According to McAfee, the explosion of cloud-based software-as-a-service (SaaS) has significantly contributed to the growth of what has become known as ‘shadow IT’ in the workplace. Shadow IT sounds scary, but what is it really? You can think of it as employees using business applications that aren’t on the corporate menu. Shadow IT is detrimental for the long-term stability of organisations, and despite its good intentions, puts companies at greater security risk.
In a Cisco study last year, CIOs were asked how many cloud apps their business users were running in the shadows. Their answer: fifty. The real answer? Seven hundred and thirty. Clearly, shadow IT is a bigger problem than most CIOs realize. But it causes many concerns for both the IT department and the business as a whole, especially when it comes to the security of company data.
The most common technologies being implemented through shadow IT tend to be consumer-grade technologies and popular consumer apps such as Facebook and Google Apps, partly because of the ease of implementation, but also because they are very popular with employees. However, applications like these bring with them very loose security measures which can jeopardise a company’s overall data security programme.
How can shadow IT in the workplace be prevented?
- Processes – We’ve written before that, when combined, people, processes, and technology are the magic combination for a successful security organization. When it comes to processes, automation is key. An effective way to streamline security processes is to automate configuration auditing, security updates, and vulnerability scanning, among others. This way, key processes can happen faster, keeping your security posture stronger.
- Social – Amazingly, many large enterprises are still using siloed legacy systems that hamper communication across the business and restrict employees in what they can do with the technology available to them. Instead, all businesses should be paying close attention to social functionality when reviewing their IT systems. Innovation in this area can be used to create user interfaces that are similar to employees’ favourite consumer websites, and can often lead to new ways of communicating across the business.
- Elect a Leader – Choose someone whose job it is to lead security efforts. For larger teams, this may be a ready-made choice, like the CISO or security manager. But for smaller teams, it may be someone from IT or DevOps. Whatever the case, the important thing is that all communication and decisions for security-related matters go through this person.
- Mobile – Whilst many businesses now have mobile friendly consumer facing websites, internal communications often lack this same mobile capability. Forward-thinking business that make investments in improving the internal mobile experience and invest in business-to-employee tools can make aspects of their employees’ jobs much easier, faster and more enjoyable. In turn, employees will not need to resort to using their own devices or their preferred programs and applications.
A lack of communication is at the heart of the Shadow IT issue, and an empowered security leader can facilitate the right conversations and share information across teams to ensure that incentives are aligned at the end of the day. Whilst there are a lot of operational issues brought about by the shadow IT trend, it must also be noted that there can be some benefits as well. The instant reaction to employees using unsecured or unapproved software or applications may simply be to ban them, yet businesses should first take a step back to look at employee engagement with the technology tools that they are choosing to use. Ultimately, employees will do as they wish to some extent, but those businesses that show willingness to compromise and listen to their employees’ wishes will fare best in the long run.
Scope Logic are Security Leaders who can assist your business manage the evolving world of system security and the risk of Shadow IT, complete the following survey to go into a competition to win a System Health Check, Consultation and Vulnerability Assessment Program valued at over $3,500.00.