I write a lot about insider risks and the damage they can do to a company’s security operations. The default thinking about insider threats is almost always one of two situations: purposely malicious activity (someone taking advantage of privileged access to steal data, for instance) or accidentally harmful activity (clicking on a phishing link). However, we need to take a much closer look at shadow IT and the risks it causes.
New research from Spiceworks does just that. It found that while the vast majority of IT professionals (92 percent) said any of the applications, especially cloud applications, used on the company network should be vetted for security, that vetting isn’t happening. Instead, Spiceworks reported:
… more than 80 percent of IT pros said their end users have gone behind their back to set up unapproved cloud services, with a whopping 40 percent reporting their users "going rogue" five or more times.
This is making data more vulnerable than ever, the report added. This is, in part, because of shadow IT use and the difficulty in tracking where and how much data are being stored outside of sanctioned apps and networks.
It is also, in part, due to the security problems that continue to linger in cloud computing. A Lieberman Software survey found that nearly three-quarters of IT professionals want to keep sensitive corporate data out of the cloud, and 43 percent said it is too difficult to secure data when it is stored in a cloud application. In addition, eSecurity Planet pointed out results from a Ping Identity survey:
Fully 82 percent of respondents said security has become more challenging as they have moved to the cloud, and 67 percent said they've purchased more security tools as they've implemented cloud solutions.
It’s no wonder, then, that IT professionals are worried about the risks involved with shadow IT. However, IT professionals are contributing to the problem. As a Network World article pointed out, IT professionals are also guilty of using shadow IT:
… since team leaders worked within specific technology domains, their solutions were built within that domain with no consideration of whether other technologies might be more suitable.
What can be done to decrease the security risks that shadow IT poses? IT professionals need to be more responsive to employee requests regarding the use of applications. Many employees see these apps as a way to improve productivity and efficiency, but if IT isn’t acknowledging or responding to requests in a timely manner, these employees just go forward on their own. It may also be that the tools available to employees aren’t easy to use or make work projects more cumbersome. Talking to and listening to employees about what will make their job duties easier to conduct can go a long way in preventing shadow IT use. No, the employee may not always get what he wants – that favored app may be too risky to use for work – but a conversation at least gets the word out.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba