Shadow IT: The Dangers Lurking on Your Network, In the Cloud
Users consider lots of freely available cloud apps necessary to get their jobs done. Those same apps give IT anxiety because of the security implications they bring when attached to the organization's networks. Are those concerns real or imagined?
We have all seen how today's online knowledge work force takes advantage of the productivity shortcuts that cloud applications offer them. Sharing a file through Hightail or Dropbox is commonplace for anyone wishing to quickly get files in their business partners' hands. Most don't even think twice before opening a link from a cloud file-sharing application when they are expecting an important document.
Frequently, these cloud file-sharing applications are being used without regard to company IT security policies, creating a security hole in business networks. While not malicious in intent, as employees are just trying to get their jobs done, data is being transmitted to and from many networks without the support or even the awareness of the IT department. Frost & Sullivan broadly defines "shadow IT" as SaaS applications used by employees for business which have not been approved by the IT department or acquired according to IT policies.
To determine the extent of the use of unapproved SaaS applications in the workplace, McAfee employed Frost & Sullivan Stratecast to pierce through the shadows. They surveyed more than 1,000 employees at enterprises in North America, the UK, and Australia/New Zealand in September of 2013. These employees identified themselves as either "decision-makers" or "influencers" of software adoption in their companies.
What was uncovered is that shadow IT is rampant. More than 80 percent of survey respondents admit to using unapproved SaaS applications in their jobs, circumventing security policies to quickly get their jobs done. Almost a quarter (24 percent) of all users stated that this unapproved software meets their needs better than the IT-approved equivalent. The result is that more than one-third (35 percent) of the SaaS applications used in organizations are both unapproved and unsupervised.
SaaS file sharing is one application category that can increase employee productivity because of the ease of online communication and collaboration. The survey indicates that more than two-thirds of employees use SaaS file-sharing, storage, and backup applications in their jobs. However, 11 percent admitted that their SaaS file-sharing, storage, and backup applications were adopted without IT approval.
However, is there any real reason for concern? Are IT security teams simply being control freaks, or is there really a reason to be so concerned about cloud file sharing and storage? Is there really any harm?
Based on our survey findings, they do have every reason to be concerned. These unauthorized data flows make it extremely difficult for businesses to comply with various regulations and maintain a strong security posture. There is high risk in having unauthorized and unmonitored data flows in and out of your business. The research uncovered that security incidents involving SaaS file sharing applications are not all that uncommon.
On average, 16 percent of employees have experienced a security-related incident with file-sharing, storage, and backup SaaS applications -- and this is cause for alarm.
Of those that experienced a security incident with Dropbox, 24 percent involved unauthorized access by a malicious actor or criminal and 19 percent involved stolen corporate or personal data. Given the widespread use of Dropbox, IT departments should take notice.
Similar incidents were discovered with regard to Hightail usage. More than a third of all companies reported that sensitive data leaked out of their organization when they had a security incident with Hightail. Another third reported being infected by viruses or malware.
Users of Microsoft SkyDrive who had experienced security incidents with that application reported that 38 percent of the incidents involved unauthorized access to encrypted data and about 28 percent involved sensitive data being leaked outside of their organization. (As of the survey, SkyDrive was renamed OneDrive.)
And unapproved SaaS usage extends far beyond just cloud file sharing. Desktop productivity tools such as Google Apps and Microsoft Office 365 are also used in the shadows and prone to security incidents. In fact, 17 percent of Google Apps users experienced some sort of security incident -- 27 percent of those involved sensitive data leaks. Other SaaS tools, such as collaboration and communication applications, are also widely used and prone to security issues. For example, 21 percent of Skype users reported a security issue, and 30 percent of that group said corporate or sensitive data was stolen via this application.
What's an IT Manager to Do?
In the age of bring your own device (BYOD) and bring your own IT (BYOIT), it's time to look for a win-win situation. Trying to block these popular file-sharing applications outright can just lead to more unofficial routes of communication and collaboration, further endangering your organization's security. And remember, that guy in marketing is just trying to get his job done. He is not out to get you; he is actually working as effectively as he knows how.
We advocate providing access and supporting a broad range of applications, working with business line managers to uncover which ones best meet their needs. However, be sure to put processes and filters in place to monitor and secure these applications. Implement a security solution that transparently enables secure access to SaaS applications, protects against malware, and prevents data loss.
Take a look across all SaaS applications to see what is being used in the shadows of your network, understand why employees are using it, enable it, and then secure it. If you can prove you are able to balance employee freedom and productivity with securing company data, your IT department will get the recognition they deserve and won't need to worry about vulnerable applications operating in the shadows.
David Bull is McAfee Senior Product Marketing Manager for McAfee's SaaS and on-premises Web and Email protection technologies. He has more than 13 years of experience with both enterprise and SMB focused software, and joined McAfee through the acquisition of Secure Computing in 2008.