m@ksim.pro

Shadow SaaS subscriptions: a management risk that grows quietly

Employees connect cloud services without telling IT. I look at why this has become a systemic problem and how to manage it.

Three years ago, connecting a new service at a company meant going to the IT department, getting approval, waiting for installation. Slow, but controlled. Today an employee can sign up for a new cloud service, pay with the company card, and start working in fifteen minutes - without telling anyone.

Convenient for the employee. A systemic risk for the company.

What is actually happening

Analysts estimate that the real number of cloud services in use at mid-sized and large companies exceeds the officially registered number by several times. Much of that gap is outright shadow IT: Dropbox for file sharing, Trello for task management, assorted communication tools, password storage services, marketing platforms.

The problem is not that these tools are bad. Many are good. The problem is that they are used without understanding what data goes into them, under what terms it is stored, what happens when an employee leaves, and what will happen if the service changes its terms or shuts down.

Three real risks

First - data leakage. An employee uploads a customer list to a cloud service for convenience. The service stores the data on servers in an unknown jurisdiction under an unknown security policy. If a breach occurs, the company is the one responsible for notification and for the people whose data it was - but it had no idea the data was there, and it cannot answer a deletion or access request for a copy it does not know exists.

Second - dependency without an exit plan. A team builds processes around an unofficial tool. A year later the tool changes its pricing or closes. Data is locked in, processes are disrupted, and it all surfaces unexpectedly.

Third - the gap when someone leaves. A person using a shadow service moves on. Access to the account is tied to their personal email, so offboarding cannot revoke what IT never provisioned. The data produced for the company technically belongs to that person's account. This scenario plays out regularly.

Why bans do not work

The standard IT response is to prohibit. But a ban without an alternative does not solve the problem: employees will use tools that help them work, regardless of policy. They will just be more careful about hiding it.

The practical approach is different: understand what tasks employees are solving through shadow tools, and offer legitimate alternatives. Sometimes it turns out that people use Dropbox because the official file server is inconvenient or slow. That is an IT problem, not a discipline problem.

What to do now

Start with an inventory, not restrictions. A few practical steps:

  1. Review corporate card transactions - subscriptions to cloud services are visible there as recurring charges to the same merchant, month after month. Card statements only catch paid services, though: free tiers signed up for with a corporate email show up in the identity provider's sign-in and OAuth consent logs instead, so check both.
  2. Ask department heads which tools their teams use beyond the official ones.
  3. Assess what data is processed in these tools - customer data, financial data, personal data.
  4. For each service found, make a conscious decision: legitimise it with controls, replace it with an official alternative, or prohibit it with an explanation.
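As an added illustration of the first step (this is example code written for this post, not a tool the author describes), the script below parses a corporate-card statement export, groups charges by merchant and cardholder, treats the same amount charged in two or more distinct months as a subscription, and flags any subscription whose vendor is not on IT's sanctioned list. The CSV rows, the column names and the sanctioned list are all constructed for the example.

```python
"""Finance-side shadow SaaS discovery over a card statement export.

Example code for this post. The statement rows below are constructed, the
column layout (date, cardholder, merchant, amount) is assumed, and the
sanctioned-vendor list is a placeholder for whatever IT actually manages.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date

# Constructed card statement export (not real transactions).
STATEMENT_CSV = """date,cardholder,merchant,amount
2024-01-03,a.ivanova,DROPBOX*PLUS,11.99
2024-02-03,a.ivanova,DROPBOX*PLUS,11.99
2024-03-03,a.ivanova,DROPBOX*PLUS,11.99
2024-01-15,b.petrov,TRELLO.COM,10.00
2024-02-15,b.petrov,TRELLO.COM,10.00
2024-01-20,c.sidorov,ATLASSIAN JIRA,57.50
2024-02-20,c.sidorov,ATLASSIAN JIRA,57.50
2024-03-20,c.sidorov,ATLASSIAN JIRA,57.50
2024-02-11,d.kuznetsova,CAFE CENTRAL,8.40
2024-03-05,e.orlov,NOTION LABS,8.00
"""

# Vendors IT already manages (assumed, constructed). Keys are normalised
# vendor names as produced by merchant_key() below.
SANCTIONED = {"ATLASSIAN"}


def merchant_key(descriptor: str) -> str:
    """Reduce a noisy card descriptor ("DROPBOX*PLUS", "TRELLO.COM") to a vendor key.

    Punctuation is replaced with spaces and the first token is kept, because
    the processor-added suffixes vary while the vendor name is stable.
    """
    cleaned = re.sub(r"[^A-Z0-9 ]", " ", descriptor.upper())
    return cleaned.split()[0]


def parse_statement(csv_text: str) -> list[dict]:
    """Parse the export into typed rows with a normalised merchant key."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "date": date.fromisoformat(row["date"]),
            "cardholder": row["cardholder"],
            "merchant": merchant_key(row["merchant"]),
            "amount": round(float(row["amount"]), 2),
        })
    return rows


def find_recurring(rows: list[dict], min_months: int = 2) -> dict:
    """Group charges by (vendor, cardholder).

    A subscription shows up as the same amount charged in at least
    min_months distinct calendar months. One-off charges (the cafe, a
    single Notion payment) do not qualify and are left out.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["merchant"], r["cardholder"])].append(r)

    recurring = {}
    for key, charges in groups.items():
        months = {(c["date"].year, c["date"].month) for c in charges}
        amounts = {c["amount"] for c in charges}
        if len(months) >= min_months and len(amounts) == 1:
            recurring[key] = {"months": len(months), "monthly_amount": amounts.pop()}
    return recurring


def shadow_report(csv_text: str, sanctioned: set[str], min_months: int = 2) -> list[dict]:
    """Return recurring subscriptions, unsanctioned ("shadow") ones first,
    ordered by annualised spend so the costliest unknowns surface at the top."""
    report = []
    for (merchant, cardholder), info in find_recurring(parse_statement(csv_text), min_months).items():
        report.append({
            "merchant": merchant,
            "cardholder": cardholder,
            "months": info["months"],
            "monthly_amount": info["monthly_amount"],
            "annualised": round(info["monthly_amount"] * 12, 2),
            "status": "sanctioned" if merchant in sanctioned else "shadow",
        })
    report.sort(key=lambda r: (r["status"] != "shadow", -r["annualised"]))
    return report


if __name__ == "__main__":
    for r in shadow_report(STATEMENT_CSV, SANCTIONED):
        print(f'{r["status"]:10} {r["merchant"]:12} {r["cardholder"]:14} '
              f'{r["months"]} months  {r["monthly_amount"]:>7.2f}/mo  {r["annualised"]:>8.2f}/yr')
```

Two caveats when running this against a real export: a service on an annual plan is charged once, so it never looks "recurring" inside a single year and needs either a longer lookback or a vendor name list; and anything on a free tier or paid through personal expense claims never reaches the card statement at all, which is why the identity-provider logs are the second source rather than an optional one.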

Shadow IT will not disappear - it is a natural consequence of business tools evolving faster than corporate policies. But managed shadow IT is significantly less risky than unknown shadow IT.
