It’s easy to buy cloud-based applications. Too easy, in fact. According to recent reports, the average small business has 40 to 60 SaaS apps, while the average midsize company has close to 100 or more. Small to midsize enterprises (SMEs) spend as much as 12 percent of their revenue on SaaS.
As much as 20 percent of this spending is wasted. Many of these SaaS applications are redundant, overlapping or underutilized. Employees buy SaaS tools to fill a particular need, not realizing that the organization already has an app that provides the same basic functionality.
There’s even a name for it — SaaS sprawl — and it’s more than just a waste of money. All of these SaaS apps create data silos, inefficient workflows and a chaotic user experience. SaaS sprawl also increases the risk of a data breach.
In some cases, employees buy SaaS apps and then leave the company. Meanwhile, those orphaned subscriptions continue to rack up costs and risks.
When IT Is Kept Out of the Loop
SaaS sprawl is a symptom of decentralized IT spending. Individual departments control significant portions of the IT spend, driven by cloud adoption and “as-a-service” models. This ad hoc approach can increase agility and better align tech purchases with business needs. However, it also leads to hidden costs and creates risks such as shadow IT.
Studies suggest that up to 90 percent of SaaS usage falls outside of IT control, creating security gaps and compliance risks. Only 10 percent to 15 percent of SaaS apps are centrally managed, with major apps such as Salesforce and Microsoft 365 more controlled than niche ones.
Unsanctioned apps lead to blind spots in data flows and integrations, making comprehensive security and management extremely difficult. Data leaks and high-risk activities happen in the browser, invisible to traditional network and endpoint security tools. SaaS users often grant excessive permissions and fail to utilize the app’s built-in security features.
Why SaaS Sprawl Is a Business Problem
SMEs often struggle with SaaS sprawl because they lack dedicated IT teams and strong procurement processes. Reining it in starts with good governance practices that include formal processes for approving new tools. There should be a well-defined process for evaluating SaaS apps and providing users with training and support.
Organizations should also analyze why users are buying unsanctioned apps in the first place. Perhaps the behavior stems from company growth, pressure to increase productivity or overly complex business processes. Perhaps the organization has been slow to upgrade existing software and invest in the tools employees need to do their jobs. By identifying and addressing these underlying issues, organizations can reduce the need for unsanctioned apps.
Effective governance starts at the top, but it should include stakeholders throughout the organization. Management teams should talk to users to understand their needs and the gaps in existing toolsets.
How Verteks Can Help
Verteks can help organizations detect shadow IT using our advanced monitoring tools, which can look for unusual data flows or connections to unknown cloud services. We can also deploy software to inventory installed applications and detect browser extensions that might indicate shadow IT. User behavior analytics can identify suspicious activity, access to banned apps or large data uploads to unapproved locations.
We can conduct periodic IT environment reviews, including risk assessments, to find and address unauthorized technology. Our security awareness training programs educate employees on the risk of shadow IT.
Once we identify all the SaaS apps in use in the organization, we can meet with key stakeholders to identify those that are unnecessary or overlapping. Organizations are often surprised by the amount of budget they can recapture — budget that can go toward IT initiatives that drive the business forward.
Don’t let SaaS sprawl devour your IT budget and create security risks. Let Verteks help you regain control and create a SaaS portfolio that makes good business sense.
