You put a lot of time and effort into making sure your systems are secure and running efficiently. But a pair of surveys show that still might not be enough to stay safe in the face of a growing concern, shadow IT.
Shadow IT is a term that covers a lot of ground. Essentially, these are the services and applications that are used within a business without IT’s knowledge, approval or management. It may seem like it would be difficult to have rogue applications running right under IT’s nose, but these surveys show it’s happening – and at an alarming rate.
Most of it is thanks to the cloud.
Shadow IT and the cloud
According to a recent survey by 2nd Watch, 61% of companies bypass IT in order to access cloud services. And the same survey found that 93% of those companies surveyed already had cloud solutions in place.
Taken together, that shows that many users have options if they want access to the cloud, but they’re choosing to go it on their own rather than using the IT-approved options.
The study’s author revealed in an interview that some respondents reported users would set up and take down public cloud accounts multiple times before IT could even learn about them:
[Respondents] said they’ve given up on central IT being able to respond as quickly as they need. They’re now going to this stutter-type approach where they launch a site, keep it up and running for two weeks, pull it down, and launch another site. And central IT’s inability to react that fast has driven them to provision this stuff outside of the corporate IT network.
Applications also slip by IT
If that 61% figure sounds high, you might be surprised to learn it could actually be on the low end. A survey by Frost & Sullivan [PDF] found over 80% of respondents said their department uses non-approved SaaS applications.
And even more surprising is who was using these non-approved apps:
- IT departments were more likely than others to use apps that hadn’t gone through an approval process, and
- IT also used more of them than other departments.
So essentially, there is even shadow IT within the IT department.
Why does it happen?
If you want to stop shadow IT in the workplace, it’s important to take a step back and realize what factors are leading to it:
- It’s easier than ever. Ask your users if they’ve ever used a cloud app four or five years ago and you’d be greeted with blank stares. But today, the cloud is almost getting to be common knowledge – and with services like OneDrive, Amazon Web Services and Google Drive, it’s easier than ever to set up and use. Even if your users don’t recognize what the public cloud is, chances are they’ve used it at least once.
- Approval takes time. Getting IT to approve a device, service or system won’t happen instantly. And it shouldn’t. Before allowing services to be used, you should be absolutely sure they’re secure and acceptable. But some users don’t want to wait for that process to play itself out.
- Users just don’t understand. Some users might not know your policies on the cloud. To them, one service is just as good as any other, whether it’s provided and monitored by IT or not.
We can’t leave you without action steps. So here are three things you should do now to help mitigate shadow IT and bring users back into the fold.
- Provide multiple choices. If you can, allow for multiple choices when it comes to cloud storage and applications. This gives users some say in the matter – if they’re not enamored of a particular service, but have another approved choice, they’ll be more likely to use it than to go outside your systems.
- Update them on policies. Have a quick talk with users to remind them of your policies (or send out an all-points email). Describe the kinds of services they can or cannot use, and be sure to mention names of specific programs or services that are allowed or not. This will clear up confusion over terminology.
- Practice what you preach. Even though most IT pros are probably able to tell if a service is secure or not, go through the motions of approving it if your IT department uses it. By establishing that the rules apply to everyone, you have more credibility when correcting users who violate policies.
Check out a sample cloud services policy here.