According to a new survey undertaken by Censuswide on behalf of Symantec, 2-in-5 UK workers have no qualms about downloading programmes, apps and other software onto their work devices without the approval of the company’s IT department.
Such use of unauthorised software can of course be extremely problematic for the smooth running of the business, leading to inconsistent approaches, inefficient working processes and time wasted elsewhere due to incompatibilities between the approved and unapproved tech within the organisation.
Furthermore, the use of non-approved SaaS (Software-as-a-Service) applications at work can pose far more serious issues for the business, such as a lack of compliance with industry regulations and standards, as well as an increased risk of data loss.
Despite the dangers, 42% of the UK workers taking part in the survey circumvented controls anyway, primarily with the intention of improving their own personal productivity by bringing “the same cloud-based apps, programmes or software they use at home and on their mobile device into their working lives, without thinking twice,” the report says.
Unfortunately, it seems that the age-old problem of security awareness is at play again, with a mere 11% of those surveyed understanding that accessing cloud file storage sites presents a security threat, “despite it having potentially huge information security implications for organisations.”
Equally worrying is the fact that over a quarter of the employees taking part in the survey were unaware that web-based apps, social media apps, and web-based email could result in the security of the business being compromised.
Sian John, security strategist at Symantec, told the International Business Times that,
“Workers are driving innovation in the name of productivity and quality of life, and are bypassing the IT departments in order to find the technology that allows them to do this. Companies shouldn’t try to eradicate shadow IT, but look at how workers can safely weigh up the risks and be empowered to install software to help them work more effectively.”
This report isn’t a one-off either – last year a similar survey by Frost and Sullivan on behalf of McAfee discovered that over 80% of employees admitted to using non-approved SaaS in their jobs, primarily because approval times were too lengthy, the approved software didn’t match their needs or because they were simply unfamiliar with the corporate-approved apps.
So how can you deal with Shadow IT within your own business?
I guess there are two main approaches that can be taken should the issue arise within your organisation.
The first is to adopt the policing approach, hunting down the offenders and simply saying, “NO.” For security personnel, charged with mitigating risk within the organisation, this can be a tempting philosophy to adopt as it, theoretically at least, stops the unapproved use of technology in its tracks.
But is a total focus on risk mitigation always the best option for the business as a whole?
One negative comment I often see associated with the security industry as a whole is its propensity to appear as a barrier to a business and a cost to be borne in the accounts. So perhaps the topic of Shadow IT can be spun into a positive. Instead of denying it out of hand, how about embracing the possibility: evaluating new and different apps and other programmes (can they be adopted into the company’s IT policy?) and assessing whether such software can be incorporated as a benefit to the business (whilst still maintaining compliance needs, of course)? That doesn’t mean you have to say “Yes” to every piece of Shadow IT (and you most certainly will want to say “No” to some), but it should go some way to ensuring that the security function will be seen as a department that can offer alternatives rather than just a corporate blockage.