IT Pros Share Blame for 'Shadow IT' Problem, Survey Shows
When end users circumvent the IT department and start using software-as-a-service (SaaS) applications without permission, the IT pros complain about the plague they call "shadow IT." But it would seem the professionals are also operating in the shadows, according to a survey out today.
Wed, December 04, 2013
The report entitled "The Hidden Truth behind Shadow IT," was a collaboration of consultancy Frost & Sullivan and McAfee. The survey asked 300 IT pros and 300 line-of-business employees whether they used SaaS applications in their jobs without official approval. Eighty percent admitted they did, with only 19% of the business employees and 17% of IT claiming to be innocent.
Background:Does "Shadow IT" lurk in your company?
The idea of the threat of "shadow IT" has grown with the expanded use of cloud-based applications that can easily and often cheaply be brought into use without the IT department knowing about it all, much less approving SaaS based on security policies.
For the IT department, the reaction has often been, "Oh poor IT, if we could only stop the employees from doing this," says Jennifer Geisler, senior director in McAfee's network security division.
Of the IT pros admitting complicity, 42 percent said they do it because they are "familiar" and "comfortable" using such services. A third said the "IT approval process for new software applications is too slow or cumbersome," echoing the line-of-business managers. A quarter said the non-approved software "better meets my needs than the IT-approved equivalent."
The favorite types of non-approved SaaS applications for all 600 of the survey's respondents were related to business productivity, social media, file-sharing, storage and back-up. The most popular non-approved SaaS applications included Microsoft Office 365, Google Apps, LinkedIn and Facebook, Dropbox and Apple iCloud. Many even said they were planning to increase this non-approved usage for things such as data storage related to ERP systems and financial and legal departments.
The report also indicates that these employees readily acknowledge the risks and liability in what they are doing.
Just under half cited strong concern about the potential for data exposures, theft, or simply not being able to get the data back from the cloud application. Twenty-two percent admitted they had already experienced some security incident with social media, while 16% pointed to a security-related incident in file-sharing, backup or storage.
"Despite their experiences of deep concern, more than 80% of respondents presumably feel justified in continuing to use non-approved services without ensuring that protective IT policies are applied," the survey report states. There's the sense that "the end justifies the means," the report notes.