Why Employees Ignore the Risks of Shadow IT and What Businesses Can Do about It0
Most people we know are fairly dedicated, hard-working employees. They understand what their companies want from them, and they take pride in delivering on—or exceeding—the expectations.
And yet, as revealed in the 2013 Frost & Sullivan SaaS survey sponsored by McAfee, employees regularly flout company policies when it comes to Software as a Service (SaaS) usage. Worse, most of them recognize that, in doing so, they may be exposing the company to risk.
What would drive an otherwise conscientious employee to break rules designed to protect company assets? It turns out there are two major factors at play, which can be mitigated by a combination of technology, process improvement, and communication.
First, some background. In September of 2013, we surveyed 600 IT and Line of Business employees in different regions of the world about their experiences using SaaS applications to do their jobs. We were particularly interested in examining “shadow IT,” defined as employees’ use of non-approved SaaS applications to do their jobs. Results are published in the Stratecast research paper, The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security Posture.
The biggest surprise was how pervasive shadow IT is. As described in a previous blog posting, Taking Shadow IT Out of the Shadows, more than 80 percent of employees do their jobs using SaaS applications that have not been approved by the IT department or obtained through IT processes.
Considering that fact, the next big surprise is that employees are aware that SaaS can present a risk to the organization. Nearly half of respondents expressed “high levels of concern” regarding specific SaaS risks. Their top concerns include:
- Sensitive corporate or personal data will be accessed or stolen by unauthorized malicious actors/criminals (cited by 43 percent of respondents)
- Sensitive corporate or personal data will be accidentally exposed to unauthorized users (43 percent)
- Account information (ID/password) will be compromised (41 percent).
What’s more, the fears are largely backed up by experience rather than hearsay. About 15 percent of all employees have personally experienced or perceived one or more “security incidents” (for example, malware infection, data loss, unauthorized or blocked access) associated with using a SaaS application.
So why are employees ignoring your policies and incurring risks to the business by using their own SaaS applications? The survey results pointed to two main issues that businesses need to address.
- Employees don’t know or understand your SaaS policies. Do you have a clear, well-communicated policy regarding SaaS usage? It appears that many of the companies in our survey do not. In fact, nearly 10 percent of Line of Business respondents believe their company does not have a SaaS policy (compared with 3 percent of IT employees). Another 10 percent says they are not sure if they have a policy.
This indicates an IT problem, not an employee behavior problem. If you don’t have a SaaS policy, you can’t blame employees for taking a long lead. If you’re not communicating your SaaS policies clearly and consistently, then you can’t expect your employees to take them seriously, much less take pains to follow them.
- 2. Employees believe your policies and processes inhibit their ability to do their jobs. This perception is at the crux of the Shadow IT tsunami, and it calls for some serious soul-searching on the part of the IT department. Consider the situation your LoB colleagues are in. Their success (in terms of compensation, career path, and perhaps continued employment) depends on achieving increasingly challenging and quantifiable personal objectives, as well as contributing to business goals. With fewer team members handling more responsibility, employees rely on technology tools to help them do their jobs with speed and urgency. a
But then they bump into your restrictive and cumbersome IT processes. According to survey respondents, the reasons for turning to unauthorized SaaS include:
- IT approval process for new software applications is too slow or cumbersome (cited by 35 percent of respondents)
- The non-approved software I use better meets my needs than the IT-approved equivalent (24 percent)
- IT restrictions on approved applications make it difficult to do my job (15 percent).
No wonder employees take matters into their own hands. By selecting their own SaaS, they believe are best positioned to meet their commitments to the company and contribute to corporate success. In that light, it’s easy for them to minimize the risks associated with SaaS. In fact, employees believe that “someone else” (probably IT) is managing the risks of their decisions to use SaaS: 32 percent say that they are “not sure who is responsible for protecting data” in a SaaS environment.
And therein lies the challenge for IT. You don’t want to inhibit employee productivity; that’s just a bad way to do business. And even if you tried implementing a draconian SaaS policy in the name of protecting data assets, it just wouldn’t work in this age of Bring Your Own Device and Internet access. At the same time, it’s unreasonable to expect LoB employees to consider the security implications as they make their SaaS decisions.
Instead, IT needs to incorporate solutions that are employee-friendly, while still protecting the company. This starts with establishing flexible SaaS policies that support employees’ need and desire to choose the tools that will best allow them to do their jobs, while giving IT control and responsibility for ensuring security, compliance, and reliability of solutions.
To put the policy into action, you need to implement the right security technology. Choose solutions that support a broad range of popular business SaaS applications, while transparently enforcing appropriate usage policies and monitoring web traffic. We will talk further about security solutions in a future blog.
Don’t force employees to choose between doing their jobs and protecting the company. Instead, address Shadow IT through a solution that is equal parts policy, technology, and communication. Presented with a flexible solution that balances user choice with corporate asset protection, your employees will be happy to take SaaS out of the shadows.
For more information about how to handle Shadow IT, see the Stratecast report, The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security Posture.