Attention, IT Department: You are no longer needed.
I hate to be the bearer of bad news, but your employees have declared you redundant. If the statements above are any indication, these non-IT-employees have transcended their departments to a higher plane where IT is unnecessary: a relic from a bygone era; a dinosaur waiting for the meteor to hit. Even tech spending is drifting away from IT: one-third of a company’s total tech purchases are made by people who don’t report to the CIO.
While your employees may not recognize the importance of IT, others do. This trend — where employees take IT into their own hands by using devices, apps and software for business without IT’s approval — is called Shadow IT and the loosening of IT’s control over security threatens to topple businesses everywhere.
Isn’t it time the IT department regained control?
In the 25 or so years since businesses opened their networks to the World Wide Web, we’ve seen a transition from security controlled entirely by the IT department to an employee-driven free-for-all of applications and devices.
It would be difficult to pinpoint where exactly in this transition the Shadow IT trend started, but Phil Hagen, SANS Certified Instructor and Course Author, sees it as starting at a cultural level.
“I believe Shadow IT sprouted from what users perceived as a ‘Culture of No’ on the part of IT organizations. IT was seen as a roadblock to business, so people found a way around it.”
In the beginning, technology flowed down from businesses to consumers. After the dot-com bubble burst, IT vendors switched from targeting businesses with new technology to the growing consumer market. This trend was known as IT consumerization and it meant that consumers started to receive new technology before it hit corporations.
As consumers used new technology in their homes, they also wanted to bring it into the workplace and, eventually, the line between personal and business tech began to blur. Knowing that IT was likely to say “no” to these new apps and devices, employees brought them in anyway, neglecting to consider the security impact.
They gravitated toward removable media to move files, first floppy and Zip disks, then CDs, USB flash drives and memory cards, and portable external hard drives. They shared files through unencrypted email and over plaintext FTP servers. The cheaper and larger storage got, the more widely it was accepted and used.
When this new-fangled cloud technology came on the scene, first as grid and utility computing, then with Salesforce.com’s Software as a Service (SaaS) platform and onto consumer cloud storage, it became difficult for IT to keep up. The ever-changing definition of “cloud” added another layer of complexity because IT departments tended to think of cloud as Infrastructure as a Service (IaaS) while employees saw it as SaaS. This lack of consideration for SaaS clouds may have led IT to think they didn’t have a “cloud” problem because clouds were only used for infrastructure.
By the late 2000s, employees had become much more computer savvy. Using personal cloud accounts like Dropbox and accessing browser-based applications instead of desktop programs became second nature. Cell phones evolved into smartphones, and browser-based applications became available as mobile apps.
If IT told employees “no” when they asked for something, well, they’d simply do it themselves, using the technology and devices they already knew. Unfortunately, all of this computer savviness didn’t extend to security. The technology and applications that had worked at home for employees were not made for wide-scale use at companies. The methods used to share or transfer files, including removable media, personal email accounts and consumer cloud accounts, may have increased efficiency, but they also increased security risk.
Won’t Someone Think of the Remote Employees?
With no on-site IT department and a job to perform, what’s a remote employee to do? Take matters into their own hands, it seems.
Remote employees are very likely to engage in Shadow IT because their IT departments are far away and sometimes even in a different country. According to the Connected Enterprise Report by Dimension Data, three-quarters of businesses have employees who work away from the office at least some of the time, and a quarter have employees who are entirely remote. The report also showed that IT routinely underestimates the extent to which employees work remotely.
As the global marketplace spreads employees out, IT departments have struggled to balance the needs of in-house users with all the needs of remote workers. Remote workers rely on collaboration tools like phone and video conferencing and many companies don’t place a big emphasis on support for these. Remote workers can end up patching together a solution of various apps and devices that let them be productive when IT isn’t there to help. These unauthorized collaboration methods are one of the most common ways companies are put at risk.
Removable media, arguably more popular in the early 2000s than now, was never perfect. It was prone to failure and easy to misplace, but as USB drives became cheaper and so ubiquitous that they were often handed out free at events, employees started using them to store both personal and professional files. Unfortunately, the AutoRun feature on Windows PCs made it easy for malware planted on a USB drive to launch automatically, infecting the computer it was plugged into and, from there, others on the network. (Microsoft disabled AutoRun for USB drives by default starting with Windows 7 and, through a 2011 update, on earlier versions, but the drives and the habit remained.) In a 2012 US-CERT study, it was reported that 25% of computers were infected with malware through this means.
Bring Your Own Device (BYOD)
With the BYOD trend, employees became very comfortable with bringing in their own devices and solutions to solve problems at work without involving IT. Though most of the time employees brought in personal phones and tablets, this extended to other devices as well.
Nick Espinosa, CIO and Chief Security Fanatic at BSSi2 has seen it happen several times.
“We had a new client once who had an employee take it upon himself to edit their firewall and DNS to allow for better performance. As a result of this ‘tweak,’ the entire internal network was given public IP addresses and 100% exposed to the internet. You could literally connect to any of their printers from anywhere in the world and print to it. When we were called in to fix this mess we discovered a rogue FTP agent on their server that was uploading all of their intellectual property files to an address in China.”
Espinosa also saw a user bring in his own wireless access point from home because he didn’t like the company’s wireless:
“This unit was actually a router that knocked out their DHCP server handing out internal addresses and started handing out addresses that were entirely unrouteable. It brought the entire company down; they probably lost a day of work.”
Email, which most office workers were accustomed to by this time, was another handy way to share files (as long as they didn’t exceed a certain size). While email security has improved, it is still not a good way to share sensitive documents: attachments typically sit unencrypted in mailboxes, on mail servers and in backups, and the sender has no control over where they are forwarded.
In fact, a study of the mortgage industry (an industry that handles some of the most sensitive consumer data there is) found it was one of the worst offenders when it came to sending unencrypted documents over email. HALOCK reported that 70% of businesses were allowing employees to send personal and financial information as attachments over unencrypted email. It wasn’t just that employees were sending unencrypted emails; managers and owners were encouraging them to use these channels, showing a serious lack of insight into how insecure email is.
Consumer Cloud Storage & Collaboration Tools
As consumer cloud storage and collaboration tools became popular, so did their use in the workplace. Email and FTP servers fell out of favor, and the cloud became the preferred way to share documents in-house and externally. To people who didn’t understand how the cloud worked, it seemed like a productivity gift from the tech gods.
But the issues with personal cloud accounts are even worse. They are consistently pointed to as the riskiest way companies can store and share files. As Hagen points out,
“Using a file synchronization service such as Dropbox seems harmless until an attacker compromises your credentials and sets up a “live mirror” of your files. The impact is even more severe if the attacker pairs that with something like dropping stolen data in a user’s shared folder.”
A Big Game of Whack-A-Mole
Unfortunately, once users caught on to how easy it was to use these tools, outside the oversight of IT, it was hard to stop them, mostly because you can’t stop something you don’t know is going on. While IT did what it could, it was like a game of whack-a-mole: block access to one application and employees would find another to use. Block all access from a desktop computer and employees would use their phones or tablets.
To IT, this was incredibly frustrating. They had approval processes for software, applications and devices they used within their organizations. These policies were in place for a reason — they kept their organizations safe and, if regulated, compliant.
To the employee, this was also frustrating. The employee was there to get a job done and if they saw a low-cost or free application that would increase their productivity, then they’d take advantage of it. To them, the IT approval process was long and ineffective. Also, because it wasn’t really their job to consider it, employees didn’t see the risk in using unauthorized applications or cloud accounts that seemed secure enough for their personal files.
Somewhere in between trying to find a balance of the access employees wanted and the security IT required, a disconnect occurred and the problem grew out of control.
And yet, companies continued to ignore it.
Unfortunately for them, Shadow IT is not going away.
What are Employees Sharing?
Everything, really. According to Skyhigh, 15.8% of files in the cloud contain sensitive data. By category, the most commonly uploaded sensitive content is:
- Confidential company data, including financial records, business plans, source code and trading algorithms, among others.
- Personally identifiable information, including SSNs, tax IDs, phone numbers and addresses.
- Payment data, including credit card, debit card and bank account numbers.
- Protected health information (PHI), including patient diagnoses, medical treatments and medical record IDs.
According to the same report, the most popular cloud-based file sharing and collaboration services were Box, OneDrive, SharePoint Online, Dropbox, ShareFile and Google Drive. On average, companies are uploading 5.6TB of data to file sharing services every month. Here’s the breakdown from Skyhigh of the number and type of collaboration tools the average organization has:
- 61 file sharing services (Google Drive, Dropbox, etc.)
- 57 development services (SourceForge, GitHub, etc.)
- 45 content sharing services (YouTube, Flickr)
- 35 social media services (including tools like Buffer)
- 29 tracking tools (tickets, chat logs)
- 24 business intelligence applications (dashboards)
And on the individual level, users have an average of 8 collaboration services, 5 file sharing services and 4 content sharing services.
The Risk of the Cloud
In 2015, the Ponemon Institute’s Risk of Insecure File Sharing report noted that very few companies have any process or procedure in place to protect their files and data. They found that the riskiest behavior was the use of cloud file share/file sync-and-share tools. The risk dropped significantly when it came to tools that were situated on-premise or home-grown.
So, just how many of these tools were employees using? In Cisco’s much-discussed 2015 Cloud Consumption study, IT departments were asked how many cloud services they thought their companies used. Their answer: 51.
In fact, the average number of cloud services actually used by employees in these companies was 730, roughly 15 times what IT departments expected.
It was clear at this point (just last year) that cloud and device sprawl was out of control. Given the rate at which cloud storage use was multiplying, Cisco predicted that by the end of 2015 there would be “more than 1,000 external cloud services per company.”
Out of 16,000 cloud services, only 8.1% meet the enterprise data security and privacy requirements defined by Skyhigh’s CloudTrust program. Again, businesses have chosen to ignore this problem, even though the average organization experiences 19.6 cloud-related security incidents a month, according to Skyhigh Networks. These threats range from malicious and accidental insider threats, privileged-user threats and compromised accounts to attacks that use the cloud as a vector for data exfiltration. Think it wouldn’t happen to your business? Skyhigh found that 92% of companies have cloud credentials for sale on the dark web.
Why Companies Ignore Shadow IT
At this point, it’s not a question of whether you are affected by Shadow IT, but to what extent. You probably know your company has Shadow IT issues; if you are in IT, you are certain it’s an issue, and you are in the thick of it every day, dealing with the problems that crop up because of it.
Knowing this, why do companies continue to ignore Shadow IT? Espinosa sees it as something companies will keep ignoring until something serious happens.
“It’s not a reality to a business until it happens to them. Businesses balance trust in their employees versus the cost to tighten up and deeply control the network. Can a business afford an hour of downtime due to Shadow IT? A day? A week? Is it ok if sensitive data is stored online in weakened cloud solutions?”
Espinosa sees it as IT’s job to help the leaders of the company find a balance between that trust and the cost of failure.
Shadow IT is Good for Productivity and Innovation
We can’t forget that Shadow IT does have its benefits. In many cases, it’s been shown to encourage employee innovation and increase productivity. Employees would normally be praised for finding a better way to work. Work smarter, not harder, right?
By turning to personal cloud accounts, applications and devices, employees have found a better way to work. A consumer cloud account can share large files faster than breaking them up over several emails. A smartphone or personal tablet can let them keep up with client emails on the go. A note-taking app can be accessed from anywhere.
In many cases, employees had to find ways to work better since IT wasn’t giving them the tools they needed to get their jobs done. For instance, many companies have collaboration tools for internal use, but no tools for use in collaborating with clients.
Even business departments encourage their use. A March poll by NTT Communications of UK, French, Spanish and German companies found that “60% of decision-makers not working in the IT department said unauthorized cloud services could boost productivity and efficiency.” Eight out of 10 respondents believe having their data in an unauthorized cloud is essential to the operation of their department and businesses that do use these cloud services grow 19.6% faster than their non-cloud-using counterparts.
What’s becoming apparent in these studies is that consumer-grade collaboration apps are becoming so necessary for business operations that their removal would be crippling. But so would a data breach. IT departments must find a way to replace these tools with legitimate, easy-to-use and easy-to-implement alternatives.
Is the Reward Greater than the Risk?
Right now, the reward of increased productivity is greater than the perceived risk of a data breach. In most companies, the prevailing, if unspoken, thought seems to be “we haven’t gotten in trouble yet, so let’s keep doing it.”
Some, mainly line-of-business owners but also a handful of IT personnel, also think the relatively low cost of Shadow IT might outweigh the financial risk of a data breach.
That might make sense until you really start to break down the financial costs at an enterprise institution. According to Cisco, the “hidden costs” of unauthorized cloud services can be four to eight times higher than the “visible costs,” which include things like the invoice from a cloud vendor or the charges that hit your card statement each month or year. But what are the hidden costs?
Hidden costs include:
- Ongoing security issues
- Data enhancements
- Terms and conditions review
- Operating costs
- Hardware or software integrations
- Network issues including downtime
- Data ownership talks
- Litigation concerns
- Contract negotiation and renegotiation
Enterprises are the ones who face the biggest impact here. According to Rick Orloff, Chief Security Officer and Vice President at Code42 in an article from CIO Dive, enterprises face these challenges “because there are more departments with budgets to deploy technology on their network or subnet.”
So, what are the enterprise costs?
Imagine this scenario
You’re an organization with 2,000 employees, and your 50-person marketing department turns to Dropbox for Business. That costs about $125 per user annually, on their middle of the road plan. That’s only $6,250. But considering all those other costs, you’re multiplying that number by eight. That’s a $50,000 annual investment when you consider both the visible and hidden costs.
That’s only one department, and the data lives on a network outside your IT department’s oversight, making full regulatory compliance nearly impossible. If 1,500 employees at that same organization used Dropbox for Business without IT’s oversight (which isn’t far-fetched given some of the numbers in this article), you’re looking at visible annual costs of $187,500; with hidden costs at the same 8x multiplier, that annual number jumps to $1,500,000. That’s a lot of zeroes for something IT doesn’t control.
Not all Shadow IT should be treated equally, but the type that should be locked down right now is file-related Shadow IT. Letting files live unmonitored in various insecure places can lead to hefty regulatory fines, data breaches and even lawsuits. Tack those figures onto the $1.5 million we just covered and you could easily be looking at an eight-figure nightmare for your business.
Luckily for IT, those same eight-figure numbers can help when speaking to managers and executives about file-related Shadow IT. They’ll want a solution, especially with all the headaches we’ve uncovered, and we’ll get to those shortly.
It’s Not My Problem
Another reason companies ignore Shadow IT is that the cause is deep within several departments. There’s not one easy solution in a single department, which leads to everyone coming down with a case of “it’s not my problem.”
On the surface, Shadow IT looks like an IT department issue, which is why they’re always the ones blamed. But take a look at any of these Spiceworks threads and you’ll see the frustration IT staff feel when faced with the Shadow IT issues that plague their company. Employees and management bypass them on tech decisions, and then turn back to IT when they need help fixing applications and devices that IT had never even seen, let alone installed.
To IT staffers, it’s a “cultural issue that starts at the executive level.” For example, user Jeff Jones pointed out that, upon their release, iPhones were not secure enough for business use, yet executives were the first ones asking the IT departments to get them set up. When employees see executives do it, they follow that lead-by-example mindset. According to Espinosa, “At its core, Shadow IT is the fault of the company and its IT leaders for not keeping up the network to current standards and also not listening to their employees’ needs.”
It’s also a management issue. IT can block applications, but if an employee consistently goes around IT, it’s not IT’s job or place to reprimand the employee. Managers may want to blame IT, but it’s their job to manage their staff. If, in the end, that isn’t working, it becomes an HR issue.
Hagen believes there’s often a game of favorites among departments. “If a sales team makes the case that IT is hindering revenue, management will side with sales.” It’s a short-sighted case of following the money, even though the business could end up paying more later in security lapses and reputation damage.
In order to have the most successful outcome, IT, management and HR must all work together to resolve the issues their business faces.
Solving the Shadow IT Problem
There’s no denying that Shadow IT is a complex issue. And it’s one that many vendors have started to provide solutions for. Beyond a product, there are several things that businesses can start doing now to slow the spread of the shadow.
Remember that “Culture of No”? It may not exist anymore, but in employees’ minds it still does. Increasing communication and transparency are two of the most important ways to slow down the rapid growth of Shadow IT.
In order to get people to trust that the IT department will listen to them, IT staffers need to be in open communication with employees.
“Most importantly,” says Espinosa, “there has to be a process in place where employees can request whatever they need from the IT staff, beyond trouble tickets, and those requests must be responded to in a timely manner.”
He adds that employees want to work within the system but if they go through the proper channels and they are ignored, they will figure out their own solution.
A good way to find out how and what employees are doing, as well as how they feel, is to survey them. Send out a company-wide survey and make it anonymous so employees won’t feel like there will be retribution if they tell the truth. Ask them what applications or devices they’re using and why. The “why” is important — do employees feel like they can’t get their job done with the tools they have? Is there a tool out there that IT already has that the employee just doesn’t understand?
From then on, IT should have an Open Door Policy where employees feel comfortable sharing their needs as well as the outside ways they’ve found work for them better than current methods. Transparency all around will pull much of the Shadow IT behavior out of the darkness, while also preserving the innovation and productivity of employees.
Implement Security Training
People like to know why they can’t do something and quarterly or yearly training is a great place to explain exactly why. With the newly opened channels of communication, IT departments can start to share the risks that come with sharing files on personal cloud accounts and unencrypted email accounts. If IT is hosting a seminar, management will need to support them by making attendance mandatory and enforcing it.
In addition, compile a policy that details what is allowed and not allowed when it comes to file sharing behavior, cloud use and device use. It should be very well known and followed by everyone in the organization (yes, even those in the C-level suites).
Centralize Ultimate Authority and Responsibility
Who’s in charge? Is it IT? Is it management? Is it the CIO? If you don’t know then it’s guaranteed that your employees don’t either. Hagen recommends having the CISO in charge and gives several tips for it:
- Have a separation between the CISO and CIO, because the two positions have competing interests
- Get the ear of the business line management to make the case for secure operating processes such as users not having administrative access and deployment of application whitelisting at scale
- Give them a budget to facilitate visibility, whitelisting and other solutions
- Create a mission charter that allows them to perform their job in support of the company and organization
Changing a company’s management or culture style can be a challenge, but it will help the issue immensely.
Conduct Regular Audits
It seems logical, but many companies don’t conduct audits. The 2015 Ponemon Institute study found that 65% of IT managers surveyed said their businesses had not, in the last 24 months, conducted an audit to determine whether their document and file sharing activities were in compliance with laws and regulations.
Hagen adds that this is an important step, even though it can be difficult.
“Dealing with [Shadow IT] requires visibility and organizational discipline. Visibility means knowing each and every application that runs in your environment. If you don’t have a solid and continuous software inventory, you’re out of luck — period.”
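The visibility Hagen describes, and the gap between the 51 services IT expected and the 730 actually in use, is usually established by mining egress logs. The script below is an added example, not code from the original article or from SmartFile: it parses constructed forward-proxy log lines (the format, the log entries, the small service catalog and the "sanctioned" list are all assumptions made for the example), maps each destination host to a known SaaS service by longest domain suffix, and reports distinct services, upload volume and client count per service, services IT did not sanction, and uncatalogued hosts that received uploads.

```python
"""Shadow IT discovery from forward-proxy logs.

Added example, not code from the original article or from SmartFile.
The log lines, the service catalog and the sanctioned list below are
constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical catalog of known SaaS destinations (registrable domain ->
# service name, category). A real run would use a maintained feed.
SERVICE_CATALOG = {
    "dropbox.com": ("Dropbox", "file sharing"),
    "dropboxapi.com": ("Dropbox", "file sharing"),
    "box.com": ("Box", "file sharing"),
    "drive.google.com": ("Google Drive", "file sharing"),
    "github.com": ("GitHub", "development"),
    "youtube.com": ("YouTube", "content sharing"),
}

# Services IT believes are in use (assumption for the example).
SANCTIONED = {"Box", "GitHub"}

# Constructed log format: <iso-ts> <client-ip> <method> <url> <status> <request-bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)\s*$"
)
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2016-03-01T09:12:04Z 10.1.4.22 POST https://content.dropboxapi.com/2/files/upload 200 5242880
2016-03-01T09:13:11Z 10.1.4.22 GET https://www.dropbox.com/home 200 412
2016-03-01T09:15:30Z 10.1.7.15 PUT https://upload.box.com/api/2.0/files/content 201 1048576
2016-03-01T09:20:02Z 10.1.7.15 GET https://github.com/example-org/example-repo 200 300
2016-03-01T09:21:45Z 10.1.9.3 POST https://files.transfer-service.example/upload 200 2097152
2016-03-01T09:22:10Z 10.1.9.3 GET https://www.youtube.com/watch?v=abc123 200 120
2016-03-01T09:25:00Z 10.1.4.22 POST https://api.sync-service.example/Items/Upload 200 734003
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one proxy log line; return a dict or None when malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def classify_host(host):
    """Map a hostname to (service, category) by longest catalog suffix match."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_CATALOG:
            return SERVICE_CATALOG[candidate]
    return None


def discover(log_text):
    """Aggregate per-service usage and collect unknown upload destinations."""
    services = defaultdict(lambda: {"category": None, "requests": 0,
                                    "bytes_uploaded": 0, "clients": set()})
    unknown = defaultdict(int)  # host -> bytes uploaded to uncatalogued hosts
    skipped = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        # Only request bodies on upload methods count as data leaving the network.
        upload = rec["bytes"] if rec["method"] in UPLOAD_METHODS else 0
        hit = classify_host(rec["host"])
        if hit is None:
            if upload:
                unknown[rec["host"]] += upload
            continue
        name, category = hit
        s = services[name]
        s["category"] = category
        s["requests"] += 1
        s["bytes_uploaded"] += upload
        s["clients"].add(rec["client"])
    return {
        "services": dict(services),
        "unknown_uploads": dict(unknown),
        "unsanctioned": sorted(set(services) - SANCTIONED),
        "skipped_lines": skipped,
    }


def report(result):
    """Print a short visibility report an auditor could hand to management."""
    print(f"Distinct known cloud services seen: {len(result['services'])} "
          f"(IT sanctioned {len(SANCTIONED)})")
    for name, s in sorted(result["services"].items()):
        flag = "" if name in SANCTIONED else "  <-- not sanctioned"
        print(f"  {name:<14} {s['category']:<16} requests={s['requests']:<3} "
              f"clients={len(s['clients']):<2} uploaded={s['bytes_uploaded']:>9} B{flag}")
    for host, n in sorted(result["unknown_uploads"].items(), key=lambda kv: -kv[1]):
        print(f"  UNKNOWN upload destination {host}: {n} B - investigate")
    print(f"Malformed lines skipped: {result['skipped_lines']}")


if __name__ == "__main__":
    report(discover(SAMPLE_LOG))
```

Run against a real proxy or DNS export, the unsanctioned list is the starting point for the survey and open-door conversations described above, and the unknown-upload list is the queue of hosts to classify next; a catalog that only knows the big-name services will miss the long tail, which is exactly where the 730-versus-51 gap lives.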
Adopt New Technologies: The Hybrid Solution
If tools are successful with your employees and safe, then adopt them. Or find one that lets employees work the way they have been, with easy access from anywhere.
For instance, on-prem file management tools like SmartFile are engineered for IT governance and designed for employees with varying access requirements. They replace legacy storage, FTP servers and consumer cloud accounts in your business. Even if the hard and soft costs make tools like SmartFile a five- or six-figure investment, they pay for themselves against the seven-figure visible and hidden costs of file-related Shadow IT described above.
On-prem file management tools fall into the hybrid IT sector. Teams that have established a hybrid IT infrastructure, one that contains traditional and cloud environments, realize tremendous gains in productivity.
According to an IBM study, nine in ten organizations of all sizes that have implemented hybrid IT solutions like SmartFile say they get a greater ROI than from an all-traditional or all-cloud environment. 82% say it streamlines workflows and makes them more efficient by improving productivity. Finally, 81% say they believe tools like SmartFile reduce Shadow IT.
Organizations recognize that an on-prem tool that creates or exists within a hybrid IT environment provides value and reduces costs. How does this happen? By reducing the number of troubleshooting tickets created, streamlining file-related workflows, eliminating training on clunky tools and consolidating services so fewer systems are needed. Most importantly, such tools are designed for the end user but engineered for IT.
IT leaders can take this data to their colleagues across the business and explain that not only will hybrid IT solutions curtail Shadow IT, but they will reduce costs and improve productivity. From a business perspective, unauthorized tools are more costly in terms of revenue and risk and often fail to produce the results the employee is looking for. This solution should help begin institutional change.
So, What Is Your Business Going to Do?
You’ve been informed and now it’s time to take action — are you going to address Shadow IT in your company…or keep ignoring it?
You can lay the foundation today to bring IT processes out of the darkness with open communication, transparency, training and active monitoring. Additionally, by adopting tools, like a hybrid cloud, that your employees will actually use, IT and management can lessen the stranglehold that Shadow IT has on employees and companies.
Get ready to take back control.