Shadow IT and Software-as-a-Service (SaaS) Sprawl Explained

These days, there's an app or a SaaS (Software-as-a-Service) for everything you might need or want in business. And in most ways, that's a great thing. SaaS in particular offers what's often an affordable, easy-to-get-started solution to almost anything you might need to get your job done, from graphic design to data aggregation and analysis.  

But those are also exactly the reasons you want to know about Shadow IT and SaaS sprawl, including what the risks are, how to uncover them, and how to manage them in your organization. 

What is Shadow IT? 

Shadow IT is the general term for any technology in use at your organization that is "outside the ownership or control of IT", whether that's your in-house IT staff or your external IT partner—or both (Gartner). Shadow IT has grown exponentially in the past decade, alongside cloud services and Software-as-a-Service (SaaS) growth. 

Your employees are typically not up to anything nefarious when they're using unauthorized tech. They often don't even realize it's an issue; they're simply trying to find and use tools (quickly) that help them execute their jobs. In fact, the most common reason you likely have Shadow IT in your business is that your employees are trying to get things done more efficiently, and self-sufficiently.  

While efficiency, self-sufficiency, collaboration, affordability, and ease are all huge benefits of SaaS services, Shadow IT opens up your small and mid-sized business to serious cybersecurity risks, including data leaks, expanded access to cybercriminal attacks, compliance violations, and more.  

If a technology is being used as Shadow IT, this means its level of security and data protection is unknown, making it a risk. For example, are employees asked to share personally identifiable information within an app? What about customer data? Are files being shared? What kind of data is being shared and stored in the Cloud? If it's sensitive, your business is being left open to data breaches, data theft, malware attacks, regulatory and compliance violations, and more cybersecurity risks. 

What Does Shadow IT Look Like in Your Business? 

Shadow IT Can Take the Form of Nearly Any Technology: 

• Hardware 
• Cloud-based Software, including Software as a Service (SaaS) 
• Off-the-shelf software, although this has grown rarer as SaaS offerings have taken off 

Hardware 

Common devices: 

• External Hard drives 
• Flash drives 
• Tablets and smartphones 

What Makes Hardware a Common Source of Shadow IT? 

Whether employees are remote, in-office, or hybrid, there's now often a co-mingling of personal devices with company-issued devices. Personal smartphones and tablets are used for work activities by everyone from salespeople to HR, especially with the rise in Bring Your Own Device policies. And it's the very nature of techs' omnipresence in our lives that has collapsed these boundaries between work and personal devices. 

But many of the applications in use on these devices track personally identifiable information. Passwords and levels of security in use on these devices may not meet your company's IT standards. And they simply represent another potential point of access to your network, financials, and protected information.  

Cloud Tools and Software, including SaaS: 

Productivity & Collaboration: 

• Microsoft Sharepoint
• Slack 
• ClickUp 
• Trello 
• Asana 

Messaging & Communications: 

• WhatsApp 
• Skype 
• Zoom 
• Microsoft Teams

Cloud Storage and File-Sharing: 

• Microsoft OneDrive
• Google Suite 
• Dropbox 

The growth of the Cloud and SaaS offerings has paired with the increase in remote work to make collaboration from anywhere possible. But this growth in SaaS use, along with the level of comfort with it, has also led to a substantial increase in Shadow IT. 

Understanding this goes back to understanding that your employees are quickly trying and installing these SaaS tools to better do their jobs and collaborate with their colleagues, partners, and vendors.  

Zoom is a perfect example. Its "freemium" model makes it free to sign up for but requires a paid subscription for calls longer than 40 minutes. It's also now ubiquitous after the pandemic and likely used within your business even if your company officially uses a different application for web meetings. Why? Often, vendors and partners use a service like Zoom for virtual meetings, and your employees sign up so they can collaborate there. You may even see a situation where multiple employees have Zoom accounts they're paying for, separately from each other and unknown to IT. 

Which brings us to one of the key risks of Shadow IT: SaaS Sprawl. 

What is SaaS Sprawl?

SaaS Sprawl is exactly what it sounds like: it's when the number of SaaS applications reaches a point where they can no longer be managed effectively. This carries a few risks: 

• Unnecessary or Redundant Spend: Take our Zoom example. If you have multiple employees signed up for the same SaaS application, separately, your business may be wasting money or losing out on buying power, as SaaS companies often offer price breaks for business seats. Let's also say that your organization has officially been paying for and using a different virtual meeting application. But your employees have been using Zoom and prefer it. This is a situation where your IT department could run an organizational analysis and help bring the entire business together onto the same SaaS platform, eliminating the other and the additional cost.

• Data Sprawl: With SaaS sprawl, you often also see data sprawl. When your organization is using many different applications that aren't all talking to each other, your data gets more difficult to manage, use, and analyze. This can make anything from accounting to forecasting, lead management, and customer service more difficult.

• Reduced Security and Compliance: Any device or application connected to your company's network represents another potential access point for a cybercriminal. 

The Opportunities in Shadow IT and SaaS Sprawl 

You want to perform a Shadow IT discovery in your business, so you can get a handle on all the different devices and applications in use and make sure they're secure. But Shadow IT isn't all bad: it also represents some opportunities.  

Coming up with a plan and process for managing Shadow IT and SaaS sprawl also opens up an opportunity to analyze your IT protocols and policies. For example, is one of the reasons you're seeing these issues because IT approval processes are too lengthy, time-consuming, or restrictive? While you want employees to follow IT policies to ensure business and data security, you also don't want IT to be getting in the way of them doing their jobs.  

This is a moment for the entire business to come together with IT, evaluate what's working and what's not, and develop policies that work for everyone

It's also a moment to analyze how your employees are using (or aren't using) devices and software and come up with a process to analyze and approve the tech tools to meet their needs, while eliminating those that are redundant or ineffective. 

How to Reduce the Risks of Shadow IT 

Is Shadow IT risky and potentially expensive? Yes and yes. Along with SaaS Sprawl, the risks of Shadow IT include data protection and loss, expanded attack surfaces, and increased costs. 

Shadow IT grows out of a lack of knowledge on both employees and IT's part. The good news is it's also illuminating, shining a light on employees' needs and the tools they value. The best approaches to reduce shadow IT risk take this into consideration, establishing policies that both protect and empower while bringing employees along through education so they view them less as restrictive and more as protective of the team and organization as a whole. 

Fortunately, you can also take control of it and reduce it by following a three-pronged approach: technology, employee education, and policy. In our Guide How to Reduce the Risks of Shadow IT, we'll walk you through exactly how to discover Shadow IT in your business and take control of it.