
Shadow IT, SaaS Pose Security Liability for Enterprises

Software written or acquired outside of IT's purview is software that IT can't evaluate for security or compliance.

Eldar Tuvey, CEO, Vertice

April 21, 2023

[Photo: the shadow of a hand reaching for the handle of an old wooden door. Source: jozef sedmak via Alamy Stock Photo]

There's no denying that software-as-a-service (SaaS) has entered its golden age. Software tools have now become essential to modern business operations and continuity. However, not enough organizations have implemented the proper procurement processes to ensure they're protecting themselves from potential data breaches and reputational harm.

A critical component contributing to concerns around SaaS management is the rising trend of shadow IT: employees downloading and using software tools without notifying their internal IT teams. A recent study shows that 77% of IT professionals believe shadow IT is becoming a major concern in 2023, with more than 65% saying their SaaS tools are not going through an approval process. On top of the obvious concerns around overspending and disruptions to operational efficiency, organizations are beginning to struggle to maintain security as their SaaS usage continues to sprawl.

Unfortunately, ignoring shadow IT is no longer an option for many organizations. Data breaches and other security attacks are costing businesses $4.5 million on average, with many of them taking place due to an expanding software landscape. To combat shadow IT and the high risks that come along with it, organizations must gain greater visibility over their SaaS stacks and institute an effective procurement process when bringing on new software solutions.

Why Is Shadow IT Such a Liability?

All issues surrounding shadow IT can be traced back to an organization's lack of visibility. An unmanaged software stack gives IT teams zero insight into how sensitive company information is being used and distributed. Since these tools are not vetted properly and are left unmonitored, the data they store is not adequately protected by most organizations.

This creates the perfect conditions for attackers to seize important data, such as confidential financial records or personal details. Critical corporate data is at risk because most, if not all, SaaS tools require corporate credentials and access to an organization's internal network. A recent survey by Adaptive Shield and CSA shows that in the past year alone, 63% of CISOs have reported security incidents stemming from this type of SaaS misuse.

The Consequences of No Action

As noted above, the recurring theme that many businesses experience with shadow IT is the risk of a data breach. However, it is equally important to recognize the industry scrutiny that businesses face and the penalties they receive from regulators because of sprawling shadow IT. When unapproved software is added to an organization's tech stack, it likely fails to meet the compliance standards — such as the General Data Protection Regulation (GDPR), the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA) — that businesses must maintain. For organizations in strictly regulated industries, being penalized for compliance failures can cause irreparable reputational damage — a problem that cannot be fixed simply by paying the fine associated with the penalty.

On top of the costs associated with a security failure and the reputational damage a business receives, organizations are also oblivious to the wasted operational dollars spent on applications and tools. Unfortunately, it can be almost impossible for large organizations to uncover all the applications that the company never sanctioned due to complications like rogue subteams, departments self-provisioning their own software, or employees using corporate credentials to access freemium or single-seat tools.

So How Do We Fix the Shadow IT Dilemma?

The crucial first step for rectifying an organization's SaaS sprawl, and ensuring that shadow IT never puts it in a compromising position, is to gain visibility into the existing software stack. Without visibility, an organization is blind to which tools are being used and cannot make informed decisions about centralizing its software. IT teams should focus on bringing their software portfolio documentation up to date and recording each application's function, utilization, contract or subscription length, and cost.

Once this information has been gathered and brought up to date, IT teams can establish which tools are essential and where changes can be made. After cleaning house, businesses can create a centralized procurement system to ensure that all future purchases are coordinated across departments and that all security measures and compliance standards are continuously met, preventing security breaches and regulatory penalties. Keeping these records current lets organizations easily track all usage, minimizing wasted costs and security failures.
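To make the visibility step concrete, the following is an added example that is not code from the article or from Vertice. It reconciles a sanctioned SaaS inventory (the records the article says IT should keep: function, owner, contract end, cost, and approval status) against observed application usage, and reports the gaps a review is looking for: tools in use that were never sanctioned, paid-for tools nobody uses, contracts about to renew, and sanctioned tools that never cleared review. All application names, users, dates and costs are constructed, and the assumption that observed usage can be derived from corporate-credential sign-in records is mine, not the article's.

```python
"""Shadow IT reconciliation: sanctioned inventory versus observed usage.

Added illustration, not code from the article or from Vertice. All data is
constructed. Deriving "observed usage" from corporate-credential sign-in
records is an assumption; the article does not specify a data source.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class App:
    name: str
    function: str          # what the tool is for
    owner: str             # department that holds the contract
    contract_end: date     # end of the contract / subscription
    annual_cost: float     # USD per year
    approved: bool         # passed security / compliance review


# Constructed sanctioned inventory: the records the article says IT should keep.
INVENTORY = [
    App("CRM Suite", "sales CRM", "Sales", date(2024, 3, 31), 48000.0, True),
    App("DocShare", "file sharing", "IT", date(2023, 9, 30), 12000.0, True),
    # Self-provisioned by Finance and never reviewed (approved=False).
    App("ChartMaker", "dashboards", "Finance", date(2024, 1, 15), 6000.0, False),
]

# Constructed observed usage: (app name, user) pairs, assumed to come from
# corporate-credential sign-in records over the review window.
OBSERVED_USAGE = [
    ("CRM Suite", "alice"), ("CRM Suite", "bob"), ("CRM Suite", "carol"),
    ("DocShare", "alice"),
    ("NoteSync", "dave"), ("NoteSync", "erin"),   # never sanctioned: shadow IT
    ("PDFQuick", "bob"),                          # freemium single-seat tool
]


def reconcile(inventory, usage, today, expiry_window_days=90):
    """Return a report dict with the findings a SaaS visibility review surfaces."""
    known = {app.name: app for app in inventory}
    users_per_app = {}
    for app_name, user in usage:
        users_per_app.setdefault(app_name, set()).add(user)

    # 1. Shadow IT: in use under corporate credentials, absent from the inventory.
    shadow = sorted(name for name in users_per_app if name not in known)
    # 2. Wasted spend: sanctioned and paid for, but nobody used it this window.
    unused = sorted(app.name for app in inventory if app.name not in users_per_app)
    wasted_cost = sum(app.annual_cost for app in inventory if app.name in unused)
    # 3. Renewals coming up, so procurement can decide before auto-renewal.
    expiring = sorted(app.name for app in inventory
                      if 0 <= (app.contract_end - today).days <= expiry_window_days)
    # 4. Sanctioned tools that never cleared security / compliance review.
    unapproved = sorted(app.name for app in inventory if not app.approved)
    return {
        "shadow_it": shadow,
        "unused": unused,
        "wasted_annual_cost": wasted_cost,
        "expiring_soon": expiring,
        "unapproved_in_inventory": unapproved,
        "users_per_app": {k: len(v) for k, v in users_per_app.items()},
    }


def demo_report():
    """Run the reconciliation over the constructed data at a fixed review date."""
    return reconcile(INVENTORY, OBSERVED_USAGE, today=date(2023, 8, 1))


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

In practice the inventory would be exported from whatever system of record procurement uses, and the usage feed from the identity provider or expense system; the reconciliation logic is the same. Each finding maps to a decision the article calls for: shadow entries go to security review, unused entries to cost recovery, expiring entries to centralized procurement, and unapproved entries to compliance.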

The hardest obstacle for companies feeling the impact of shadow IT and overall SaaS sprawl is recognizing that they have a software management problem and committing to a solution. Between economic pressure and regulatory scrutiny, organizations no longer have the luxury of ignoring the growing concern of shadow IT and the types of software they use.

About the Author

Eldar Tuvey

CEO, Vertice

Eldar Tuvey is the CEO of Vertice, a SaaS purchasing platform that gives finance leaders cost control, efficiency, and flexibility with their software, where he is responsible for driving the company's strategic direction and growth. Prior to co-founding Vertice, Eldar co-founded and served as CEO of both Wandera and ScanSafe, after beginning his career at Goldman Sachs.
