A new McAfee survey has discovered that eighty per cent of employees are using non-approved SaaS (Software-as-a-Service) applications at work. Alarmingly, the worst offenders amongst those surveyed were those working in IT who used more unauthorised apps than any of their co-workers.

Stratecast suspects that this is a case of IT employees’ overconfidence in their ability to assess risks, as well as their greater familiarity with a range of SaaS solutions. Like parents who down a latte and doughnut while admonishing their children to eat a healthy breakfast, it may be a case of “do as I say, not as I do.”

The use of non-approved applications, also known as ‘Shadow IT’, can have serious business implications. Not only do they pose direct security threats such as increasing the risk of data loss or infection with malware, they can also cause regulated businesses to fail compliance audits.

Lynda Stadtmueller, program director of the Cloud Computing analysis service within Stratecast, says,

“There are risks associated with non-sanctioned SaaS subscriptions infiltrating the corporation, particularly related to security, compliance, and availability.

Without appropriate knowledge, non-technical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption. They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches.”

With Frost and Sullivan predicting a compound annual growth rate of 16% in the SaaS market, culminating in an industry worth $23.5bn by 2017 it is easy to see why some employees may look top applications that haven’t been approved by the IT department. Additionally, cloud computing also makes it easier for staff to acquire and deploy their own SaaS applications without going through the IT pathway.

The key findings of the McAfee report highlight that:

• More than 80 percent of survey respondents admit to using non-approved SaaS applications in their jobs.
• Nearly 35 percent of all SaaS applications used within the enterprise are non-approved, contributing to Shadow IT.
• Microsoft Office 365 is the top unapproved SaaS application (9 percent of respondents), followed closely by Zoho (8 percent), LinkedIn (7 percent) and Facebook (7 percent).
• On average, 15 percent of users have experienced a security, access, or liability event while using SaaS.
• IT professionals use Shadow IT more than business users (81 percent of Line of Business users, and 83 percent of IT users).
• 39 percent of IT respondents use unauthorized SaaS because, “it allows me to bypass IT processes”, while 18 percent agreed that IT restrictions “make it difficult to do my job.”

So why are workers using non-approved apps? Besides the suspicion that IT workers are overly confident, the report concludes that the main reason why workers are choosing to use such apps is a basic need to get their jobs done.

Survey responses suggest that the IT division could actually be exacerbating the problem for a number of reasons:

• Gaining approval from the IT department took too long
• Users were more familiar with non-approved apps
• Approved apps didn’t sufficiently meet the user’s needs
• IT blocked use of an app that was required to get the job done
• The IT department put restrictions on approved apps that made it difficult to work with
• Employees were actually unaware that they needed approval to use unauthorised apps in the first place

In the tough labour market of today many employees are looking for apps that allow them to get their jobs done in the most efficient manner. So, instead of malicious intent, it is far more likely that users are attempting to use non-approved apps simply to achieve deadlines and keep hold of their jobs.

Pat Calhoun, general manager of network security at McAfee said,

“With over 80 percent of employees admitting to using non-approved SaaS in their jobs, businesses clearly need to protect themselves while still enabling access to applications that help employees be more productive.

The best approach is to deploy solutions that transparently monitor SaaS applications and other forms of web traffic, and uniformly apply enterprise policies, without restricting employees’ ability to do their jobs better. These not only enable secure access to SaaS applications, but can also encrypt sensitive information, prevent data loss, protect against malware, and enable IT to enforce acceptable usage policies.”

So how do you address the use of Shadow IT within your organisation?

Frost and Sullivan suggest the following 7 steps:

1. Establish a SaaS policy that aligns with your business objectives
2. Protect your enterprise in a way that is transparent and
   comprehensive
3. Be inclusive, rather than exclusive
4. Mitigate risks in commonly-used applications.
5. Make sure your business safeguards data, and complies with privacy
   regulations
6. Implement identity and access protection.
7. Communicate – communicate – communicate!

Read more by clicking here (pdf)