Network Brainiacs
Tip #18 · Cloud & SaaS

Shadow IT is hurting your business.

Every month, employees sign up for tools you don't know about. Shadow IT leaks data, breaks compliance, and multiplies your attack surface.

At most small businesses we audit, there are 2-3x more SaaS tools in active use than the owner thinks. Somebody needed a quick way to sign a PDF. Somebody else tried a new AI tool. A team signed up for a free Trello board to manage a project. Every one of those logins holds company data — and none of them are under anyone's control.

Why it's worse than it sounds

Shadow IT doesn't just multiply your attack surface. It fragments your data across tools with different security postures, different breach histories, and no way to revoke access when someone leaves. It breaks compliance for regulated industries (HIPAA, PCI, SOC 2) because there's no BAA, no audit log, no policy governing those tools. And when a breach happens at one of those vendors, nobody at your company knows to act.

What we typically find during audits

A mid-sized services firm believed they used 12 SaaS tools. Our audit found 47 in active use with company email addresses.

Red flag: Three had suffered recent breaches. Two held client data with no BAA. Employees had signed up for all of them personally.

A property management company's bookkeeper kept all receipts in her personal Dropbox so she could get to them from home.

Red flag: Years of receipts, owner information, and banking data sat in an unmanaged account that left with her when she quit.

How to get control

  • Audit your OAuth apps in Microsoft 365 or Google Workspace — you'll see every tool employees have signed in with company credentials.
  • Publish an approved SaaS list. Tools not on it require a quick review before use.
  • Require business-tier accounts (not personal freemium) for any tool that touches company data.
  • Make it easy — slow approvals are why shadow IT starts in the first place.
  • When an employee leaves, revoke OAuth grants as part of offboarding.
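One way to run the OAuth audit from the first bullet in a Microsoft 365 tenant, as an added example that is not part of the original tip: it uses the Microsoft Graph PowerShell SDK to list every delegated OAuth2 grant, who consented to it, and what scopes it carries, then writes a CSV you can review against your approved list. It assumes the Microsoft.Graph module is installed and that you sign in with a role that can read the directory (for example Global Reader); the output file name is our choice.

```powershell
# Added example (not Network Brainiacs' own tooling): inventory delegated
# OAuth2 permission grants in a Microsoft 365 tenant via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# can read the directory. Directory.Read.All is enough to list grants.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

# Resolve service principal ids to names once, instead of one Graph call per grant.
$spById = @{}
Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,PublisherName |
    ForEach-Object { $spById[$_.Id] = $_ }

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $client   = $spById[$grant.ClientId]     # the third-party app
    $resource = $spById[$grant.ResourceId]   # the API it was granted (e.g. Microsoft Graph)

    # ConsentType 'Principal' means one user consented for themselves;
    # 'AllPrincipals' means an admin consented on behalf of the whole tenant.
    $consentedBy = if ($grant.ConsentType -eq 'Principal' -and $grant.PrincipalId) {
        (Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName).UserPrincipalName
    } else {
        '(all users, admin consent)'
    }

    [pscustomobject]@{
        App         = $client.DisplayName
        Publisher   = $client.PublisherName
        ConsentedBy = $consentedBy
        Resource    = $resource.DisplayName
        Scopes      = $grant.Scope.Trim()
        GrantId     = $grant.Id   # needed later if you revoke the grant
    }
}

# Broadest grants first, so the review starts with the apps that can do the most.
$report | Sort-Object { ($_.Scopes -split ' ').Count } -Descending |
    Export-Csv -Path .\oauth-grants.csv -NoTypeInformation

# Grants that can write data, read mail, or keep access via refresh tokens
# are the ones most worth checking against the approved SaaS list.
$report | Where-Object { $_.Scopes -match 'ReadWrite|offline_access|Mail\.' } |
    Format-Table App, ConsentedBy, Scopes -AutoSize

# During offboarding, a grant can be removed by its GrantId (requires the
# DelegatedPermissionGrant.ReadWrite.All scope at sign-in):
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

The CSV covers delegated (user-consented) grants; application-level permissions granted to service principals are a separate object in Graph and are not included here.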

Not sure what's in your stack?

A one-session shadow IT audit usually finds 20+ tools the owner didn't know about. Often it's the first step toward a real security posture.

Do this today
  1. Run a shadow IT audit this quarter — OAuth apps plus expense reports give you 90% of the picture.
  2. Publish an approved SaaS list and a quick request process for new tools.
  3. Require business-tier accounts for anything touching company data.
  4. Build OAuth revocation into your offboarding checklist.
  5. Review the approved list annually — tools you've outgrown leak through employees.

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.