Shadow IT is undermining your security
A new study from McAfee illustrates the ways shadow IT (employees going rogue and using unauthorized devices or apps) is affecting security
By Tony Bradley
December 04, 2013 — CSO — Once upon a time, not so long ago, the IT admin chose exactly what hardware and software would be used by employees. Recent trends like the consumerization of IT and BYOD (bring your own device) have shifted the balance of power, but IT still has to maintain some degree of control over the applications used and where sensitive data is stored. Many users just download apps or start using unsanctioned services, though, and introduce unnecessary security risks through "shadow IT."
McAfee sponsored a study by Frost & Sullivan to investigate the scope and impact of shadow IT, specifically SaaS (software-as-a-service) applications being used by employees without the knowledge or consent of IT, or sometimes in direct contradiction to established IT policies. The study focuses specifically on apps that are used for work functions—not games or personal services.
That distinction is important, because it gets to the crux of the issue. Sure, employees will spend time updating Facebook, shopping on Amazon, or killing time with Angry Birds. Those are all activities that should be governed by IT policies, and monitored in some way by the IT admin. However, when an employee identifies a legitimate need that isn't being met by the approved applications and services, and goes rogue to find his or her own solution, it's in the organization's best interests to try and understand why, and figure out how to meet the need rather than just blocking access or banning the service.
Shadow IT adds risk and potentially exposes the network or company data to compromise. The worst part is that the IT admin is not even aware that the shadow IT apps are being used, or which ones are being used and by whom, so it's impossible to effectively mitigate the risk and protect the network.
The Frost & Sullivan study found that 80 percent of the respondents admit to using non-approved SaaS applications to get their jobs done. That's four out of five employees using apps the IT admin is not even aware of. Based on feedback from the respondents, it seems that a third or more of the apps that are used are actually acquired and used without the consent or oversight of IT.
These aren't malicious attempts to circumvent policy or subvert the authority of the IT admin. In most cases, users are simply trying to get their jobs done in the most effective and efficient way they can. If they identify a need and find a SaaS tool that helps them get the job done, they just do what they have to do to fill the need.