Direct purchasing of SaaS applications and other non-approved software by employees is making it impossible to protect some organizational data, according to almost half of all executives surveyed in a recent poll. The IBM/Forbes report also revealed that 60 percent of organizations exclude this problem—known as shadow IT—from their cybersecurity assessments. Unfortunately, the implications of this problem can be quite disastrous, including everything from data loss risks to unaccounted for spending.
What is shadow IT?
Shadow IT is the use of unauthorized or non-standard information technology solutions in organizations. It’s sometimes called rogue IT or stealth IT. Basically, shadow IT is when employees buy and use hardware, apps, and SaaS outside of their organization's IT department knowledge or approved budget.
What are the risks of shadow IT?
Businesses shouldn’t underestimate the potential negative consequences of out-of-control shadow IT. And it’s not only a problem for a company’s IT team. It’s a concern for finance leaders, too, as these risks show:
1. No oversight into spend
This is a big headache for finance teams and IT managers alike. Without accurate knowledge of IT spending, your finance team can’t brief the executive team with a full picture so they can make important decisions about IT resourcing. And as every modern business leader knows, IT touches every part of the business. When it’s not in good shape, this can create cascading problems across other departments.
2. IT redundancies
Shadow IT users may even source new applications that compete with your approved ones. This increases your businesses overall technology costs because you are, in essence, paying for duplicate tools. For example, you might end up having multiple productivity tools because the approved one was viewed so poorly by users.
3. Data silos
Data needs to be a team sport. If your key people don’t have access to the same data about your operations, performance, and service levels then how can you make the right decisions together as a team? Data silos are one of the most pernicious outcomes of shadow IT, because they grow over time and can become harder and harder to cut back once they do.
4. Stranded financial data
Troublingly, disorganized and disparate data is not just an in-house problem. It can get businesses in trouble with customers, investors, and regulators too. As reported in CIO, shadow IT can lead to huge problems, such as multiple financial systems reporting different financial results, which in turn lead to audit fees and even SOX violations, which are financial penalties for masking misleading filings.
5. Data security risks
Another big problem? Shadow IT can open companies up to data loss and data breaches. The IBM/Forbes report notes that 13 percent of organizations have lost data, faced downtime, or experienced other IT security-related problems due to incidents with a cloud-service provider. Even worse? 58 percent of these incidents were security breaches.
Data loss may occur when employees take copies of sensitive data outside their company or store data on their own devices, such as physical drives, smartphones, or laptops. They can also occur when employees are not aware of—or fail to follow—security protocols such as password authentication.
What causes shadow IT?
Employees tend to engage in shadow IT so that they can bypass the often slow and bureaucratic security policies created and enacted by the company's IT department. But there are myriad causes of shadow IT, which can include:
1. Staff are frustrated with IT services
Many employees turn to shadow IT out of frustration. This can happen when:
- An IT department is too slow to action service requests
- An IT department is hindered by legacy software that doesn't have the needed functionality
- An IT department isn’t providing modern solutions to the problems
But sometimes, the causes of shadow IT can fall on inaction by the finance team as well.
2. The business or finance team has not set a clear IT expense policy
Many companies will have a budget set aside for software that fits the needs of each department. Unfortunately, some businesses lack an open policy that regulates how employees purchase and use devices and third-party apps. Others may have policies that are too strict, where they restrict access to useful solutions. This can bury the IT and accounting department in requests, approvals, and busywork. Along with these points, if there is oversight in creating an expense policy for IT, the following can happen:
- Budgets get misused since there aren’t clear policies established.
- Businesses can face a surge in unapproved software
- IT becomes consumerized in a way that makes shadow IT more attractive to employees.
3. Sign-offs and reimbursement are chaotic
Chaotic expense policies and reimbursement policies can be just as problematic as non-existent ones. If it’s too hard for a self-starting employee to get approval for a useful solution, then they’re going to take matters into their own hands. This can create a big issue for finance teams, where shadow IT casts an ever-growing darkness over expenditure that just can’t be seen until it reaches a crisis point.
4. Finance lacks control over IT spending
When employees are unsure if there are funds to pay for a new computer or other necessary expenses, employees will look for other options— and this can lead to maverick spend. Without a solid expense policy, or dedicated spend management solutions, staff have no idea if security devices or software applications are approved.
Examples of shadow IT
A common example of shadow IT is when employees buy devices or software for work that are not approved by the company expenses policy. Other examples of shadow IT include the unapproved purchases of:
- physical devices such as flash drives
- personal messaging apps on work devices
- productivity apps like Asana
- and other cloud-based services
Shadow IT increases the risk of sensitive commercial data getting into the wrong hands, either through information-gathering activities in the background of apps, or through the obtaining of information by unauthorized employees within a network. Shadow IT represents a problem for all departments and should be tackled through proactive policy and practice-setting led by both the finance and IT departments.
How to reduce shadow IT and control spend in 5 steps
The good news is you can get shadow IT under control. And with more of your employees working from home and looking to find new ways to drive projects forward and maintain their productivity, it's more important than ever to address shadow IT early.
Step 1: Educate your employees about shadow IT
Shadow IT is a problem that can only be solved by employee education and awareness. Tell your teams about the risks associated with shadow IT by training them on security best practices. You can also:
- Ask employees to disclose the external solutions they are using to handle company data
- Task IT with establishing security protocols for the use of these applications
- Continuously monitor the use of these resources across the organization
Education will be far more effective than criticism, because after all, shadow IT users have genuine motivations. They just want to get their work done faster and more efficiently.
Step 2: Implement spend management automation
Left unchecked, shadow IT can be a tough process to wind back. Without digital spend management and oversight, it's practically impossible. Armed with the right software program, IT departments and finance teams can dramatically cut instances of shadow IT, by automating expense approvals and reporting.
Step 3: Set category spending limits in IT
Guardrails on IT spending can help too. For example:
- Give your employees the guardrails to buy and use only the very best tools for the job
- Restrict card spending to certain merchants or SaaS companies
- Cap purchase volumes in categories like SaaS, computer hardware, and apps
And don’t worry. Setting category spending limits is not about putting a brake on employee productivity or problem-solving. It’s about ensuring the right resources are used by the right people.
Step 4: Automate IT expense reconciliation
Expense reports take forever and are prone to errors. This is why instant reconciliation is a must-have, especially if it’s able to automatically collect, match, and categorize paper receipts in real-time.
Step 5: Transform IT reimbursement
Paying employees back for business-related expenses has always been a slow and cumbersome process. In fact, it’s one of the main drivers of shadow IT. Often, employees would rather power ahead, buy what they think they need, and ask for forgiveness or permission after the fact.
But now, you can streamline reimbursements by giving employees corporate cards like Ramp that are easy to customize with category limits, spending limits, and merchant limits too.
Bringing shadow IT into the light
When employees use software your IT department isn't aware of, it opens your business up to security risks and opens you up to zombie spend. Anyone who tells you that shadow IT is an easy problem to solve is not giving you the full picture.
While it can’t be eliminated, it can be radically reduced. You can educate staff, trust them and then verify their commitment by monitoring the expense reports and corporate credit cards given to anyone in the organization. Years ago, that would be a mammoth task. Today, modern spend management tools like Ramp have made shadow IT a far more manageable threat.
Are you ready to reduce the risks of shadow IT with better spend management? Get started with Ramp today.