What are unmanageable applications?

Unmanageable applications are a class of applications defined by their lack of support for common identity and security standards. While Shadow IT can refer to any application used without IT and security approval, unmanageable applications often fall into a gray area as they are often tolerated by IT and security and are used by departments or individuals with little to no options for security. Marketing, finance, or any other team that uses applications that haven’t been approved by IT and don’t support common identity and security standards, fall into the category of unmanageable applications.

The growth and use of unmanageable applications have accelerated with the consumerization of information technology. Employees use unmanageable applications to drive productivity and innovation, but the use of these applications introduces risk to a business through data breaches and possible privacy and compliance violations.


Why employees use Unmanageable Applications

Behaviors on employee application choice have permanently shifted in the wake of COVID-19. A new generation of professionals reaching maturity in the era of mobile apps and social media now expect the ability to choose the applications they use to get their work done. In a recent study, 92% of employees and managers said they wanted complete control over their work applications. The majority also said that disallowing an application shows a lack of trust by their employer and would negatively impact how they think about their job.
Today, about 50% of all technology spending occurs outside of IT, trending to 90% by the end of the decade. This shift in the buyer is a significant change that alters the threat model of applications because employees don’t place as high an emphasis on specific identity and security standards as IT and security teams do. This has fragmented and will continue to fragment the application ecosystem further, leading to sustained growth in the use of unmanageable applications.

Unmanageable Application risks and challenges

If an application does not support common identity and security standards, then Security and IT teams will not be able to secure them effectively. Security teams have collectively spent billions building their defenses, but unmanageable applications are typically outside their reach.
Unmanageable applications become risky once employees store and process sensitive information on these platforms. With a lack of support for enterprise-grade authentication, like single sign-on, employees often choose weak passwords and rarely enable features like two-factor authentication. According to the US Cybersecurity and Infrastructure Security Agency, enabling two-factor authentication reduces the risk of getting hacked by 99%. Yet IT and security teams cannot enforce this control when it comes to unmanageable applications.

Is your department in the IT shadows with unmanageable applications?

Non-IT teams can unintentionally add significant risk to a business by using unmanageable applications. Real-world risks include:

  • Re-directed ad spending on social platforms like Twitter, TikTok, and Facebook Business Manager. None of these platforms support enterprise-grade authentication options that marketing teams need to keep their budgets out of the hands of attackers.
  • Account takeovers (an attacker guesses the password or gets the password from a previous breach where a password was reused) due to weak passwords and disabled two-factor authentication. This one applies to every team. Think about the finance team using a banking application with a single username and password shared across the entire team. This is extremely common in the financial services industry with tens of thousands of legacy applications.
  • Application sprawl leading to excessive spending on cloud applications. While this might not be a direct cyber risk, out-of-control spending is a significant concern for CIOs and CFOs. Unmanageable applications are a driver of unbudgeted IT spending.
  • Compliance and privacy fines for storing company data in platforms that do not meet industry security standards.

Benefits of Unmanageable Applications

While unmanageable applications are risky, they are undeniably helpful, or their use wouldn’t be growing in the enterprise. Employees looking to be productive are seeking out the best applications to help them get their work done. In the past, they would have been limited to a set of corporate applications provided by IT. Still, in the wake of the COVID-19 pandemic, employees now default to SaaS applications which fall into the unmanageable category more often than not. This shift in buying behavior is driving product roadmaps away from security features like single-sign and further towards the features users are asking for.

Popular Unmanageable Application examples

  • Applications: Twitter, Evernote, Facebook, Mailchimp, Brex, Wistia, PayPal, Todoist
  • Hardware: Most IoT devices