One of the big IT trends of 2014 has been shadow IT, which is commonly defined as when employees bring their own tech into the workplace to make their jobs more efficient. Shadow IT can take the form of an extra WiFi router in a remote part of the building, mobile devices that are unsupported by the corporate IT department – or even a part of the company that purchased cloud services from an outside vendor, without the approval of the company.
While employees may feel that they’re taking initiative and finding ways to get their jobs done (and serve customers) better and faster, shadow IT has risks inherent in it that can harm the entire company. Security may not be at the same level as the rest of the company’s IT systems, potentially exposing company IP or employee/customer data to cybercriminals. Unknown tech may harm a company’s efforts to be in compliance with industry regulations. Unknown tech may also slow down or negatively affect the systems that IT has put in place. The ends do not justify the means when it comes to shadow IT.
Recently, the Cloud Security Alliance released a study that backs this up. The “Cloud Usage: Risks and Opportunities” study found that IT professionals are gravely underestimating just how many cloud applications exist in their business environments.
54 percent of IT and security professionals said they have 10 or fewer cloud-based applications running in their organization, with 87 percent indicating that they had 50 or fewer applications running in the cloud. The survey authors believe that these estimates are far lower than what is commonly reported by vendors (and used in research reports) – which is about 500 cloud applications present, on average, per enterprise.
The survey also found that these shadow IT users – bringing their own cloud applications into the workplace environment – isn’t a problem, as they felt that little sensitive data was being stored in the cloud.
This lack of awareness points to two issues that, if you’re running IT for your company, you need to deal with immediately:
- Audit what is in use. Find out what employees are using and what they’re using it for. Even the most seemingly innocent application may be sharing critical data in the background or showing cybercriminals where something is located.
- Educate employees. Don’t just say no or restrict access. Show them how something can be a liability and needs to be adjusted.
There is also an action that you should take as the IT director: learn from what you found employees using. For them to bring in outside technology and applications should tell you something: what corporate is providing isn’t enough for them to work effectively.
If you’d like to know more, we took an early look at this trend and the idea of bring-your-own-cloud (BYOC)in Cloud Computing Journal, adding in some good tips on how to deal with shadow IT. In short, however, work with your employees to re-shape what is provided. Adopt what they’ve been using company-wide, or find safe alternatives. Review and sign-off on specific applications that can be used. Build in additional protections to company data so it can be used securely in these cloud environments.
Bring-your-own-device (BYOD) and BYOC can work as policies, as long as you don’t work against your employees – instead working with them, making them understand why both their efficiency and company security are important.