by NoPicklez 692 days ago
Having also worked with many corps around this area for many years

It also comes down to appropriate procurement processes. Employees should not be able to buy or procure anything without requiring them to assess the inherent risks that service will introduce. Those risks include the cyber/information security related risks of that service including SaaS platforms.

You should not be able to purchase and use any technology service without a risk assessment, and that includes SaaS platforms, to identify whether the information you're providing to that platform is secure.


The biggest challenge is that there's an abundance of SaaS tools that are free to use or have extensive free trials. This often lures employees into "just trying" a platform and ending up importing critical company data.

Slack and Loom are great examples of SaaS that profited from being "Shadow IT". They gained traction by employees quickly self-onboarding onto the free plan, without their IT or Security knowing what data was being shared.

If you block marketing from using the tools they want, they will do it anyway, but using personal email addresses like Gmail or something like that, especially with the generous free tiers.
Which makes it even worse, because you cannot detect that then :/

Shouldn't people just be able to try out new things? How can a company be innovative otherwise? And at a specific point (e.g. putting customer data into it), they need to start a proper vendor assessment process.

People can absolutely try new things, but time and time again you cannot trust people to not put sensitive data into those platforms and they continually do.

It's always a balance of information security awareness, culture and technological solutions within an organisation.

100%. Instead, keep track of where they sign up with their business email and explain why they can't use those tools.
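One practical way to "keep track of where they sign up with their business email" is to watch inbound mail for account-creation messages from vendor domains that have not been through procurement review. The script below is an added example, not code from anyone in this thread; it assumes a constructed pipe-separated mail-gateway log format (`timestamp|sender|recipient|subject`), a constructed approved-vendor list, and a heuristic set of sign-up subject phrases. The output is an inventory of unreviewed vendors and the mailboxes that signed up, which is the starting point for the follow-up conversation the comment describes.

```python
"""Inventory SaaS self-sign-ups from business mailboxes by scanning inbound mail logs.

Added example, not from the thread. Assumes a mail-gateway log with one
pipe-separated record per inbound message (constructed format):
    <ISO timestamp>|<sender address>|<recipient address>|<subject>
"""
import re
from collections import defaultdict

# Subject phrasings that account-creation flows commonly use (heuristic, assumed;
# tune against your own gateway's history).
SIGNUP_SUBJECT = re.compile(
    r"\b(welcome to|verify your (email|account)|confirm your (email|account)|"
    r"activate your account|your .* trial)\b",
    re.IGNORECASE,
)

# Vendors that have already passed the procurement / risk assessment (constructed).
APPROVED_VENDOR_DOMAINS = {"slack.com", "atlassian.com"}

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z|noreply@loom.com|alice@example.com|Welcome to Loom! Verify your email
2024-03-01T09:15:44Z|no-reply@slack.com|bob@example.com|Welcome to Slack
2024-03-01T10:02:10Z|billing@loom.com|alice@example.com|Your invoice for March
2024-03-01T10:30:00Z|hello@notion.so|carol@example.com|Confirm your email for Notion
2024-03-01T11:05:21Z|team@loom.com|dave@example.com|Welcome to Loom
"""


def parse_line(line):
    """Split one log record into its four fields."""
    ts, sender, recipient, subject = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "sender": sender, "recipient": recipient, "subject": subject}


def sender_domain(address):
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def find_unapproved_signups(log_text, approved=APPROVED_VENDOR_DOMAINS):
    """Return {vendor_domain: sorted business recipients} for sign-up mails
    that came from vendors not on the approved list."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only account-creation style subjects count; invoices, digests etc. are ignored.
        if not SIGNUP_SUBJECT.search(rec["subject"]):
            continue
        domain = sender_domain(rec["sender"])
        if domain in approved:
            continue  # already reviewed, nothing to follow up on
        hits[domain].add(rec["recipient"].lower())
    return {d: sorted(users) for d, users in hits.items()}


if __name__ == "__main__":
    for vendor, users in sorted(find_unapproved_signups(SAMPLE_LOG).items()):
        print(f"{vendor}: {len(users)} sign-up(s) -> {', '.join(users)}")
```

Run on the constructed log this reports `loom.com` (two mailboxes) and `notion.so` (one), while the Slack welcome mail is skipped because that vendor is already approved and the Loom invoice is skipped because its subject is not a sign-up. The heuristic catches only sign-ups made with the business address, which is exactly the gap the earlier comment points out: sign-ups via personal Gmail accounts never transit the corporate gateway and need a different control (for example, data-loss prevention on uploads or browser-level SaaS discovery).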