Choice and Control are Key to Thwarting Shadow IT

What does it take for a Software as a Service (SaaS) app to appear on the list of top Shadow IT offenders?  According to a recent survey, not much.

Stratecast and McAfee conducted a survey with over 600 IT and Line of Business employees about their use of SaaS (authorized and unauthorized) in the workplace. Results are published in the Stratecast research paper, The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security Posture.

Non-approved SaaS spans every category of business software. The top category is business productivity (e.g., Microsoft Office 365, Google Apps), with 15 percent of all employees admitting to using these non-authorized applications. Such software is used by nearly all employees, nearly every day, in nearly every job, so it is not surprising that many have developed strong preferences for a particular package.

Social media applications, led by LinkedIn and Facebook, are used by 12 percent of respondents without official approval.  Many companies are still working through their social media policies, in some cases limiting “official” social media use to the public relations or customer care departments.  Use of such business tools by other employees may occur beyond IT’s purview.  However, unmanaged use of such platforms can invite risk to the corporate reputation as well as potentially violate security or compliance policies.

Perhaps more surprising is the widespread and growing departmental use of non-approved SaaS in categories associated with critical or proprietary data, for example HR, legal, and financial systems. By circumventing or ignoring corporate mandates, these departments are exercising their right to choose the software they believe will best support their business goals. Yet in doing so, they may be introducing security and compliance risks.

The survey results show a clear message from employees:  Let us decide what software tools we use to do our jobs. 

IT leaders would do well to heed that message.  When it comes to selecting software tools, IT rarely has the purview or depth of knowledge to make the right choice for every employee in every department. And rarely is the same tool appropriate for all employees.  As we have seen in previous blogs, employees just want to do their jobs faster, better, and more easily – and only they are positioned to understand what that will take.

However, for those entrusted with protecting corporate data assets, employee choice brings not only challenges, but risk to the business.  Therefore, the answer is to support SaaS choice – but install controls over how the software is used.  This approach shifts the role of IT from purchaser of SaaS to protector of data and employees.

Here are suggestions for establishing a SaaS-friendly yet controlled environment in your business:

  • Allow SaaS choice. Start from a presumption that employees should have some choice over the software they use. Instead of selecting one SaaS vendor for each function, seek to offer a broad range of the most popular business software applications – and make sure your security solution allows your employees to access them securely.
  • Make sure your security solution is transparent and comprehensive.  Choose a solution that automatically and proactively performs security tasks, such as protecting against malware, blocking undesirable URLs, and preventing outbound leakage of sensitive data.
  • Mitigate risks in commonly used applications. Look for a solution that offers policy-based control over sub-functions of commercial software—for example, allowing users to access Facebook but restricting the “chat” function, or automatically encrypting files before they are uploaded to a file-sharing site such as Dropbox.
  • Make sure your business safeguards data and complies with privacy regulations. Data loss prevention, available as an integrated feature in some secure web gateway solutions, can monitor SaaS traffic for sensitive information, such as credit card numbers, and (based on your preference) encrypt or even block the data and issue an alert.
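As an added illustration of the data loss prevention control described above (example code written for this post, not McAfee's or Stratecast's), here is a minimal outbound-traffic check that looks for card numbers in an upload, uses the Luhn checksum to discard digit runs that merely look like a card number, and applies a per-destination policy of allow, alert or block. The hostnames, payloads and policy table are constructed.

```python
from __future__ import annotations
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most order numbers and IDs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in an outbound payload."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep only the first six and last four digits so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def dlp_decision(destination: str, body: str, policy: dict[str, str]) -> tuple[str, list[str]]:
    """Return (action, masked findings); policy maps a SaaS host to allow/alert/block, default block."""
    pans = find_pans(body)
    if not pans:
        return "allow", []
    return policy.get(destination, "block"), [mask(p) for p in pans]

# Constructed sample uploads and a hypothetical policy: the approved HR app only alerts.
POLICY = {"hr.example.com": "alert"}
SAMPLE_UPLOADS = [
    ("dropbox.com", "expense notes, card 4111 1111 1111 1111 on file"),
    ("facebook.com", "order ref 1234567890123456 shipped"),  # fails Luhn: allowed
    ("hr.example.com", "reimburse card 4111111111111111"),
]

def run_samples() -> list[tuple[str, str]]:
    """Apply the policy to every sample and return (host, action) pairs."""
    return [(host, dlp_decision(host, body, POLICY)[0]) for host, body in SAMPLE_UPLOADS]
```

A real gateway would run this on decrypted TLS traffic and on file contents rather than on plain request text, but the detect, validate, then apply policy sequence is the same.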

Shadow IT occurs when IT policies do not keep pace with employees’ needs, preferences, and ability to procure the SaaS tools they need to do their jobs. Rather than fighting a losing battle to restrict employees’ SaaS usage, IT should support employee choice without compromising the company’s security or exposing it to liability. The right security solution can help you find the balance between choice and control.

For more information about how to handle Shadow IT, see the Stratecast report, The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security Posture.
