Sep 16, 2024
You can’t protect or manage what you can’t see. That’s the basic premise that makes shadow IT so dangerous for organizations. Without insight into the hardware and software (including SaaS apps) that employees are using, IT teams can’t effectively manage risk. The trouble, of course, is that many organizations don’t know how big a problem shadow IT is.
To better understand the scale of the challenge on the ground, and ways of combating it, AccessOwl spoke to IT leaders at several startups.
How big a challenge is it?
For Airtower Networks IT Manager Derek McGee, shadow IT is a problem for virtually all organizations, “especially any company that's remote, with company credit cards that are not monitored very well.”
Shadow IT is not always a deliberate attempt to circumvent IT, but it can still create serious security and compliance blind spots. One 2023 study revealed that 11% of security incidents over the previous two years were attributable to shadow IT.
“People are well meaning. They just either don't read or don’t think it's a big deal. Or they just double click on their Google account,” argues Felix Naepels, former Head of Internal IT at Pigment. “I usually assume no ill intent with people, but the truth of the matter is, until you enforce a policy, it's going to keep happening.”
There’s also a potential cost involved, beyond security and compliance risk, says Lukasz Jaroszuk, Certified IT Manager at Kaia Health.
“I saw a team of four people, and they were using three different tools which had the exact same functionality. They just had different logos on them, but the functionality was exactly the same,” he explains. “Someone was bringing the knowledge of the tool from a previous company, and because he was able to purchase it and the company allowed it, they just went with that tool.”
Yet if organizations want to get certified for industry best-practice standards, they’ll need to get a handle on shadow IT, argues Akash Gopani, IT Ops Lead at Reveal.
“If the company's financial position is good, it probably won't really look at the spend,” he says. “But it's good to [control shadow IT], because sometimes when you go for a standard certificate — not just ISO but any operational certificate — they look at how the business operates, and how organized it is. Those things become more important as the company grows.”
Five steps to tackling shadow IT
IT practitioners AccessOwl spoke to gave the following advice:
1) Do your research
Airtower Networks’ McGee advises new leaders in IT to begin by asking their employees what IT resources they use, with something as simple as a (mandatory) Google form.
“Ask them everything — including which platforms they're using, which types of devices they're using, and what their pain points are. If they could do something different, what would they do?” he says. “That gives you a better idea of what solutions to pick out for them.”
For anything that doesn’t appear on the list, follow the money, he adds.
“I worked with the CFO and had his team check receipts for anything that was software-based — or any type of IT-branded device or solution. There was a lot of stuff that showed up on that list that people didn't mention.”
Khoi Pham, IT and Compliance Lead at Coda, agrees that documenting what’s in use is the essential first step to tackling shadow IT.
“There are certain risk appetites which determine how strict you want to be. There are processes which you can get your finance and legal team to agree to, where they don’t pay any reimbursements related to software unless they’re approved by IT — although people can still sign up for free tools,” he explains. “There are definitely challenges to figuring this out, but it all comes down to alignment between your teams.”
2) Work with vendors
Airtower Networks’ McGee has also had success reaching out to third-party software vendors for help in reducing duplicate licenses and switching users from consumer to corporate-grade accounts.
“Now I've got things worked out with Adobe, DocuSign and Dropbox, so that every so often I'll reach out to them and have them scan their databases for our domain,” he explains. “If they see anything outside of our corporate licensing, they let me know about it.”
3) Use a ticketing system
McGee has also used a corporate ticketing system to good effect.
“In our ticketing system, I created a request form so that all purchases, even if it’s a USB drive for your computer — anything that’s software or access-based, needs to come through this ticket,” he explains.
4) Collaborate across the organization
Several IT leaders AccessOwl spoke to say they use Google Workspace OAuth sign-in data to track shadow IT usage. For example, Pigment’s Naepels says, “You can see a whole list of social logins by Google to tools you haven't procured or that are free, so you can control things.”
However, collaboration with other functions, including finance and even the IT helpdesk, can also be key to success.
“I would review what apps are being signed into through our OAuth on a regular basis, and just keep an eye on things,” explains former Drivemode IT Manager Erik Ours. “But you have to involve everybody in the company. Here’s IT, here’s finance, here’s HR, and here’s the core management team. You better be working cohesively with one another, or it's not going to work.”
TrueLayer IT Manager, Liam Williamson, also collaborates across the organization.
“We had to work with our finance department because, when I joined, anyone could sign up to any piece of software, pay for it on their credit card, and then expense that back to the company,” he explains. “So we used OAuth in Google Workspace to see what people were trying to log into and just built a glorious spreadsheet of all these different apps.”
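The “glorious spreadsheet” Williamson describes can be generated rather than maintained by hand. The script below is an added example written for this article, not code from TrueLayer, Google or AccessOwl: it reads OAuth token-authorization events, builds an inventory keyed by OAuth client ID, drops users who later revoked access, and ranks the apps IT has not approved by how sensitive the granted scopes are and how many people granted them. The event lines are constructed and only loosely shaped after the app name, client ID and scope fields of Google Workspace token audit events; the exact field names, the allowlist and the scope-risk weights are assumptions to adapt to your own export.

```python
"""Inventory third-party OAuth apps from Google Workspace token events.

Added example: builds an app inventory from authorize/revoke events,
compares it against an allowlist of reviewed client IDs and ranks the rest
by granted-scope sensitivity and user count, then renders a CSV. All data,
field names, the allowlist and the risk weights are constructed assumptions.
"""
import csv
import io
import json
from collections import defaultdict

# Constructed events (not real data); one JSON object per line.
TOKEN_EVENTS = """\
{"actor":"alice@example.com","event":"authorize","app_name":"Figma","client_id":"111.apps.googleusercontent.com","scopes":["openid","email","profile"]}
{"actor":"bob@example.com","event":"authorize","app_name":"PDF Magic Converter","client_id":"222.apps.googleusercontent.com","scopes":["openid","https://www.googleapis.com/auth/drive"]}
{"actor":"carol@example.com","event":"authorize","app_name":"PDF Magic Converter","client_id":"222.apps.googleusercontent.com","scopes":["openid","https://www.googleapis.com/auth/drive"]}
{"actor":"dave@example.com","event":"authorize","app_name":"Mail Merge Helper","client_id":"333.apps.googleusercontent.com","scopes":["https://mail.google.com/","https://www.googleapis.com/auth/contacts.readonly"]}
{"actor":"erin@example.com","event":"authorize","app_name":"Trello","client_id":"444.apps.googleusercontent.com","scopes":["openid","email"]}
{"actor":"erin@example.com","event":"revoke","app_name":"Trello","client_id":"444.apps.googleusercontent.com","scopes":["openid","email"]}
"""

# OAuth client IDs IT has procured or reviewed (constructed assumption).
APPROVED_CLIENT_IDS = {"111.apps.googleusercontent.com"}

# Scopes that grant access to data rather than just identity, with a rough
# weight. The scope strings are real Google scopes; the weights are assumed.
SCOPE_RISK = {
    "https://mail.google.com/": 3,                               # full mailbox
    "https://www.googleapis.com/auth/drive": 3,                  # full Drive
    "https://www.googleapis.com/auth/gmail.readonly": 2,
    "https://www.googleapis.com/auth/contacts.readonly": 1,
}


def build_inventory(events_text: str) -> dict[str, dict]:
    """Return {client_id: {"app_name", "users": set, "scopes": set}},
    removing a user again when a later event shows them revoking access."""
    inventory: dict[str, dict] = defaultdict(
        lambda: {"app_name": "", "users": set(), "scopes": set()}
    )
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        app = inventory[ev["client_id"]]
        app["app_name"] = ev["app_name"]
        if ev["event"] == "authorize":
            app["users"].add(ev["actor"])
            app["scopes"].update(ev["scopes"])
        elif ev["event"] == "revoke":
            app["users"].discard(ev["actor"])
    return dict(inventory)


def scope_risk(scopes: set[str]) -> int:
    """Highest weight among the granted scopes; identity-only scopes score 0."""
    return max((SCOPE_RISK.get(s, 0) for s in scopes), default=0)


def unapproved_apps(inventory: dict[str, dict], approved: set[str]) -> list[dict]:
    """Apps not on the allowlist that still have at least one active user,
    riskiest and most widely used first."""
    rows = [
        {
            "client_id": cid,
            "app_name": app["app_name"],
            "users": len(app["users"]),
            "risk": scope_risk(app["scopes"]),
            "scopes": " ".join(sorted(app["scopes"])),
        }
        for cid, app in inventory.items()
        if cid not in approved and app["users"]
    ]
    return sorted(rows, key=lambda r: (-r["risk"], -r["users"], r["app_name"]))


def to_csv(rows: list[dict]) -> str:
    """Render the ranked findings as CSV for the shared spreadsheet."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["app_name", "client_id", "users", "risk", "scopes"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(unapproved_apps(build_inventory(TOKEN_EVENTS), APPROVED_CLIENT_IDS)))
```

Keying on the client ID rather than the display name matters because an app name is chosen by the developer and can collide with or imitate an approved tool, while the client ID is what Workspace actually authorized. Re-running this on each export gives the regular review Ours describes, with the scope column telling you which unapproved apps can read mail or Drive and therefore deserve attention first.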
5) Consider a password manager
“When we introduced a password manager, we found a lot of [shadow IT] tools being used by different teams,” says Kaia Health’s Jaroszuk. “We saw if there was a duplication and how we were overpaying for stuff. It's unbelievable, and it caused a ripple effect in finance.”
There’s clearly no silver bullet for solving the shadow IT challenge. But IT leaders need to better understand how different technologies — and especially SaaS apps — are used in their organization, in order to minimize security and compliance risk. Fortunately, automated solutions like AccessOwl exist to take the pain out of the process.