McAfee Study Finds Eighty Percent of Employees Engage in 'Shadow IT' Unapproved App Usage

For a few years now as a result of the Bring Your Own Device (BYOD) phenomena working hand in glove with the explosion in cloud-based third party business-oriented applications one of the most vexing problems for enterprise IT has been how to get a handle a seemingly runaway train named “Shadow IT.” This is the common term now used to describe when employees individually, or even entire lines of business (LOBs), in search of tools that will enable to do their jobs better decide the rewards of using unauthorized  Software-as-a-Service (SaaS (News - Alert)) applications are worth the risks.

In this case the risks of not be rewarded for better job performance trump the risks to the corporation caused by unauthorized SaaS use that exponentially increases the vectors of vulnerability of the enterprise leaving IT in a compromised position to manage risks.

How big a problem is this? According to a new study done by Stratecast, a division of research firm Frost & Sullivan (News - Alert), for security giant McAfee, Shadow IT is rampant. 

The conclusions are based on a recent survey of 600 IT and line of business decision-makers or influencers in North America, the UK, Australia and New Zealand. Two-thirds of the employees surveyed came from companies with 1,000-10,000 employees, and one-third from companies with more than 10,000.

The big takeaway is the one in the headline, 80 percent of survey respondents admit to using non-approved SaaS applications in their jobs. In a bit of a shocker it turns out that IT employees use a higher number of non-approved SaaS applications than other company employees.

Everyone is bypassing IT, including IT itself

As a bit of context, it should be noted that Frost & Sullivan estimates that the overall SaaS market in North America alone will grow at a rate of 16 percent CAGR, reaching a market value of $23.5 billion USD by 2017.  SaaS in short is simply irresistible.

Aside from the fact that it seems everyone is doing it, key findings from the survey include:  

• Nearly 35 percent of all SaaS applications used within the enterprise are non-approved, contributing to Shadow IT.
• Microsoft (News - Alert) Office 365 is the top unapproved SaaS application (9 percent of respondents), followed closely by Zoho (8 percent), LinkedIn (7 percent) and Facebook (7 percent).
• On average, 15 percent of users have experienced a security, access, or liability event while using SaaS.
• IT professionals use Shadow IT more than business users (81 percent of Line of Business users, and 83 percent of IT users).
• 39 percent of IT respondents use unauthorized SaaS because, “it allows me to bypass IT processes”, while 18 percent agreed that IT restrictions “make it difficult to do my job.”

“There are risks associated with non-sanctioned SaaS subscriptions infiltrating the corporation, particularly related to security, compliance, and availability,” said Lynda Stadtmueller, program director of the Cloud Computing analysis service within Stratecast. “Without appropriate knowledge, non-technical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption. They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches.”

The report is filled with some really interesting charts based on the surveys.  As a bit of a teaser to encourage you to download it in its entirety, the one below on drivers for adoption that includes a comparison of LOB versus IT use is one that stands out.

Source (News - Alert):  Stratecast Report, The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security Posture

The report also documents that despite willful violation of company policies and rules, respondents do not do so with malicious intent.  They do so, broadly speaking, to get ahead. “With over 80 percent of employees admitting to using non-approved SaaS in their jobs, businesses clearly need to protect themselves while still enabling access to applications that help employees be more productive,” said Pat Calhoun, general manager of network security at McAfee (News - Alert). “The best approach is to deploy solutions that transparently monitor SaaS applications and other forms of web traffic, and uniformly apply enterprise policies, without restricting employees’ ability to do their jobs better. These not only enable secure access to SaaS applications, but can also encrypt sensitive information, prevent data loss, protect against malware, and enable IT to enforce acceptable usage policies.”

Let the trend be your friend

As with much of what is taking place in the technology field in general these days, the report looks at the trends of more devices, more use of third-party cloud-based apps as not just inevitable but something to be embraced. In fact, the authors provide seven tips enterprises should consider that can leverage the value of what today is use of unauthorized SaaS, and doing so as the authors note with an approach, “That protects your business, without implementing a police state.” These include:

• Establish a SaaS policy that aligns with your business objectives.  Ensure your employees have the freedom to find creative solutions to business problems, and easy access to the tools they need to make your business successful. That calls for a broad SaaS policy, rather than a restrictive one.
• Protect your enterprise in a way that is transparent and comprehensive. Choose a security solution that protects your employees from themselves.
• Be inclusive, rather than exclusive. There are thousands of commonly used business SaaS products on the market. Don’t force your employees to use just the ones you have approved. Instead, build your policy around a security solution that can provide your employees with secure access to a broad range of recognized SaaS options.
• Mitigate risks in commonly-used applications. Rather than shut down usage of popular but risk-prone applications, implement a security solution that allows you to control their use. Look for a solution that offers policy-based control over sub-functionality of commercial software.
• Make sure your business safeguards data, and complies with privacy regulations. Data loss prevention, available as an integrated feature in some secure web gateway solutions, can monitor SaaS traffic for sensitive information, such as credit card numbers; and then (based on your preference) encrypt or even block the data, and issue an alert.
• Implement identity and access protection. This is most easily accomplished with solutions that offer strong single sign-on authentication for all SaaS applications.
• Communicate – communicate – communicate! To assure trust is maintained between IT and users, as history have already demonstrated, having policies without communication is a recipe for continued unauthorized use.  There is no alternative, and the report has a few common sense recommendations on this front that can be easily implemented.

There are two ways to look at the survey results. It can be seen as a call to action for IT to clamp down on out of control unauthorized SaaS use, or as an opportunity to not just fix but take advantage of industry trends which can be leveraged without compromising enterprise security.  As the authors correctly point out, it really is in everyone’s interest that the second view is the road to travel.