The biggest challenge is that there's an abundance of SaaS tools that are free to use or have extensive free trials. This often lures employees into "just trying" a platform and ending up importing critical company data.
Slack and Loom are great examples of SaaS that profited from being "Shadow IT". They gained traction by employees quickly self-onboarding onto the free plan, without their IT or Security knowing what data was being shared.
If you block marketing from using the tools they want, they will do it anyway, but using personal email addresses like Gmail or something like that, especially with the generous free tiers.
Which makes it even worse because you cannot detect that then :/
Shouldn't people just be able to try out new things? How can a company be innovative otherwise?
And at a specific point (e.g. putting customer data into it), they need to start a proper vendor assessment process.
People can absolutely try new things, but time and time again you cannot trust people to not put sensitive data into those platforms and they continually do.
It's always a balance of information security awareness, culture and technological solutions within an organisation.