Tech Insight : Shadow AI and Shadow SaaS Risks?

A Next DLP survey (conducted at RSA Conference 2024 and Infosecurity Europe 2024) has revealed how the rise of ‘Shadow SaaS’ and ‘Shadow AI’ may be putting businesses at risk of data loss, lack of visibility, and data breaches. 

What Are Shadow SaaS and Shadow AI? 

Shadow SaaS refers to the use of software-as-a-service (SaaS) applications within an organisation without explicit approval from the IT department. Similarly, Shadow AI involves the deployment of AI tools and solutions without official oversight. The issue for businesses is that these shadow technologies often bypass the stringent security protocols and oversight that sanctioned IT solutions are subjected to, thereby creating potential vulnerabilities. 

Prevalent 

One notable fact that the Next DLP survey established is the prevalence of SaaS applications in organisations, with almost three-quarters of security professionals (73 per cent) admitting to using SaaS applications that had not been provided by their company’s IT team in the past year. 

Key Findings from the Next DLP Survey 

The Next DLP survey, which captured insights from industry professionals at two major conferences, appears to have revealed some of the more potentially negative implications of the use of Shadow SaaS and Shadow AI in organisations. For example, the survey reveals three primary areas of concern – data loss, lack of visibility, and data breaches. 

Data Loss 

The unregulated nature of Shadow SaaS and Shadow AI can mean that sensitive data can easily be transferred, shared, or stored outside the secure confines of the company’s IT infrastructure. However, one key issue highlighted by the Next DLP survey, is the apparent disparity between employee confidence in using unauthorised tools and the organisation’s ability to mitigate the risks. For example, 65 per cent of respondents named data loss as a top risk of using unauthorised tools, and it appears that (according to 40 per cent of security professionals) employees may not fully understand the data security risks posed by shadow SaaS and shadow AI. 

The survey respondents noted multiple instances where critical business data was inadvertently exposed or lost due to the use of unauthorised applications and AI tools.  

This data loss can not only hamper business operations but also puts companies at risk of non-compliance with data protection regulations. 

Lack of Visibility 

Another significant challenge highlighted by the survey appears to be the lack of visibility over shadow technologies. Without proper oversight, IT departments cannot track or manage these applications, making it difficult to enforce security policies or detect anomalies.  

The survey indicated, for example, that 62 per cent of respondents are concerned about the lack of full visibility and control of the SaaS and AI tools being used within their organisations, thereby leading to unmanaged risks and potential security gaps. 

Data Breaches 

The integration of unauthorised applications and AI tools also significantly increases the risk of data breaches for organisations. For example, shadow technologies often lack the strong security measures that are standard in approved IT solutions.  

The Next DLP survey reflected this by showing that just over half (52 per cent) of respondents see data breaches as a top risk of using unauthorised tools. The survey also reported an apparent surge in security incidents linked to shadow applications, with many businesses experiencing breaches that compromised sensitive information. For example, 10 per cent of respondents admitted they were certain their organisation had suffered a data breach or data loss as a result of Shadow SaaS usage  

Data breaches not only result in financial losses but also damage the reputation of the affected companies. 

Understanding of Shadow SaaS and AI Risks 

As previously touched upon, the Next DLP survey also revealed gaps in employee training and awareness regarding Shadow SaaS and AI risks in their organisation. For example, it showed that 40 per cent of security professionals believe employees do not understand these risks, and only 37 per cent have developed clear policies and consequences for unauthorised tool use. Also, 20 per cent admitted to being unaware of their company’s policy updates or training on these risks and 20 per cent also said they hadn’t received any guidance and updated policies in the past six months. 

Such findings, therefore, appear to highlight the need for improved awareness and education on managing shadow technologies. 

What To Do? 

To mitigate the risks associated with Shadow SaaS and Shadow AI, businesses may, therefore, benefit from adopting a proactive approach and using key strategies such as: 

– Enhanced monitoring. Implementing advanced monitoring tools to detect and manage unauthorised applications. 

– Employee education. Training employees on the risks of using unapproved technology and the importance of adhering to company policies. 

– Robust policies. Developing and enforcing clear and comprehensive IT policies that address the use of SaaS and AI tools. 

– Promote approved alternatives. For example, encouraging the use of approved and secure alternatives to unauthorised applications can help reduce reliance on risky shadow technologies. Currently, only 28 per cent of organisations promote such alternatives. 

– Regular audits. Conducting regular audits to identify and remediate any instances of shadow technology usage. 

What Does This Mean For Your Business? 

The findings from the Next DLP survey reveal a critical need for businesses to address the growing risks associated with Shadow SaaS and Shadow AI. The prevalence of unauthorised tools, combined with the significant risks of data loss, lack of visibility, and data breaches, all highlight the urgency for a strategic response. 

For businesses, this means taking proactive steps to manage and mitigate these risks. For example, implementing advanced monitoring tools can help detect and control the use of unsanctioned applications and AI tools. By gaining full visibility into the tools employees use, businesses can better enforce security policies and detect anomalies early. 

Employee education is another way to mitigate the risks. Training staff about the dangers of using unauthorised technologies and the importance of adhering to company policies can significantly reduce the likelihood of data breaches and other security incidents. Developing and enforcing clear and comprehensive IT policies can also help ensure that all employees understand the consequences of using unapproved tools. 

Promoting the use of approved, secure alternatives, encouraging employees to rely on sanctioned applications and having regular audits are also ways that businesses can minimise the risks associated with Shadow SaaS and Shadow AI, identify and address any instances of shadow technology usage, and ensure continuous compliance and security. 

Adopting these kinds of proactive strategies may mean that businesses can safeguard against the vulnerabilities posed by unauthorised applications and AI tools, protect their sensitive data, and enhance their overall security posture, thereby helping to avoid the pain of financial losses and reputational damage.