Why “Shadow IT” Could Mean “Darkness at Noon” for Rising Startups

It’s no irony that the most disruptive of innovative startups are some of the most attractive targets for cyber-attacks. It is indeed an irony that an emerging venture’s rush to get IT capabilities up and running could result in a significant number of security vulnerabilities. Consider this an issue of both culture and execution.

Given a small group of engineers and developers with a strong focus on delivering “the new” to market, the priority of quickly bringing form and function to big ideas may tend to eclipse concerns about IT security policies, procedures and the threats themselves.

Startups in particular tend to rely on easily available cloud-based IT and make significant use of mobile devices. Simple password protection could be the only IT security in place. IT policies are rare and, if a recent study is any indication, they are routinely ignored.

A Frost & Sullivan Stratecast report released this month reminds us of one of the reasons why these vulnerabilities are possible. The survey of 600 IT and line of business decision-makers and influencers in North America, the UK, Australia and New Zealand reported that 80 percent of respondents admit to using Software as a Service (SaaS) applications that have not been approved by their IT departments. Percentage-wise, IT staff respondents were the most at fault in these practices.

Interestingly, a good percentage of these users – 18 percent, to be exact – admitted to having experienced a security issue while using SaaS software, but they believe it’s just quicker to operate this way.

Why this high use of unapproved and potentially risky software? In most cases, according to the study, users are just trying to get their jobs done.

In larger companies with organized IT infrastructures, workers are purposefully circumventing onerous IT policy or requisition procedures by knowingly downloading cloud-based tools from SaaS providers, often for free or on their own dime.

The findings shouldn’t be entirely surprising. After all, an entire generation of workers has come up without ever having manually installed software onto a computer. The push-button ease of use of cloud-based software apps for personal use creates an expectation of similar ease in the workplace.

But this expectation is even more prevalent in startup environments, where workers regularly access the cloud for free or inexpensive software on the fly.

Some entrepreneurs would likely complain that IT software policies kill the rapid, dynamic atmosphere of a startup. But the admission of security issues – ranging from malware to password theft and more – indicates that companies large and small are assuming huge risks without a coherent approach to SaaS security.

And then, of course, there is the lure of the targets themselves. Intellectual property and the trade secrets necessary for bringing “the new” to market are valuable to both those who seek to be first to market with their own innovation, and those who seek to prevent them from coming to market altogether.

Companies must innovate or die, after all, and the difference between success and failure for a startup frequently hangs on the details of only a couple of customer or partner contracts. Most startups have only a handful of ideas and products. If compromised, the information could be used to undermine key relationships, steal product information, and snuff out the entrepreneur’s dream even as it burns brighter than ever.

The necessary security policy needn’t restrict or control the use of SaaS per se. Rather, to support the startup environment, good security policy should embrace the use of SaaS tools and then take steps to ensure they are appropriately integrated into the IT security environment.

As counterintuitive as it may seem, inclusivity and transparency will allow you to protect access to your intellectual property, your business plans and your client relationships, while still supporting an open and adaptive technology environment. In many cases, applying such policy will even allow you to better conform to the data security requirements of prospective collaborators and customers.

For information on how Intel and McAfee are providing solutions specific to the needs of startups of every stripe, please visit http://www.mcafee.com/us/small-business-security/security-for-startups.html.
