A few months ago, I was asked to write an excerpt on shadow IT for an e-book. I had to decline because I didn’t know much about shadow IT. Heck, I didn’t know anything about shadow IT—or so I thought. I just didn’t recognize it by that name. It turns out that it is a topic I’ve touched on; that whole idea of employees using outside technology, particularly cloud technologies, for business purposes but doing so without permission from the IT department. Thanks to free applications, downloads and the rise of BYOD, shadow IT has become common in the workforce. A study released earlier this year by Frost & Sullivan Stratecast and commissioned by McAfee defined shadow IT in this way:
SaaS applications used by employees for business, which have not been approved by the IT department or obtained according to IT policies. The non-approved applications may be adopted by individual employees, or by an entire workgroup or department. Note that we specified that the non-approved applications must be used for work tasks; this study is not about tracking employees’ personal Internet usage on company time.
The study went on to reveal that 80 percent of those surveyed admitted to using unauthorized SaaS applications, with nearly a quarter of them saying that the reason was efficiency. Unapproved and unauthorized SaaS apps allowed them to do their jobs better.
A new white paper from Landesk warns that serious risks lurk among the rogue applications used by employees. For example, the paper states:
Without the rigorous research that IT organizations undertake for new IT cloud vendors, employees or departments that go it alone may relinquish control of their data unknowingly. In addition, data that includes intellectual property is more vulnerable. What happens if the employee leaves and user names and passwords have not been accounted for?
This laissez faire governance exacts a high price, according to the study. A May 2014 study by Ponemon established a cost of $201.18 per lost or stolen customer record. When survey respondents were asked how the current use of cloud services at their companies might impact the probability of a breach, the result was three times.
The solution, according to the Landesk white paper, is to focus on the employees rather than on the devices. It’s a matter of working closely with employees and rather than punishing them for going rogue with their application use, instead talk to them to find out what they are using and why. IT departments might be surprised to find that what their employees are using is actually more beneficial to the organization than the company-approved apps. Or they might find that the employees are unknowingly creating a whole new level of risk with their behavior.
It all comes down to communication. Employees should know why using their own applications outside of IT can be a security threat to the organization, but at the same time, the employees should not feel that they will be punished if they come forward. It’s a matter of working together to improve security efforts.