As CISOs continue to grapple with the enduring risks posed by Shadow IT, the emergence of generative AI technology and new, stricter regulations have added urgency to the need for IT departments to prioritise the monitoring and governance of SaaS applications.
Shadow IT is not a recent issue. However, IT departments are generally only aware of a third of the SaaS applications in use, as highlighted in the Gartner Market Guide 2022. This lack of knowledge poses significant risks and challenges within an organisation. Gartner's projections indicate that those who fail to establish centralised visibility and effectively manage SaaS lifecycles could face at least a 25% overspend on SaaS by 2027, as well as a five-fold increase in exposure to cyber risks and potential data loss.
The risks stemming from using SaaS applications vary from security and compliance concerns to financial implications, as well as operational and efficiency challenges.
Security Risks
Shadow IT poses severe security threats: these unapproved applications operate outside the organisation's security controls, making them targets for cyberattacks and data breaches. Randori's State of Attack Surface Management 2022 report reveals that nearly 70% of organisations were compromised through shadow IT in the past year because the IT department lacked visibility over its IT assets. Additionally, IBM's 2022 findings show that 45% of companies suffered cloud-based data breaches, costing an average of $4.35 million.
Compliance Concerns
Shadow IT exposes organisations to compliance risks, since these applications often escape scrutiny. Regulations like GDPR and industry standards like HIPAA and DORA require meticulous compliance, especially for large enterprises subject to rigorous oversight. In a recent example, in August 2023, the Commodity Futures Trading Commission ordered four financial institutions to pay $260 million for using non-approved methods of communication (WhatsApp, Signal…) for business-related communications, in violation of firm policy.
Financial Implications
Apart from compliance fines and data breach costs, unknown applications can lead to overspending on unused IT resources. According to Gartner, companies will overspend $750 million on unused features of IT software this year alone. This complicates IT budget management, particularly in larger enterprises, where SaaS usage has surged by 30-40%. It has become urgent for organisations to assess the risks associated with the use of these applications and implement appropriate security measures.
Lack of Operational Efficiency
Shadow IT can affect the information system (IS) and bring unexpected challenges for IT teams, because it is adopted with no planning and without regard for good IT practice. This forces the technical team to provide unanticipated support, including setting up workflow configurations, identifying risks, managing data, and so on: all tasks that could have been avoided with prior consultation. The result is that end-users and IT teams are diverted from their core tasks, and frustration and tension build between teams: business units (BUs) blame IT for not providing the necessary tools and visibility, while IT points fingers at the business for not adhering to established guidelines and protocols. It has become crucial for IT departments to address these risks and educate BUs more effectively, as they operate in an increasingly complex and regulated environment, particularly in the European market, where regulations are stricter.
The IT landscape has changed radically over the past few years. The new tech-savvy generations have made SaaS applications an intrinsic part of working habits. At the same time, shadow IT has taken hold in organisations, with dangers that can have far-reaching consequences.
However, it would be counter-productive to ban the use of these applications in order to control the spread of Shadow IT. IT leaders face a very complex challenge: striking a balance between robust IT governance and the autonomy needs of business users. To achieve this, IT teams need to establish a governance framework that realises the full potential of this technology while minimising its risks.