From reducing risk to optimizing efficiency, your organization has many compelling reasons to enforce policies and procedures. But what happens when a policy hinders productivity more than it helps, causing employees to skirt the rules?
For IT departments, this ever-present dilemma is called shadow IT. As cybersecurity risks rise in 2024, it’s more relevant than ever. And yet, in Auvik’s IT trends report, only 1 in 4 respondents listed shadow IT visibility as a high priority for the year ahead.
Before we get into our list of shadow IT statistics, let’s review the basics.
What is shadow IT?
Shadow IT refers to the use of information technology systems, devices, software, and services without explicit approval from the IT department. But shadow IT isn’t necessarily malicious behavior. Often, it’s born from a need for convenience or customization.
When employees don’t have access to the tools and technologies they prefer to be productive, they find loopholes. Whether this behavior is intentional or not, it plays a significant role in how organizations manage data security, compliance, and overall governance of their IT resources.
In this article, we present 50 eye-opening shadow IT statistics, providing insight into its prevalence and risk both now and in the future. With these facts, you’ll be equipped to educate stakeholders and secure support from business and IT leaders for managing shadow IT risks in 2024 and beyond.
What’s your shadow IT risk factor?
Find out in this free quiz and guide.
IT departments are unaware of one third of SaaS apps
A 2021 report by BetterCloud revealed that the number of SaaS applications running on corporate networks was roughly three times the number IT departments were aware of.
30 to 40% of IT spending is shadow IT
In large enterprises, Gartner has found that shadow IT accounts for 30 to 40% of IT spending. Another report by Everest Group found it to equate to more than 50%.
41% of employees use technology IT can’t see
A staggering 41% of employees are acquiring, modifying, or creating technology that IT isn’t privy to. Gartner expects this number to increase to 75% by 2027.
57% of SMBs are experiencing high-impact shadow IT
Of that group, 85% have a team using high-impact shadow IT in the business right now, such as developing and deploying a new customer database outside the official IT environment.
68% of organizations have exposed shadow APIs
Undocumented third-party application programming interfaces (APIs) affect up to 68% of organizations according to a 2022 report by Cequence Security.
31% of malicious requests target unmanaged APIs
A 2022 report found that 31% of 16.7 billion malicious requests observed in a study targeted unknown, unmanaged, or unprotected APIs.
76% of SMBs say shadow IT threatens security
A 2023 study by Capterra found that more than three-quarters of small and medium-sized businesses believe shadow IT is a moderate to severe cybersecurity threat.
Business technologists are 1.8 times more likely to be a security threat
Employees who create and bring in new technologies are nearly twice as likely to take unsecure actions across all of their workplace activities.
69% of employees bypass cybersecurity guidance
Over two-thirds of employees know when they are breaking the rules but do so anyway. A 2023 Gartner study revealed that 69% of employees had intentionally bypassed cybersecurity within the year.
Trained employees are 2.5 times more likely to avoid cyber risk
According to Gartner, employees who have been trained on technology-related activities are 2.5 times more likely to avoid introducing cyber risk to the business, without slowing down the pace of work.
70% of employees that use ChatGPT hide it from employers
Despite the risk of sharing enterprise data across third-party applications, 7 in 10 workers who use AI tools like ChatGPT are doing so without consent from the organization. Not only that, in our own research, we found 67% of ChatGPT logins are from personal accounts.
31% of workers still have access to previous employers’ SaaS tools
Research has found that large companies have an average of 5.5 million assets stored in SaaS applications. The shocking part is that nearly a third of previous employees still have access to those tools.
91% of IT pros feel pressured to compromise security
With pressure to both tighten security and create shortcuts that enable innovation, 91% of IT professionals feel they’re in a no-win situation where they have to compromise one for the other.
86% of IT pros want automated SaaS management
A 2023 survey revealed that while 86% of IT professionals believe automation is essential to managing SaaS operations, 64% lack the visibility and insight to do so effectively.
