because you know nothing about the SaaS subscriptions employees start on their own, it is impossible to maintain a comprehensive inventory of assets (often necessary for compliance) or to ensure the proper security controls are in place (also required by many compliance standards), let alone identify and mitigate the hidden threats to your organization.

What Shadow IT isn't

Shadow IT is rarely the result of malicious intent. More often than not, it's driven by employees struggling to use sanctioned tools or corporate processes to complete specific tasks. When official channels don't meet their needs, employees seek out their own solutions to get their work done.  

Some common reasons that lead to shadow IT include:

  • Insufficient storage space: Employees might turn to external storage solutions when corporate storage is limited, or employees don’t have private file storage options within the corporate network.
  • Data sharing restrictions: When employees need to share large files with third parties and corporate tools don't support this or require excessive reviews, they may seek out unauthorized alternatives.
  • Lack of access to necessary services or tools: For example, developers may need specific tools that aren't provided by the organization. Similarly, a sales team may need an easy video messaging tool for prospecting.
  • Ineffective SaaS request processes: When the process for requesting assets or services through corporate systems is slow or cumbersome, employees bypass it altogether.
  • Insufficient functionality of approved tools: Sometimes, the tools provided don't offer the features employees need to do their jobs effectively.
  • Personal preference: Employees may simply prefer certain tools they are familiar with or find more efficient. In the 2024 Martech Composability Survey by Chiefmartec and Martech Tribe, 83% of respondents admitted that they chose an alternate app for some of their use cases even though the feature was available in their primary (sanctioned) platform. Their reasons ranged from better functionality to an enhanced user interface, easier governance and control, and lower cost compared with upgrading to a higher tier of the corporate-sanctioned application.

Besides being security experts and watchdogs for the company, SecOps and IT teams must also understand the drivers behind non-compliant staff behaviors. Productivity goals fuel shadow IT, and employees often do not realize that using personal devices or unapproved SaaS tools can introduce security risks to the organization. Thus, it’s to your advantage if you understand employee motivations (and frustrations) so that you can better address the root causes of shadow IT and work towards more secure and efficient solutions.

83% of users choose an alternate app even though the feature is available in their primary (sanctioned) platform.

Learning from Employee Behavior and Shadow IT Adoption

While shadow IT poses risks to the data you’re trying to secure, it also provides valuable insights into your organization's needs and gaps. Employees resorting to unsecured workarounds to get their jobs done signal that existing policies and tools may need improvement. Security teams should focus on identifying where shadow IT exists and addressing the underlying needs driving its use. The goal is to bring these practices above board without blame. Punishing employees for using shadow IT will only push the behavior further underground, increasing your risks.

Adjustments to Your Security Protocols

DO: Implement an efficient and user-friendly process for addressing employee requests. This process should be as prompt and responsive as possible. Employees who feel their needs are met quickly are less likely to turn to unsanctioned solutions.

DON’T: Impose strict lockdowns on enterprise IT, such as blocking external collaboration tools or not providing an instant messaging platform. Anticipating and meeting user needs can prevent the emergence of shadow IT.

DO: Involve stakeholders in the SaaS review process. Functional teams are in the best position to advise on the tools they need, and managers can assist with employees who refuse to comply with your established policies.

DON’T: Blame or punish employees for engaging in shadow IT. A positive security culture encourages open communication about issues, including where current policies fall short. Employees are more likely to report shadow IT and ask questions if they trust they won’t be reprimanded.  

DO: Look at ways to leverage technology, especially in the shadow IT discovery process. If you are relying solely on employees to report their SaaS, expect gaps.  

“Many enterprises have cutting-edge services and products that they are bringing to market, yet they use spreadsheets to log and track SaaS usage internally. What usually happens is the process falls apart quickly, as it’s cumbersome to maintain, not to mention inaccurate, because it relies on humans to report (or discover) SaaS in use. There are too many other things going on for an employee to be concerned about, not ‘did I report that app?’” remarked Lior.

Accounting for the Human Factor

Despite your best efforts, employees will inevitably access web-based tools, start trial subscriptions, and download new SaaS applications without authorization. While you can't always control their actions, you can manage their access.  

Because the acquisition of SaaS has shifted to a decentralized model across various business units, it's crucial to maintain a centralized approach to SaaS risk management. And what is the one constant in an ever-changing SaaS landscape? Identity.

Using identity as the central control point enables organizations to secure all SaaS applications and uncover shadow SaaS effectively—even when employees forget to report the tools they are using. Additionally, an identity-based (or “user-focused”) strategy puts IT back in control by providing visibility over your SaaS environment, so that you can identify and prioritize which apps need to be moved to SSO or require MFA. Finally, using identity as your control point mitigates the risks of shadow IT, empowering your workforce to embrace the benefits of SaaS without compromising security.

Gauging your Cyber Security Risks from Shadow IT

Shadow IT is prevalent in nearly every organization, highlighting the unmanaged risks that often fly below corporate radars and sabotage even the best cyber security strategies. Simply put, an organization cannot adequately assess or mitigate potential security threats without visibility into shadow accounts.  

Understanding and managing shadow IT risks begins with a thorough inventory of all digital assets; traditional approaches, like network or endpoint control tools, are incomplete, often missing the SaaS that is not connected to your IdP. A comprehensive approach is not just a compliance necessity but a fundamental step in uncovering and addressing your hidden vulnerabilities.  
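The two points above (identity as the control point for deciding which apps need SSO or MFA, and an inventory that is not limited to what the IdP already federates) can be made concrete with a small triage script. The following is an added example written for this article; it is not Grip's code or product logic. It assumes a constructed set of SaaS accounts discovered through identity signals (sign-up mail, OAuth grants), a constructed list of apps already federated in the IdP, an assumed 90-day threshold for "abandoned", and assumed risk weights; none of these values come from Grip data.

```python
"""Identity-centric shadow SaaS triage: example code added to this article, not Grip's product."""
from dataclasses import dataclass
from datetime import date

# Constructed sample data for this example; none of it comes from a real tenant or from Grip data.
TODAY = date(2024, 7, 25)       # reference date (the article's publication date)
ABANDONED_AFTER_DAYS = 90       # assumption: no sign-in for 90 days counts as abandoned

# Apps already federated in the identity provider (IdP), and whether MFA is enforced there.
IDP_APPS = {
    "Microsoft Teams": {"mfa_enforced": True},
    "Salesforce": {"mfa_enforced": True},
    "Jira": {"mfa_enforced": False},
}

# Data-sensitivity weight per app category (assumption: storage and GenAI tools hold the most data).
SENSITIVITY = {"storage": 2, "genai": 2, "project": 1, "collaboration": 1}


@dataclass
class Account:
    """One SaaS account tied to a corporate identity, as surfaced by sign-up mail, OAuth grants, etc."""
    user: str
    app: str
    auth: str          # "sso", "password", or "social" (e.g. "Sign in with Google")
    mfa: bool          # MFA enabled on the account itself
    last_login: date
    category: str


# Constructed inventory of discovered accounts (mirrors the article's shadow SaaS examples).
DISCOVERED = [
    Account("alice@example.com", "Microsoft Teams", "sso", True, date(2024, 7, 24), "collaboration"),
    Account("bob@example.com", "Zoom", "password", False, date(2024, 7, 20), "collaboration"),
    Account("carol@example.com", "Dropbox", "password", False, date(2024, 2, 1), "storage"),
    Account("dave@example.com", "Jira", "sso", False, date(2024, 7, 1), "project"),
    Account("erin@example.com", "GenAI Writer", "social", False, date(2024, 7, 22), "genai"),
    Account("frank@example.com", "Dropbox", "password", True, date(2024, 7, 23), "storage"),
]


def score_account(acct, idp_apps=IDP_APPS, today=TODAY):
    """Return (score, flags) for one account. Weights are an assumption, not a published model."""
    flags = []
    managed = acct.app in idp_apps
    if not managed:
        flags.append("NOT_FEDERATED")            # shadow SaaS: the IdP has no control point
    if acct.auth == "password":
        flags.append("PASSWORD_AUTH")            # local credential: weak/reused-password exposure
    if not (acct.mfa or (managed and idp_apps[acct.app]["mfa_enforced"])):
        flags.append("NO_MFA")
    if (today - acct.last_login).days > ABANDONED_AFTER_DAYS:
        flags.append("ABANDONED")                # forgotten accounts are easy to miss and to abuse
    weights = {"NOT_FEDERATED": 3, "PASSWORD_AUTH": 2, "NO_MFA": 2, "ABANDONED": 2}
    score = sum(weights[f] for f in flags) + SENSITIVITY.get(acct.category, 1)
    return score, flags


def recommended_action(flags):
    """Map flags to the controls the article names: SSO, MFA, or cleaning up the account."""
    if "ABANDONED" in flags:
        return "deprovision or reclaim the account"
    if "NOT_FEDERATED" in flags:
        return "onboard the app to SSO"
    if "NO_MFA" in flags:
        return "enforce MFA in the IdP"
    return "monitor"


def prioritize(accounts=DISCOVERED, idp_apps=IDP_APPS, today=TODAY):
    """Score every discovered account and return findings, riskiest first (stable for ties)."""
    findings = []
    for acct in accounts:
        score, flags = score_account(acct, idp_apps, today)
        findings.append({"user": acct.user, "app": acct.app, "managed": acct.app in idp_apps,
                         "score": score, "flags": flags, "action": recommended_action(flags)})
    return sorted(findings, key=lambda f: -f["score"])


def app_summary(findings):
    """Roll findings up per app so the inventory shows managed vs. shadow and the worst score."""
    summary = {}
    for finding in findings:
        entry = summary.setdefault(finding["app"],
                                   {"managed": finding["managed"], "accounts": 0, "max_score": 0})
        entry["accounts"] += 1
        entry["max_score"] = max(entry["max_score"], finding["score"])
    return summary


if __name__ == "__main__":
    for row in prioritize():
        print(f'{row["score"]:>2} {row["app"]:<16} {row["user"]:<20} '
              f'{row["action"]:<36} {", ".join(row["flags"])}')
```

Running it lists the long-abandoned, password-only Dropbox account first, then the unfederated Zoom and GenAI accounts, while the Jira account (federated but without MFA enforcement) surfaces as an "enforce MFA" item rather than as shadow SaaS. The per-app rollup is what feeds the asset inventory; in practice the `DISCOVERED` list would be populated from mail and OAuth-consent logs rather than typed in.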

To help you gain better control over your SaaS environment and uncover the shadow IT lurking within your organization, Grip offers a free shadow SaaS assessment. This assessment will provide valuable insights into your current SaaS usage and actionable steps to help you mitigate the risks associated with unmanaged and unauthorized applications. Take the first step towards a more secure and compliant SaaS landscape; schedule your assessment now.

FAQs about Shadow IT and Cyber Security Strategy

What is shadow IT and why is it a concern for businesses?

Shadow IT refers to the use of IT systems, devices, software, applications, and services without IT department knowledge or approval. Shadow IT is a concern because it can lead to security vulnerabilities, compliance issues, and fragmented IT management, increasing the risk of data breaches.

How can organizations detect and manage shadow SaaS effectively?

The first step is identifying the level of shadow SaaS that exists in your organization. Grip offers a free shadow SaaS assessment to get you started. Once you know your shadow SaaS and rogue accounts, prioritize the riskiest ones and begin remediating your risks. This is where technology can help—Grip SSCP streamlines this process and enables teams to secure SaaS, which would be too time-consuming or otherwise impossible to do manually. Related: 5 Steps to Detect and Control Shadow IT

How does shadow SaaS impact an organization's cyber security strategy?

Shadow SaaS significantly impacts an organization's cyber security strategy through the blind spots it creates. This lack of visibility makes it difficult to protect against threats and ensure regulatory compliance, and it leaves back doors open for bad actors to compromise weak passwords or abandoned accounts.

How much shadow SaaS does an organization have on average?

The level of shadow SaaS varies for every organization, but according to Grip data, it’s not uncommon for 80-90% of applications to be unknown and unmanaged. To discover the level of shadow SaaS that exists in your organization, schedule a free shadow SaaS assessment.
