Direct purchasing of SaaS applications and other non-approved software by employees is making it impossible to protect some organizational data, according to almost half of all executives surveyed in a recent poll.
The IBM/Forbes report also revealed that 60 percent of organizations exclude this problem—known as shadow IT—from their cybersecurity assessments. Unfortunately, the implications of this problem can be quite disastrous, including everything from data loss risks to unaccounted for spending.
What is shadow IT?
Shadow IT is the use of unauthorized or non-standard information technology solutions in organizations. Because software is so easy for anyone to acquire, employees can easily buy and use hardware and SaaS applications without notifying IT or obtaining budget approval.
What are the risks of shadow IT?
1. No oversight into spend
This is a big headache for finance teams and IT managers alike. Without accurate knowledge of IT spending, your finance team can’t brief the executive team with a full picture so they can make important decisions about IT resourcing. And as every modern business leader knows, IT touches every part of the business. When it’s not in good shape, this can create cascading problems across other departments.
2. IT redundancies and security risks
Shadow IT users may source new applications that overlap with existing solutions in your environment that IT has approved. Not only does this create redundancies across your cloud-first environment, but IBM reports that 46% of IT leaders believe that the purchase of unsanctioned software “makes it impossible to protect all their organization’s data”.
3. Data silos
Data needs to be a team sport. If your key people don’t have access to the same data about your operations, performance, and service levels then how can you make the right decisions together as a team? Data silos are one of the most pernicious outcomes of shadow IT, because they grow over time and can become harder and harder to cut back once they do.
4. Stranded financial data
Disorganized and disparate data is not just an in-house problem. As reported in CIO Magazine, shadow IT creates confusion across financial reporting systems, which puts your organization at risk for additional audit fees and SOX violations.
What causes shadow IT?
Employees tend to engage in shadow IT so that they can bypass the often slow and bureaucratic security policies created and enacted by the company's IT department. But there are myriad causes of shadow IT, which can include:
1. Internal frustration with IT services
Many employees turn to shadow IT out of frustration. This can happen when:
- An IT department is too slow to respond to service requests
- An IT department is hindered by legacy software that doesn't have the needed functionality
- An IT department isn’t providing modern solutions to the problems
2. The business or finance team has not set a clear IT expense policy
Many companies will have a budget set aside for software that fits the needs of each department. Unfortunately, some businesses lack an open policy that regulates how employees purchase and use devices and third-party apps. Others may have policies that are too strict, where they restrict access to useful solutions. This can bury the IT and accounting department in requests, approvals, and busywork. Along with these points, if there is oversight in creating an expense policy for IT, the following can happen:
- Budgets get misused since there aren’t clear policies established.
- Businesses can face a surge in unapproved software
- IT becomes consumerized in a way that makes shadow IT more attractive to employees.
3. Sign-offs and reimbursement are chaotic
Chaotic expense policies and reimbursement policies can be just as problematic as non-existent ones. If it’s too hard for a self-starting employee to get approval for a useful solution, then they’re going to take matters into their own hands. This can create a big issue for finance teams, where shadow IT casts an ever-growing darkness over expenditure that just can’t be seen until it reaches a crisis point.
4. Finance lacks control over IT spending
When employees are unsure if there are funds to pay for a new computer or other necessary expenses, employees will look for other options— and this can lead to maverick spend. Without a solid expense policy, or dedicated spend management solutions, staff have no idea if security devices or software applications are approved.
Examples of shadow IT
A common example of shadow IT is when employees buy devices or software for work that are not approved by the company expenses policy. Other examples of shadow IT include the unapproved purchases of:
- Physical devices such as flash drives
- Personal messaging apps on work devices
- Productivity apps like Asana and other cloud-based services
Shadow IT increases the risk of sensitive commercial data getting into the wrong hands, either through information-gathering activities in the background of apps, or through the obtaining of information by unauthorized employees within a network. Shadow IT represents a problem for all departments and should be tackled through proactive policy and practice-setting led by both the finance and IT departments.
How to reduce shadow IT and control spend in 5 steps
The good news is you can get shadow IT under control. And with more of your employees working from home and looking to find new ways to drive projects forward and maintain their productivity, it's more important than ever to address shadow IT early.
Step 1: Educate your employees about shadow IT
Shadow IT is a problem that can only be solved by employee education and awareness. Tell your teams about the risks associated with shadow IT by training them on security best practices. You can also:
- Ask employees to disclose the external solutions they are using to handle company data
- Task IT with establishing security protocols for the use of these applications
- Continuously monitor the use of these resources across the organization
Education will be far more effective than criticism, because after all, shadow IT users have genuine motivations. They just want to get their work done faster and more efficiently.
Step 2: Implement spend management automation
Left unchecked, shadow IT can be a tough process to wind back. Without digital spend management and oversight, it's practically impossible. Armed with the right software program, IT departments and finance teams can dramatically cut instances of shadow IT, by automating expense approvals and reporting.
Step 3: Set category spending limits in IT
Guardrails on IT spending can help too. For example:
- Give your employees the guardrails to buy and use only the very best tools for the job
- Restrict card spending to certain merchants or SaaS companies
- Cap purchase volumes in categories like SaaS, computer hardware, and apps
And don’t worry. Setting category spending limits is not about putting a brake on employee productivity or problem-solving. It’s about ensuring the right resources are used by the right people.
Step 4: Automate IT expense reconciliation
Expense reports take forever and are prone to errors. This is why instant reconciliation is a must-have, especially if it’s able to automatically collect, match, and categorize paper receipts in real-time.
Step 5: Transform IT reimbursement
Paying employees back for business-related expenses has always been a slow and cumbersome process. In fact, it’s one of the main drivers of shadow IT. Often, employees would rather power ahead, buy what they think they need, and ask for forgiveness or permission after the fact.
But now, you can streamline reimbursements by giving employees corporate cards like Ramp that are easy to customize with category limits, spending limits, and merchant limits too.
Bringing shadow IT into the light
When employees use software your IT department isn't aware of, it opens your business up to security risks and opens you up to zombie spend. Anyone who tells you that shadow IT is an easy problem to solve is not giving you the full picture.
While it can’t be eliminated, it can be radically reduced. You can educate staff, trust them and then verify their commitment by monitoring the expense reports and corporate credit cards given to anyone in the organization. Years ago, that would be a mammoth task. Today, modern spend management tools like Ramp have made shadow IT a far more manageable threat.
Are you ready to reduce the risks of shadow IT with better spend management? Get started with Ramp today.