59% of IT pros find it difficult to manage SaaS sprawl
SaaS sprawl is difficult to manage according to 59% of IT professionals. But that comes as no surprise considering 65% of unsanctioned SaaS apps are adopted without their approval.
57% of IT pros are taking on more SaaS apps to manage
In an attempt to gain better control of shadow IT, 57% of IT professionals have increased the number of SaaS apps that are managed and supported by IT in the last 12 months.
The average data breach costs a company $4.45M
In IBM’s 2023 report, the average cost of a data breach rose to $4.45M. This represents a 15% increase over the past three years, highlighting the significance of cybersecurity programs.
82% of data breaches involved cloud-stored data
In 2023, 82% of security breaches involved data stored in the cloud. This stat highlights a need to implement controls as data moves across clouds, databases, SaaS apps, and services.
50% of CISOs will opt for human-centric cybersecurity practices
Through 2027, 50% of CISOs plan to weave human-centric design practices into their cybersecurity programs. These practices make people, rather than technology, the focus of control design. The hope here is to create a model that reduces friction.
90% of employees use unsecure practices despite risk awareness
Of the employees surveyed in 2023 that admitted to taking unsecure actions at work, 90% knew their actions were risky to the organization but decided to continue regardless.
10% of enterprises will adopt zero-trust programs by 2026
By 2026, 10% of large enterprises will adopt zero trust, a security model that assumes that all individuals, devices, and services both inside and outside a company’s network cannot be automatically trusted. This is up from less than 1% in 2023.
39% of marketers see inefficiency from redundant apps
Capterra estimates that companies are spending an average of $43,500 annually on SaaS apps that are unknowingly going unused by the organization.
Only 26% believe their IT teams cancel unused software
In the same Capterra study, only 26% of marketers say their company formally canceled payments with software providers, even after they’d decided to remove the app. This indicates a strong need for clearer processes around SaaS.
84% say their companies conduct regular software audits
The majority (84%) of marketers surveyed believe their company performs regular software audits. That number rises to 88% for those with IT departments.
55% of companies have experienced a SaaS security incident
Within the past two years, over half of security executives say their organization has dealt with a SaaS-related security incident. Clearly there is a need for better visibility into applications.
58% of CISOs estimate their SaaS security isn’t up to par
A recent survey finds that 58% of security executives estimate their current SaaS security solutions are only accounting for 50% or less of the organization’s SaaS applications.
71% of companies are investing more in SaaS security
In 2023, two-thirds of companies planned to increase their investment in apps. A subsequent 71% are investing more in SaaS security posture management solutions and tools.
58% of SaaS security-related incidents resulted in data leakage
The other most prevalent SaaS security incidents involved malicious apps (47%), data breaches (41%), and SaaS ransomware (40%). This highlights the need for greater SaaS security.
37% of companies don’t have clear consequences for shadow IT
A survey of IT professionals revealed that 37% of them believe their organization doesn’t have clarity on the consequences for employees who violate IT policies and use unapproved apps.
77% of IT pros believe shadow IT is a major concern
Those same IT professionals believe their company could gain a competitive advantage if leaders were more collaborative about finding shadow IT solutions.
97% of IT pros believe employees are more productive with preferred technologies
Shadow IT has its benefits, too. The majority of IT professionals believe that productivity soars when people are empowered to use the technologies they prefer.
39% of young employees are unaware of security policies
A 2021 survey by HP revealed that 39% of surveyed office workers aged 18 to 24 were unsure of their organization’s data security policies. Of the same group, 54% believed meeting deadlines was more important than exposing the business to risk.
48% of young employees believe cybersecurity is a hindrance
In the same survey, nearly half of those surveyed believed that security policies were a hindrance to productivity, with 37% stating they’re too restrictive.
