
Just How Big A Problem Is Shadow IT

It's not a problem until it's a problem…

Mickey Fox

This should be enough to give you a bit of heartburn. The average large enterprise has 1200 different cloud services (including PaaS and SaaS offerings) in use, and 98% of them are unsanctioned, unvetted SaaS apps, according to the Enterprise Strategy Group. The definition of a “large enterprise” starts anywhere from 2000 to 5000 employees (depending on who you ask). This is a category that encompasses quite a big section of businesses.

It also means that, of the 1200 apps employees are using on cell phones, tablets, and laptops to work with data that includes things like our home addresses, cell phone numbers, credit history, etc., 1176 are being used away from the prying eyes of the company’s IT department and without vetting by the IT security teams.

Fixing this sad state of affairs is going to take a bit of doing from a few different angles. First, and perhaps easiest, is to have finance and accounting start scrutinizing those procurement card purchases. If you can tell me I tipped the taxi driver on the other side of the globe too much (despite the fact that he lugged all of my Pelican cases and my normal luggage into the hotel and put them on a trolley for me) or that a restaurant charged for the same meal twice (once without a tip and once with), then the tech should exist to audit for those charges as well.
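As an added illustration of the procurement-card audit suggested above (example code, not from the original post): a small Python script that groups card charges by cardholder and merchant and flags recurring, same-amount charges to merchants that are not on a sanctioned allowlist, the signature of a self-service SaaS subscription. The expense export and the allowlist are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample procurement-card export (not real data).
# Columns: date, cardholder, merchant, amount
EXPENSES = """\
2023-01-05,alice,CLOUDNOTES INC,12.00
2023-02-05,alice,CLOUDNOTES INC,12.00
2023-03-05,alice,CLOUDNOTES INC,12.00
2023-01-14,bob,TAXI GLOBAL,45.10
2023-02-20,carol,FORMBUILDER.IO,29.00
2023-03-20,carol,FORMBUILDER.IO,29.00
2023-01-02,dave,APPROVEDCRM LLC,99.00
2023-02-02,dave,APPROVEDCRM LLC,99.00
2023-03-02,dave,APPROVEDCRM LLC,99.00
"""

# Hypothetical allowlist: merchants behind apps IT has already approved.
SANCTIONED = {"APPROVEDCRM LLC"}


def parse_expenses(text):
    """Parse the CSV export into (date, cardholder, merchant, amount) tuples."""
    rows = []
    for line in text.strip().splitlines():
        d, who, merchant, amt = line.split(",")
        rows.append((date.fromisoformat(d), who.strip(), merchant.strip().upper(), float(amt)))
    return rows


def find_unsanctioned_subscriptions(rows, sanctioned=SANCTIONED, min_months=2, tolerance=0.0):
    """Flag (cardholder, merchant) pairs that show the same charge amount in at
    least `min_months` distinct months and whose merchant is not sanctioned.
    `tolerance` allows small variation (e.g. tax) between monthly charges.
    Returns sorted (cardholder, merchant, months_seen, amount) tuples."""
    by_key = defaultdict(list)
    for d, who, merchant, amt in rows:
        by_key[(who, merchant)].append((d, amt))
    findings = []
    for (who, merchant), charges in by_key.items():
        if merchant in sanctioned:
            continue
        months = {(d.year, d.month) for d, _ in charges}
        amounts = [amt for _, amt in charges]
        if len(months) >= min_months and max(amounts) - min(amounts) <= tolerance:
            findings.append((who, merchant, len(months), min(amounts)))
    return sorted(findings)
```

A one-off charge (bob's taxi) is ignored, and dave's recurring charge is skipped because the merchant is on the allowlist; the remaining two recurring charges are the ones worth a conversation with the cardholder.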

Secondly, IT staff are going to need to figure out who is using what, why, and how, so that they can start addressing those needs. Clearly people feel a need for these apps, so it behooves all of us to find ways to provide them workable, useful alternatives and discourage them from randomly whipping out a card to purchase something that probably isn’t compliant with corporate security policy. Find ways to make it easy to get approved apps and hard to get unapproved ones, and you will see Shadow IT diminish drastically.

One bad habit I think a lot of IT departments have is the default deny. It goes a little like this….
Employee: Can I use App X? It's really awesome.
IT: No, it's not approved.
When the employee runs into that brick wall, this is when shadow IT happens. They have a task that needs to be done, no one likes doing manual data entry, and their manager thinks they're awesome because they can whip out these reports in just a few minutes.

Now let's look at how this conversation should go…
Employee: Can I use App X? It's really awesome.
IT: What is it that you do with App X?
Employee: We use it to record which clients and which client employees attend our WebEx info sessions. It lets us gauge how effective our WebEx sessions are.
IT: Oh, we already have an app for that. It even integrates with WebEx to collect the attendee emails and links them back to their Salesforce records. There will be some setup to do, but another product team is already using App Y for exactly the same thing. Let me help you get set up on Y.
Since App Y is already approved, the whole shadow IT issue just got short-circuited.

Another reason people turn to Shadow IT is official IT response times. This is the biggest reason that enterprises should look to Hybrid Cloud: a private, on-premises cloud for the data and services that need to stay in house, and public cloud from at least 2 cloud providers to provide resiliency. One of the fundamental tenets of Cloud is self-service. If your employees can just go provision what they need and have it in a few minutes, you have short-circuited another of the reasons employees turn to Shadow IT.

If you think you can stick your head in the sand and pretend it's not happening, allow me to disabuse you of that notion. Most of America works in small to medium businesses, where data breaches are a) common and b) often seriously damaging. The odds of an SMB having a data breach in a given calendar year are 1 in 3. For those who are breached, the statistics are grim. 25% went bankrupt within 12 months after a data breach. An additional 10% just ceased to exist. 37% of them suffered “severe financial losses”. In short, 3/4 of those that were breached suffered significant setbacks. IBM’s 2016 study estimated the average cost of a data breach at $7,000,000 without any of the incidental expenses. When incidental expenses, like hiring a PR firm to manage the legally mandated breach notifications, are added, the expense can climb quickly. SMBs, for the most part, just can’t absorb that much of a hit.

SMBs aren’t alone either. Larger enterprises suffer just as badly. While fewer of them will vanish in 12 months after a breach, the effects of the breach linger much longer and impact everything from market performance to executive compensation. If you follow my blog, then you also know that it has long term implications for stock price and thus market cap.
