Last week, CipherCloud revealed the results of a survey regarding the use of shadow IT. The study found that of the 1,100 cloud applications used in an enterprise setting, 86 percent of those are being used without authorization of the IT department.
Fellow IT Business Edge blogger Arthur Cole believes that, despite the high use of shadow IT within the workspace, the practice’s decline is inevitable. He wrote:
Now that the cloud has taken a firm hold in the enterprise, shadow IT will diminish naturally as internal resources gain the flexibility and availability that knowledge workers require. In fact, you could argue that shadow IT is a net positive for the enterprise because it creates the impetus to shed aging, silo-based infrastructure in favor of a more flexible, dynamic environment. And ultimately, this will allow many organizations to abolish their IT cost centers entirely in order to focus resources on more profitable endeavors.
I can’t say I disagree with the premise, but from a security perspective, we can’t depend on what might happen in the future while ignoring today’s very real risks. As the CipherCloud study revealed, IT departments greatly underestimate how many shadow IT apps are being used within the enterprise. If IT departments don’t know what apps are used, how can they provide any level of protection?
However, it isn’t fair to put all the blame of shadow IT on the general work population. According to a study by Stratecast and Frost & Sullivan, 80 percent of employees are using unauthorized cloud applications on the job, and it turns out that IT personnel are among the worst offenders. My question is that if IT staff wants to use certain applications, why aren’t they taking steps to authorize the apps and improve the security efforts? Perhaps they are, but if they aren’t, then I’d say that we still have a long road ahead of us before shadow IT declines in the workplace.
Of course, IT personnel may take the attitude of their co-workers – they know there are risks, but they just aren’t that concerned about them. As a ZDNet article explained, shadow IT can be dangerous for data:
Close to half of both IT and line of business users, for example, acknowledge that shadow IT may expose valuable or sensitive data to the wrong parties. In fact, 15% of employees say they are personally aware of incidents in which data was compromised.
Lynda Stadtmueller, who wrote the report for the Stratecast and Frost & Sullivan survey, speculated that perhaps workers are just numb to all of the security threats out there. I agree, and I’ll take it one step further: A lot of people believe that a security breakdown will never happen to them, so they don’t see the point in worrying about it—especially if it doesn’t involve their personal information.
So maybe, one day, we’ll figure out a real workable solution to shadow IT, but first, it appears there has to be a huge change of attitude about how much it is being used and the risks involved.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba