Stay in the shadows

Is shadow IT really the dark and terrible force that it was once made out to be, or can it perhaps be harnessed for the betterment of the business?


Johannesburg, 08 Jun 2017
Christo van Staden, Regional Manager, sub-Saharan Africa, Forcepoint.

The Netskope 2016 Cloud Report found more than 900 apps are being used in the average organisation, and three-quarters of these would not pass the compliance test. Intel's annual cloud security survey found that, globally, 66% of businesses have a public cloud service that wasn't commissioned by IT. For most organisations, it isn't so much that shadow IT might become a problem as that shadow IT is already there.

"Human beings have the inherent desire to seek out effective tools that will assist them in getting the job done faster, with less effort and with improved outcomes," says Christo van Staden, Forcepoint Regional Manager, sub-Saharan Africa. "In large organisations and enterprises, these tools may not exist, or they may be less efficient than users would like, so employees look for solutions independently."

Some of the most common examples are cloud storage and collaboration apps such as Dropbox or Trello or Google Docs. These are so popular, users have downloaded them onto mobile devices and computers to help them work more efficiently and use the most recent technology. While these are effective and feature-rich, there is a lack of control and visibility and this introduces risk.

"Unsanctioned technology is most often the by-product of one simple truth - we can't stop what we can't see," says Van Staden. "This is why shadow IT is such a golden, double-edged sword. We can't overlook the all-critical information element and how important it is to the business that assets be protected. There needs to be visibility into user behaviour, adjustments around how we approach security so it focuses on people, and an understanding as to how they use, or intend to use, data."

On the positive side, shadow IT is an incredible phenomenon. It takes the shackles off employees and allows them to become truly adventurous, pushing the boundaries of innovation from anywhere they happen to be. Enquiring minds can experiment with well-designed tools, find their perfect fit and get immediate results. This is a process that would usually take months within the enterprise structures, if it is even sanctioned in the first place.

"IT's ability - sanctioned or unsanctioned - to share ideas and provide input on everything from code to marketing plans, is a big trend," says Van Staden. "Developments within the collaboration space are perhaps the most intriguing in terms of potential and impact. The ability to enable talented resources to share ideas around a virtual table, across borders, industries and countries, is powerful."

That said, with power comes great responsibility, and shadow IT's biggest driver - people - is also its biggest downfall. People have access to sensitive data and can potentially share this on apps or services that aren't secure enough, or that aren't compliant within the organisation's structures. Security needs to make allowances for bad mistakes or disgruntled employees and find ways of tracking and monitoring behaviour to identify anomalies and mitigate risk.

"When IT is sanctioned, you know where that custom app comes from and what information it saves," says Van Staden. "When it isn't, it could be infected with anything from spyware to ransomware, putting sensitive data and the organisation at risk. It is important to keep the data top of mind and ensure the appropriate controls are in place - this is critical when harnessing the potential of shadow IT."

Society has become incredibly comfortable with the digital universe, which is now an intuitive part of daily life. This familiarity creates a culture where transacting digitally is second nature. Most organisations and employees accept they can engage commercially with anyone in the world, from any device, from anywhere. It is a powerful reality, but it needs to be tempered by wise security and an awareness of the risks involved. Employees need to be trained and educated, shown why apps not approved by IT are potential risk factors that will lose them jobs and reputations, and guided towards using apps and services that support their roles without the risk. Organisations need to find security strategies that embrace some of the solutions presented by shadow IT, be it an approved app store or an internal dialogue around awareness and system specification.

"From a security perspective, only the data matters," says Van Staden. "It's less about access to information - many people have access to sensitive data - than it is about what we plan to do with it. To understand intent, we need to have visibility into behaviour. Subtle adjustments to how we approach security that focuses on people and how they use or intend to use data will allow organisations to extract the value hidden inside shadow IT."