Shadow IT: Creeping Up on You

I’m all for cloud growth but not if it’s in the shadows of corporate IT policies.
Inevitably unsanctioned cloud deployments will come back to bite the business — via substandard security, data loss, inconsistency, duplication of effort, or plain ‘ol under-the-radar (and hence un-managed) costs.
The study summarized below indicates that shadow IT cloud deployments are a lot more pervasive than commonly thought.
Summary article by Fred Donovan in FierceITSecurity.
Emphasis in red added by me.
Brian Wood, VP Marketing
———

Shadow IT has hidden risks, warns study

A full 80 percent of 600 IT and line of business decision-makers surveyed by Stratecast on behalf of McAfee admit to using non-approved cloud applications in their jobs, a practice known as Shadow IT.
More than one-third of all SaaS applications in the enterprise are not approved by the IT department, the study estimates.
Surprisingly, IT employees use a higher number of non-approved software-as-a-service applications than other company employees, the survey found.
More than one-third of IT respondents use a non-approved SaaS app because, “it allows me to bypass IT processes,” and 18 percent agreed that IT restrictions “make it difficult to do my job.”
Microsoft Office 365 is the top unapproved SaaS application, with 9 percent of respondents admitting to using that app, followed closely by Zoho with 8 percent, LinkedIn with 7 percent and Facebook with 7 percent.
Not surprisingly, these non-approved apps have led to security incidents, with 15 percent of SaaS users experiencing a security, access or liability event.
“Without appropriate knowledge, non-technical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption. They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches,” says Lynda Stadtmueller, program director of the cloud computing analysis service at Stratecast, a division of Frost & Sullivan.
Adds Pat Calhoun, general manager of network security at McAfee: “With over 80 percent of employees admitting to using non-approved SaaS in their jobs, businesses clearly need to protect themselves while still enabling access to applications that help employees be more productive. The best approach is to deploy solutions that transparently monitor SaaS applications and other forms of web traffic, and uniformly apply enterprise policies, without restricting employees’ ability to do their jobs better.”
http://www.fierceitsecurity.com/story/shadow-it-has-hidden-risks-warns-study/2013-12-04
——-

McAfee Finds Eighty Percent of Employees Use Unapproved Apps at Work

SANTA CLARA, Calif.–McAfee has released the results of a market research survey designed to uncover the extent and risks of unauthorized Software-as-a-Service (SaaS) applications. The study, conducted by Stratecast, a division of Frost & Sullivan, found that more than 80 percent of survey respondents admit to using non-approved SaaS applications in their jobs. Furthermore, IT employees use a higher number of non-approved SaaS applications than other company employees.These SaaS applications are also referred to as “Shadow IT,” which is broadly defined as the use of technology solutions within an organization that have not been approved by the IT department or obtained according to IT policies. Frost & Sullivan estimates that the overall SaaS market in North America alone will grow at a rate of 16 percent CAGR, reaching a market value of $23.5 billion USD by 2017. The cloud also makes it relatively easy for employees to acquire and deploy SaaS applications without involving the IT department. As a result, many applications are used by corporate employees and others (such as contractors or business partners) without the participation or approval of the corporate IT department.
Research Highlights:

  • More than 80 percent of survey respondents admit to using non-approved SaaS applications in their jobs.
  • Nearly 35 percent of all SaaS applications used within the enterprise are non-approved, contributing to Shadow IT.
  • Microsoft Office 365 is the top unapproved SaaS application (9 percent of respondents), followed closely by Zoho (8 percent), LinkedIn (7 percent) and Facebook (7 percent).
  • On average, 15 percent of users have experienced a security, access, or liability event while using SaaS.
  • IT professionals use Shadow IT more than business users (81 percent of Line of Business users, and 83 percent of IT users).
  • 39 percent of IT respondents use unauthorized SaaS because, “it allows me to bypass IT processes”, while 18 percent agreed that IT restrictions “make it difficult to do my job.”

“There are risks associated with non-sanctioned SaaS subscriptions infiltrating the corporation, particularly related to security, compliance, and availability,” said Lynda Stadtmueller, program director of the Cloud Computing analysis service within Stratecast. “Without appropriate knowledge, non-technical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption. They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches.”
So what makes these employees act rogue and deploy non approved applications? In many cases it is not malicious at all – in fact they are trying to do their job better, or make it easier. In a hypercompetitive global business environment, in which companies are looking to increase tight margins, employees are increasingly being measured on results, in some cases, with their jobs at risk. So they will do whatever it takes to meet their job objectives, which presumably contribute to the company’s own business objectives.
“With over 80 percent of employees admitting to using non-approved SaaS in their jobs, businesses clearly need to protect themselves while still enabling access to applications that help employees be more productive,” said Pat Calhoun, general manager of network security at McAfee. “The best approach is to deploy solutions that transparently monitor SaaS applications and other forms of web traffic, and uniformly apply enterprise policies, without restricting employees’ ability to do their jobs better. These not only enable secure access to SaaS applications, but can also encrypt sensitive information, prevent data loss, protect against malware, and enable IT to enforce acceptable usage policies.”
With SaaS application adoption continuing to grow, companies need to develop policies that strike the right balance between flexibility and control. IT and business leaders need to work together to create and support policies that enable employees to use the apps they need to be productive, with controls in place to protect data and minimize corporate risk. McAfee offers organizations the solutions that can provide the access, security, and control needed to meet the growth of SaaS applications.
About the Study:
The survey questioned more than 600 IT and line of business decision-makers or influencers in North America, the UK, Australia and New Zealand. Two-thirds of the employees surveyed came from companies with 1,000-10,000 employees, and one-third from companies with more than 10,000. To view a copy of the full report visit www.mcafee.com/us/resources/reports/rp-six-trends-security.pdf.
About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence network, McAfee is relentlessly focused on keeping its customers safe. http://www.mcafee.com