Shadow-IT: The monster lurking in your business

Perrine HUVETEAU
Published in Decathlon Digital
Oct 4, 2022 · 9 min read

Let’s be honest: the minute you sign up to a new site on the internet, it’s as if you had entrusted a stranger with your bag, house keys, IDs, private pictures, … along with a signed contract stating that the stranger in question won’t be held accountable if anything happens to you, your loved ones, your house or your possessions.

Some candid people, like me, will say that they have nothing to hide and that some well-known companies can do whatever they please with their data as long as they’re allowed to watch Squid Game.

But does your employer share the same opinion?

The Sh-IT monster

80% of employees admitted using IT solutions without the consent of their CIO
Shadow IT (abbreviated here as ‘Sh-IT’) is like a monster that takes advantage of every vulnerability in your Information System (IS) to break into your business. And for each new unreferenced solution that sneaks into a team, a new monster is created and colonizes the neighbouring teams.

But since it’s generally free, why would you go without it?

For instance: I need a task management solution, I Google it and create a free account on what seems to be a great tool. My team loves it and never misses an opportunity to recommend it to other teams.

(By the way, if you have to Google an app, the chances are you’re shadow-iting.)

In a heartbeat, we end up with solutions used by half the employees, and everyone is convinced that they are following the rules (perhaps also because these rules are not clear or are insufficiently communicated).

One of the peculiarities of Shadow IT SaaS is how deeply it cuts across business functions and touches fundamental governance issues.

This is not only a matter of pure IT security, such as cyber attacks, but first and foremost a legal, financial, privacy / compliance and purchasing issue.

As a matter of fact, when the monster grows and spreads, it is not only because of users but also because of structural dysfunctions: lack of governance, complexity of the purchasing processes, lack of technology watch, lack of accountability, ignorance, absence of audit and control, … and the sheer ease of finding off-the-shelf solutions.

The threats and issues

Governance

The subject is vast. If we have reached a situation where hundreds of applications are used without the knowledge of the IS department, there is certainly a governance concern.

One of the main risks at the governance level is the loss of control of the IS architecture. Not many large companies are able to list (and maintain) an inventory of all the approved applications in use, and it is even harder to control them. But if you add the Sh-IT apps, it becomes impossible.

At Decathlon, we have experienced a period of liberalization in which teammates have become responsible and autonomous. Anyone is free to launch a project without having to refer it up their entire hierarchy. This has allowed the company to accelerate its innovation DNA and go digital. But it is also what allowed Sh-IT to reach its full potential.

As a result, hundreds of new applications have grown like bacteria in a petri dish.

Since we are planning on keeping the solutions whose level of risk is not prohibitive, we will have to re-establish a framework. But who will manage these solutions? How will end-users react? Are we too late?

A recurring problem is volume. We will have to find owners to assign responsibilities to and have an accountable middle-management line. And on top of these responsibilities come numerous constraints, such as setting up on-call duty, reviewing budgets, monitoring, and so on.

Legal

The main issue:
When you signed up for some well-known and established service providers, you probably accepted the terms of use without even reading them (let’s be honest, who reads them!). We see them all the time, everywhere, and after a while we end up forgetting that it is a contract to which we consent.

But is your company going to sign a contract without reading it?

We can dream of a world where no one tries to take advantage of the other and where terms and conditions (T&C) are fair, understandable and clear enough even for non-lawyers (…), but this is not the case.

So we will not dissect the T&C of each solution here, but here are 5 examples of clauses that can be found in 90% of the conditions of use:

1. Stop reading the rest of the conditions right there, because the publisher can unilaterally modify them at any time.

A free service can become chargeable, your data hosted in Europe can move to another country, or you may find you have committed to selling a kidney or your grandmother.

To go further: https://www.aglaw.us/janzenaglaw/2019/7/15/saas-providers-stop-changing-the-terms-of-the-deal

2. The person who accepts the conditions binds the company. I don’t know about you, but I’m not supposed to sign anything (I’m only allowed to write articles).

3. The publisher can stop the service at any time. No need to explain further; let’s just hope you have a plan B.

4. The publisher can do whatever they want with your data. EVERYTHING.

5. The publisher accepts no liability. Your data can be erased or compromised; it’s not their problem. Remember that 400-page report you’ve been working on for months?

Needless to say, this is a significant risk.

The other main issues:
We saw earlier that we cannot rely on the publishers’ own conditions. So ideally, there should be a negotiated contract behind each solution.

But if we assume that we are going to find 300 Sh-IT applications, there is a good chance that we will have to proofread or negotiate most of their Terms and Conditions, which will generate a substantial burden and massive work for lawyers.

But the number of solutions is not the only pitfall. Let’s say we deploy a task force of lawyers on these 300 applications: we will still not be able to get a contract for each one of them, mainly because our licence volume is too small for the publisher to bother.

So we’re still going to live with these abusive terms of use.

Ultimately, we can accept the risks as long as we know about them. But if you remember the first example, the conditions can be changed at any time. So how do you monitor these risks?

Purchase

The purchasing risks mostly concern the suppliers themselves. Usually, we try to assess the financial health of our suppliers to make sure they do not let us down along the way. Suffice it to say that this is not done for Sh-IT apps. So there is an additional risk of losing access to a solution if its publisher files for bankruptcy.

We shouldn’t put all our eggs in the same basket, but the more suppliers we have, the more the risks multiply. 500 software publishers mean as many hosting providers, contracts, potential economic dependencies, … and in the end they raise the company’s overall risk level.

And once again, we have a volume problem. We don’t have enough buyers to handle the initial flow, so we’ll have to find a way to prioritize. Not to mention that many solutions cost only a few hundred or a few thousand euros, and software publishers do not bother negotiating for so little.

A final problem is that software publishers don’t always have the structure to handle negotiations: this requires a team of negotiators and lawyers, and some of them choose to open negotiations only above prohibitive amounts.

Personal data

We are not going to dwell on the volume of solutions to be analyzed: many solutions -> not enough resources -> no risk control.

But here too, if that were the only problem, we could find a solution.

In Europe, we are very focused on the GDPR. We must keep data transfers outside Europe under control, keep a register of all our data processing, offer the right to erasure (the “right to be forgotten”), … We have all these rules to follow and everyone strives to respect them as best they can. But Decathlon is a multinational, so what about regulations in other countries?

CCPA in California (USA), LGPD in Brazil, POPIA in South Africa, PIPEDA in Canada, plus Russia, China, Turkey: the majority of countries have their own regulations.

Do we comply with all of these regulations?

Which entities must carry out the controls: the headquarters or the countries?

If no common regulation emerges, will we have to find a way to host user data in each country for each solution?

Security

It is relatively easy to manage the risks of a home-made or on-prem solution hosted by our company: you control the hosting, security updates, back-ups, monitoring, …

SaaS solutions are easy to use and free up teams that no longer have to deal with infrastructure, but the downside is having little to no control over the supplier’s infrastructure.

Gartner has predicted that one-third of successful attacks on businesses would target their shadow IT resources.

Indeed, if the IS department is not aware that a solution is in use, it cannot secure it. And it is this lack of control that widens the attack surface reachable by attackers.

It is also difficult to control access to Sh-IT solutions. Because these accounts are usually created with a personal login rather than through the company’s identity provider, nothing revokes them when an employee leaves the company, and nothing enforces the access rights that restrict certain information to certain people.

Likewise, there is no control over back-ups and no disaster recovery plan (DRP). Either way, important data can leak or be destroyed.
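The first step out of “the IS department does not know the solution exists” is discovery: the company’s own web-proxy (or DNS) logs already record every SaaS domain its employees talk to, so they can be diffed against the approved-application inventory. The script below is an added example (it is not Decathlon’s tooling and not part of the original article). It assumes a hypothetical proxy log format of `timestamp user method url status`, a hypothetical approved-SaaS inventory and a hypothetical list of departed accounts; the log lines are constructed for the example. It reports every unapproved domain with the users and request counts behind it, and flags domains still tied to an account HR has already offboarded, which is exactly the revocation gap described above.

```python
"""Shadow-IT discovery pass over web-proxy logs (added example, not the article's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample log, format assumed for this example:
# "<timestamp> <user> <method> <url> <status>". One line is deliberately malformed.
SAMPLE_PROXY_LOG = """\
2022-10-03T09:12:01Z alice GET https://app.approved-tasks.example/boards 200
2022-10-03T09:13:44Z bob POST https://api.freekanban.example/v1/cards 201
2022-10-03T09:15:02Z carol GET https://freekanban.example/login 200
2022-10-03T09:20:17Z dave GET https://drive.approved-docs.example/file/1 200
2022-10-03T09:22:39Z erin GET https://share.pastebox.example/upload 200
2022-10-03T09:25:05Z bob GET https://www.freekanban.example/boards/7 200
2022-10-03T09:30:11Z alice GET https://app.approved-tasks.example/boards/2 200
malformed line that the parser must skip
"""

# Hypothetical inventory of approved SaaS, keyed by registrable domain.
APPROVED_SAAS = {"approved-tasks.example", "approved-docs.example"}
# Hypothetical HR leavers list: accounts offboarded after the log period.
DEPARTED_USERS = {"erin"}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels so app./api./www. hosts of one
    SaaS are counted together. Simplification: a production version should use
    the Public Suffix List (e.g. co.uk has three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> tuple[str, str] | None:
    """Return (user, registrable_domain) for a well-formed line, else None."""
    fields = line.split()
    if len(fields) != 5:
        return None
    _timestamp, user, _method, url, _status = fields
    host = urlsplit(url).hostname
    if not host:
        return None
    return user, registrable_domain(host)


@dataclass
class Finding:
    domain: str
    users: set[str] = field(default_factory=set)
    departed_users: set[str] = field(default_factory=set)  # accounts nobody revoked
    requests: int = 0


def discover_shadow_it(log_text: str, approved: set[str],
                       departed: set[str]) -> dict[str, Finding]:
    """Aggregate every request to a domain outside the approved inventory."""
    findings: dict[str, Finding] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the whole pass
        user, domain = parsed
        if domain in approved:
            continue
        finding = findings.setdefault(domain, Finding(domain))
        finding.users.add(user)
        finding.requests += 1
        if user in departed:
            finding.departed_users.add(user)
    return findings


def report(findings: dict[str, Finding]) -> list[str]:
    """One line per unapproved domain, widest adoption first."""
    lines = []
    for f in sorted(findings.values(), key=lambda f: (-len(f.users), f.domain)):
        line = (f"{f.domain}: {len(f.users)} user(s) [{', '.join(sorted(f.users))}], "
                f"{f.requests} request(s)")
        if f.departed_users:
            line += f"; departed account(s) never revoked: {', '.join(sorted(f.departed_users))}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for entry in report(discover_shadow_it(SAMPLE_PROXY_LOG, APPROVED_SAAS, DEPARTED_USERS)):
        print(entry)
```

Sorting by number of distinct users rather than by request count puts the tools that have already “colonized” several people at the top of the list, which is where a governance review should start; the departed-account flag is the signal that the access problem is no longer theoretical for that domain.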

Finance

In finance, it’s all about forecasting. This is why we make budgets.

What if you have a specific budget for the month but your kid uses your bank card to buy credits for video games?

Well, it’s the same with shadow IT.

Expense reports are filed for tens or hundreds of thousands of euros, for expenses that were never budgeted. And a poorly controlled budget rarely pleases shareholders or investors.

More and more, we find ourselves in situations where software publishers will only agree to negotiate their rates and / or contracts if you subscribe to the most expensive plan. So to secure the IS with a proper contract, you sometimes have to pay triple the price.

Conclusion

We are in a situation where habits change faster than processes and where IT departments are no longer all-powerful enough to dictate a course of action. Sh-IT affects every department and every team, whether in stores or in services. This is a subject that is likely to be of paramount importance in the years to come, and it is becoming urgent to nip the problem in the bud.

This article was deliberately focused on the risks and issues of shadow IT in general, but a future article will be dedicated to what solutions Decathlon seeks to implement.
