Jul 17 2018
What Real-World Problems Does Shadow IT Create? Known Issues And Horror Stories
Alpin is now CoreSaaS.
In a recent blog post, we explored just how much of an issue shadow IT has become. The numbers do not lie. Shadow IT has permeated everywhere. But is it truly a problem in need of a solution?
In this post, you can read about real-world issues many companies can expect from shadow IT. We also share some egregious shadow IT situations we’ve encountered.
Shadow IT Issues You Could Expect At Most Companies
Data security – Access from former employees, breaches, bad permissions, etc.
How can you deprovision software you don’t know about? That’s one of many data security risks associated with shadow IT. Unknown software may also store sensitive information. And, as we’ve been hearing about with Gmail, users may inadvertently grant third-party permissions that outlive the employee’s tenure.
Regulatory and customer audit compliance – SOX, GLBA, HIPAA, GDPR, etc.
Shadow IT can potentially violate regulations. Many regulations touch on data flows or storage. Storing data in unknown and potentially unvetted places may result in violations during an audit, which could result in a range of damaging regulatory consequences. Likewise, some clients may have requirements tied to these regulations and depend on you, their vendor, to maintain compliance. Violations could not only impact compliance, but client relationships and bottom-line revenue.
License compliance – When freemium or shared accounts put your contract in jeopardy
We cover some of this in more detail in another post on SaaS license compliance. As users come on board, they may not know a paid or premium account is available to them for a particular app. Then they sign up for a freemium product. Some software contracts do not allow this. Nor do they allow accounts shared by multiple users (such as marketing@, accounting@, etc.). Shadow IT hides these non-compliant actions and may create problems later.
Cost overruns – It’s getting expensed rather than negotiated, over-provisioned, etc.
With such a large percentage of IT spend now being shadow IT – 30-50% depending on what study you look at – cost overruns come with the territory. This can take the form of a team expensing a solution for a product category that’s already covered by an enterprise agreement. Or perhaps employees can easily add themselves as users without authorization, leading to paying for many more licenses than anticipated.
Misallocated costs – finance and accounting need accuracy
Shadow IT, depending on how it ends up being paid for, may skew reporting and create extra work. Time-consuming year-end reconciliations and audits create additional soft costs from shadow IT. Avoid wasting accounting’s time or resources on redundant tasks.
Missed goals or targets – it’s someone’s job to save the company money
Purchasing departments may need to cut costs in categories or see savings realized through enterprise agreements. If they miss savings targets by department or category, it may produce unintended consequences or cost-cutting activities.
Loss of respect for IT – Perception problems from the top down
Left unchecked, how does shadow IT change the perception of IT departments or leadership? Unless there is a plan or processes in place to address shadow IT, then CIOs or other leaders could look “asleep at the wheel.” If any of the above issues become large enough to create waves within a company, there is a strong chance IT may be blamed for “letting” things get out of control.
Shadow IT Horror Stories We Wish Weren’t True – And How Alpin Helped
You don’t hear about every breach that happens or see what happens downstream as a result of breaches. Here are a few we can share, minus some of the finer details.
Security and compliance – Access to executive emails
A gaming site subscription had full access to many company email inboxes, including access to CEO and CFO inboxes and all their sensitive contents.
Solution: Alpin discovered the offending app and permissions that led to the situation, and provided the tools to solve it.
License compliance and cost overruns – Many duplicate apps
At one company, many teams had their own Slack domains, and they were all unaware that a corporate Slack account existed. Costs overlapped and added up.
Similarly, another organization found not one, but five duplicate project management apps outside of IT’s purview, spread throughout the company. This created massive cost overlap and security vulnerabilities (we don’t know how much sensitive data may have been stored in the other apps).
Solution: Alpin’s extensive discovery tools identified these otherwise hidden instances, giving IT the data and contact information needed to remedy these issues.
Security and compliance – Access to executive files
A finance director, through a cloud file storage app, was sharing a root-level folder with outside parties. That inadvertently provided access to detailed financial statements that would never be released publicly or shared. Salaries, P&L, and more were unintentionally exposed.
A team’s files, folders, and discussions were made completely public rather than internal and read-only – this made financial files and other sensitive information indexable by search engines.
Solution: Alpin’s discovery and cloud Data Loss Prevention (DLP) tools provided the information needed to pinpoint the data leakage and change the relevant settings.
Cost overruns and worse – Multiple examples of a scary lack of oversight
A large technology company’s ex-employees – up to three years gone – had access to multiple cloud apps, including the company’s CRM. Not only was this a waste of money, it put years of potentially sensitive information at risk.
An expense and approval system kept IT and procurement in the dark about cloud software purchases. A manager approved employees’ software expenses without intervention or detailed purchase audits.
Solution: Alpin discovered these mystery users and programs with tools previously unavailable to IT leadership. With knowledge in-hand, IT could address or correct these issues.
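The recurring pattern in these stories (seats still active for long-departed staff, a third-party app holding mailbox access, a root folder shared outside the company) can be caught by reconciling a SaaS inventory against the HR roster. This is an added illustration in Python, not Alpin’s code; the record layout, scope names and roster format are assumptions, and all data is constructed.

```python
from datetime import date

# Constructed HR roster: login -> termination date (None = still employed).
ROSTER = {
    "cfo": None,
    "j.doe": date(2015, 6, 30),   # gone about three years by July 2018
    "a.lee": None,
    "m.ray": date(2018, 3, 1),
}

# Constructed inventory records, in the shape a discovery export might use.
# kind: "account" = a seat in an app, "oauth" = a third-party grant on a
# mailbox, "share" = a cloud-storage folder share.
RECORDS = [
    {"kind": "account", "app": "CRM", "user": "j.doe"},
    {"kind": "account", "app": "CRM", "user": "a.lee"},
    {"kind": "oauth", "app": "Gaming Site", "user": "cfo",
     "scopes": ["mail.read", "profile"]},
    {"kind": "oauth", "app": "Calendar Helper", "user": "a.lee",
     "scopes": ["calendar.read"]},
    {"kind": "share", "app": "Cloud Drive", "user": "m.ray",
     "path": "/", "audience": "external"},
    {"kind": "share", "app": "Cloud Drive", "user": "a.lee",
     "path": "/Team/Reports", "audience": "internal"},
]

# Assumed scope names that grant a third party access to mail contents.
SENSITIVE_SCOPES = {"mail.read", "mail.readwrite", "mail.send"}


def audit(records, roster, today):
    """Return (app, user, reason) findings for every risky record."""
    findings = []
    for r in records:
        term = roster.get(r["user"], "unknown")
        if term == "unknown":
            findings.append((r["app"], r["user"], "user not in HR roster"))
        elif term is not None:
            days = (today - term).days
            findings.append((r["app"], r["user"],
                             f"terminated {days} days ago, access still active"))
        if r["kind"] == "oauth" and SENSITIVE_SCOPES & set(r["scopes"]):
            findings.append((r["app"], r["user"],
                             "third-party app holds mailbox scope"))
        if r["kind"] == "share" and r["audience"] != "internal" and r["path"] == "/":
            findings.append((r["app"], r["user"],
                             "root folder shared outside the company"))
    return findings


if __name__ == "__main__":
    for app, user, reason in audit(RECORDS, ROSTER, date(2018, 7, 17)):
        print(f"{app:15} {user:8} {reason}")
```

Each finding names the app and the user, which is the contact information IT needs to start deprovisioning or renegotiating; the roster lookup also surfaces seats held by logins HR has never heard of.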
Compliance and cost concerns – it starts by finding the apps
After a recent data breach from a cloud software provider, multiple companies wanted to know if they were affected. Without Alpin, they had no way to know, for sure, if their users were exposed by the vendor’s breach. With Alpin, they got notifications about the affected app, as well as who was using it, so they could lock down their exposure.
Another company found over 3,000 SaaS apps when they expected to find a few hundred.
Solution: Whether it’s general discovery or looking for a specific app, Alpin sheds light on cloud software ecosystems. Solving shadow IT problems starts with good discovery.
Surprise – careful planning and resource allocation vs. human nature
Much in the manner we described in our latest post, a small trial of a video conferencing app quickly spread department-wide, and could have spread enterprise-wide. It was an expensive solution that was not subject to negotiation or cost controls. A department head even committed IT to supporting the new application, taking IT completely by surprise.
Solution: Alpin can track down all instances of the new application to help sort out the prickly situation. In this case and others, knowledge is power. Revealing shadow IT serves as a powerful tool for IT leadership.
What Can You Do? – More to Come
You may have seen our blog post covering some top things IT Management can do to wrangle shadow IT – namely, discover it and govern it.
In the next post in this series, we’ll be taking a deeper dive into what IT leadership can do in this new environment. Tentatively, we’re calling it “How IT Can Take A Leadership Role In The Era Of Shadow IT.” I’ll add the link here when it goes live.