Taking Shadow IT Out of the Shadows
by Lynda Stadtmueller, Program Director, Stratecast Cloud Services
Look around your office. Flip through your business contact list. Chances are that four out of five of your colleagues are violating company IT rules.
This startling revelation comes from a recent Software-as-a-Service (SaaS) survey conducted by Stratecast and sponsored by McAfee. The survey set out to examine “shadow IT,” defined as employees’ use of non-approved SaaS applications to do their jobs. Results are published in the Stratecast research paper, The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security Posture.
It turns out that the workplace is teeming with non-approved applications. More than 80 percent of employees worldwide are circumventing company policy to choose and use their own SaaS applications. And it’s not line of business (LoB) employees that are “going rogue.” Your IT employees, supposedly the guardians of your corporate digital assets and resources, are slightly more likely than other employees (83 percent for IT, versus 81 percent of LoB employees) to ignore company rules regarding approved SaaS usage.
The issue goes beyond individual employees logging into LinkedIn to check out a customer. In many cases, whole departments are effectively thumbing their noses at corporate policies and choosing and installing SaaS apps to run their organizations. 78 percent of respondents indicated their departments utilize non-sanctioned SaaS apps, even for sensitive workloads such as HR, finance, and legal.
Nor is the usage limited to an app or two. Individual employees average just over three non-approved SaaS apps to do their jobs. IT employees are more likely to be multiple offenders: 19 percent of IT employees say they use more than six unauthorized apps, versus just 4 percent of LoB users.
With numbers like these, it’s clear that “shadow” IT is no longer in the shadows; it has become the norm for business technology adoption.
The causes are easy to trace. The cloud model—and SaaS in particular—lends itself to employees’ striking out on their own. Self-service sign-up portals; access via any Internet connection; free or low-cost, credit card billed subscriptions: all these SaaS characteristics empower individuals to take control of their technology and largely render the IT department moot. Employees have become savvy consumers of technology in their personal lives; they feel equally confident about choosing applications in a business venue.
Yet unfettered individual SaaS decisions can introduce security and compliance risks, performance issues, and inefficiencies to the corporation. Employees understand this, to some extent: in future blog postings, we will take a closer look at employee perceptions and experience with risk factors associated with SaaS usage.
Nonetheless, employees believe the productivity gains they realize by choosing their own SaaS applications offset any corporate risks – a perspective that is unlikely to be shared by corporate IT, security, and compliance officers, who have a broader purview and scope of responsibility.
The challenge for the business is to create the right balance between employee flexibility and corporate asset protection. SaaS policies should support employees’ need and desire to choose the tools that will best allow them to do their jobs—but also ensure standards for availability, security, and compliance.
To have it all, you will need to:
- Ditch the dictatorship. Gone are the days when the IT department had full authority over all technology use. The Bring Your Own Device movement has spawned its software counterpart—Bring Your Own Application. And that’s a good thing: when your employees have freedom over how they do their jobs, they are more satisfied—and more likely to come up with the kind of efficient, creative business solutions you need to stay competitive. Instead of authoritarian rule, build a SaaS policy that gives employees the ability to choose the best applications for their needs.
- Be inclusive, rather than exclusive. There are thousands of commonly used business SaaS products on the market. Don’t force your employees to use just the ones you have approved. Instead, implement a security solution that can provide your employees with access to a broad range of recognized SaaS options, but without compromising your enterprises assets.
- Protect your employees from themselves and others. Giving freedom to select applications doesn’t mean abdicating responsibility. Evaluate a comprehensive security solution, like McAfee® Web Gateway, that can transparently track both inbound and outbound web traffic and provide protection against malware, block undesirable URLs, prevent outbound leakage of sensitive data, and enforce acceptable usage policies.
Employees turn to shadow IT as a way to readily access the tools they believe they need to do their jobs. Help your company bring shadow IT into the light of day with an inclusive SaaS policy backed by a robust security solution that protects users and company assets.
For more information about how to handle Shadow IT, see the Stratecast report, The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security Posture.