31% of young employees have tried to bypass security
Nearly half of office workers aged 18 to 24 believe security measures waste their time. But a whopping 31% have actively tried to circumvent security. This stat highlights the significance of security awareness training and a people-oriented process for SaaS management.
30% of files are shared with personal accounts
A 2023 report revealed that 30% of the time, files are shared with personal accounts, bypassing corporate policies. There are an average of 54 shared resources (such as files, folders, or SharePoint sites) per employee.
35% of employees forward work email to personal accounts
Over one-third of workers forward email to their personal accounts. This leaves companies exposed to security risks related to data leaks and intellectual property.
11% of data employees paste into ChatGPT is confidential
In 2023, Samsung discovered employees inputting confidential data into ChatGPT, including source code and transcripts from internal meetings. As an emergency measure, the company limited the AI platform’s usage internally.
42% of employees use personal email accounts for work
A Statista report from 2020 revealed that nearly half of employees use personal email accounts not approved by IT teams for work, bypassing company policy.
35% of employees use video conferencing tools not approved by IT
The same report revealed non-approved video conferencing platforms were used by 35% of employees. This was especially true during the onset of remote work caused by the pandemic.
Only 28% of millennials are satisfied with workplace technologies
In a 2023 study, fewer than one third of younger employees were satisfied with workplace tools and technologies. This was followed by Gen X (37%) and Baby Boomers (46%).
27% of remote workers spend money on digital tools
A 2023 survey revealed employees are spending more of their own money on digital tools. This signals a knowledge gap between leaders and what their employees need to be successful.
Only 75% of security training covers shadow IT practices
When asked if their company’s IT security policy covers unapproved software, hardware, and cloud services on work devices, 25% of survey respondents were either unsure or responded “no.”
Less than 6% of monitored login events are through SSO
According to data from our ASM tool, 94% of all logins are through username and password confirmation. This creates a real hassle for offboarding employees securely.
18% of remote workers have gaming software on their work devices
Nearly one-fifth of employees use their company devices for personal entertainment and communication. Of those, 18% have gaming software installed on their work computer or phone.
Only 56% of employees see shadow IT as a significant risk
The remaining 44% of surveyed employees rank the risk of using unapproved hardware, software, or cloud services as slight to no risk at all.
82% of IT pros have experienced pushback on approved tools
When trying to dictate which collaboration tools should be used, the vast majority of IT professionals (82%) said they’ve experienced pushback from end users.
79% of companies see data loss as the primary shadow IT risk
Other top risks cited by surveyed companies include the interoperability of the approved systems the company uses (65%) and the productivity and efficiency of IT (71%).
69% of companies would prefer shadow IT over losing employees
In a survey of IT leaders, more than two-thirds said that if a highly valued employee threatened to quit over which tools they can or cannot use, the company would rather give them control to avoid attrition.
Data loss and downtime from shadow IT cost $1.7 trillion yearly
A study from EMC suggested that the data loss and downtime costs that add up from security breaches related to shadow IT equate to a shocking $1.7 trillion annually.
Companies without centrally managed SaaS are 5X more vulnerable
According to Gartner, organizations that operate without centrally managed SaaS lifecycles are five times more prone to data loss or cyber incidents related to misconfiguration.
How can you manage shadow IT risks?
If these shadow IT statistics have you motivated to get into action, start by assessing your IT assets. Identifying the software applications your employees use through ongoing SaaS discovery doesn’t just help to reduce shadow IT risks. This process can help ensure you meet cybersecurity insurance requirements and optimize your SaaS spend management.
Today, this process is easier than ever using modern SaaS management platforms like Auvik SaaS Management.
Before you take the plunge, download The Modern Professional’s Guide to Shadow IT. In this free ebook, we share shadow IT statistics and case studies, tips for evaluating SaaS management platforms, cybersecurity advice, and more. Plus, we’ve included a quiz to help you determine the severity of shadow IT in your organization. Walk away prepared to make a business case for better SaaS visibility and security controls.