“Shadow IT” is stepping out into the light of day. Business users are eagerly embracing the cloud and especially Software-as-a-Service (SaaS) in search of cost-effective productivity tools for file sharing and storage, collaboration, social media, and anything else that makes them more effective on the job. The problem is that these well-intentioned, hardworking employees are putting their organizations at risk by accessing unapproved applications that could lead to malware, data loss, or other vulnerabilities.
According to the Frost & Sullivan report, The Hidden Truth Behind Shadow IT, more than 80% of line-of-business and IT employees surveyed worldwide use non-approved SaaS applications. We are seeing a “BYOA” (bring your own application) revolution in action, and if left unmitigated, it will open up unnecessary holes in your organization. You can, however, make it a good thing from every angle if you put the right security solutions in place.
Businesses are already sold on the fact that vendor-hosted applications keep IT overhead costs down—less need for additional investments in infrastructure or time-consuming tasks like updates, testing, management, backup, or recovery. But are organizations paying dearly in other ways for all these benefits? As the report suggests, we could be our own worst enemy in this regard—and there’s a lot that can be done about that.
Let’s take a look at the top five SaaS applications commonly used in business today. Here’s what “the survey says” about companies with more than 1,000 employees. These figures reflect the percentage of respondents who said they used these applications:
- Microsoft Office 365 (49%)
- LinkedIn (46%)
- Facebook (45%)
- Google Apps (40%)
- Dropbox (36%)
So clearly, use of SaaS applications in the enterprise isn’t going away. In fact, the practice is growing.
What about the percentage of people who use unapproved SaaS applications? The report states that this ranges from 6% to 8% for individual applications. The names are familiar to all of us—and it’s not just Facebook. More often than not, users are accessing legitimate business tools like Microsoft Office 365, Zoho, LinkedIn, and Google Apps. And contrary to what one might think, the people who are “going rogue” are really just interested in doing whatever it takes to get the job done—an admirable motivation, you have to admit.
But dedication and good intentions aside, employees who deploy SaaS applications can put your organization at serious risk of data loss, breaches, or attacks. And, as the survey points out, a high percentage of users are well aware of the risks. For example, approximately 40% of both IT and line-of-business respondents perceive that sensitive corporate and personal data could be accessed or stolen by malicious actors or exposed to unauthorized users. And about 15% of participants have either experienced or perceived a security incident—malware infection, data loss, unauthorized or blocked access—associated with using a particular SaaS application.
These incidents span all categories of applications, though, not surprisingly, social media, like Facebook, LinkedIn, and Google+, top the list. Nonetheless, the level of risk involved in using these applications doesn’t seem to be affecting user behavior.
What proactive measures can your IT department take to help reduce risk and keep SaaS-related security events from potentially compromising your security posture, your valuable data, and the safety of your employees as they work?
- Establish a broad SaaS policy that provides your employees with the flexibility to be creative and use the tools they need to give your business a competitive edge.
- Provide employees with access to a wide range of applications rather than restricting their choices.
- Look for security solutions that will minimize common risks with policy-based controls, instead of completely shutting down a SaaS application.
- Implement transparent and comprehensive enterprise protection with solutions like McAfee Web Gateway to help protect employees during their online activity.
- Deploy data loss prevention solutions to monitor SaaS traffic for confidential assets like credit card numbers or personally identifiable information.
- Minimize password chaos and possible theft with an identity and access management solution.
- Have regular dialogue with employees about security policies and practices and the type of SaaS applications they are interested in using.
Want to coax “Shadow IT” out of the shadows and incorporate secure usage of SaaS applications in your organization? Take the first step and learn more about web application control with McAfee Web Gateway.
Watch this video for more details: https://www.youtube.com/watch?v=sNqIt45M_8A.
Or visit our website: http://www.mcafee.com/us/products/web-protection.aspx