
Who Takes the Blame for Shadow IT?

If an employee fouls out, they probably didn’t have bad intentions. They wanted to get a job done and made a mistake. Employers are often less innocent. Allowing Shadow IT to proliferate is a gamble whose risks outweigh the savings of doing nothing. As Shadow IT grows, there is a good chance that they will lose the gamble – it’s just a matter of time. To prevent an impending security issue, there are a variety of strategies, each with cost and benefit tradeoffs:

Use of Cloud/SaaS apps like Google Apps, Office 365 and Dropbox is nearly ubiquitous, and these apps are essential for businesses of every size. The benefits of these apps are clear, but the risks they create are a growing concern. Untrackable, unsanctioned cloud use is the unintended consequence of cloud use. Security is undermined by the growing risks created by Shadow IT. The question is: between the IT department and non-IT employees, who should be responsible for Shadow IT?

Hot potato

While IT departments have made their voices clear that cloud security is important, they don’t often practice what they preach. IT departments used to be the gatekeepers of tech, but cloud apps opened those gates. Attempts to lock down networks often result in increased efforts by employees to bypass the IT department, causing increased tension and risks.

Due to limitations in existing security solutions, the choice is to either overcontrol/block everything or pass off the responsibility. A cloud-specific security solution could provide the best of both worlds but might be financially out of reach. If additional resources for cloud security aren’t available, the only option is clear: open the gates and hope for the best.

With existing firewall technology the gate itself is protected, but each employee is responsible for what passes through it when they use cloud apps. This means that employees can mistakenly invite in strangers by leaking access credentials, or they can leave sensitive client data on unsecured apps. If an employee decides to download everything from the shared drive, this unusual behavior would go unnoticed. Employees can do whatever they want in cloud apps, even if it’s not in their employer’s best interests.

Shooting the potato into your foot

The only glimpse of Shadow IT most businesses see is when something bad happens, and then everyone reacts. If someone behaves in a way that makes the IT department and executives notice, there’s a good chance that whatever happened has irreversible consequences. Who takes the blame?

Cloud app policy breaches are two sides of the same coin. Of course, employees should behave responsibly with new technologies, but employers share the blame. When employers allow Shadow IT to grow, they demonstrate a lack of responsibility with cloud apps every day. To point fingers when the inevitable happens benefits no one.

| Strategy | Cost | Effectiveness |
| --- | --- | --- |
| Educate employees on comprehensive policies for data governance and compliance | Existing personnel time. | Good. Should be mandatory for every business, but places all responsibility on the employees. |
| Increase security, control sensitive data, improve compliance, centrally manage data protection through IT department | Existing internal technology and personnel time. | Better. Putting the control back into IT’s hands can create tension, but reduces risk. |
| Deploy a cloud-specific security solution and manage all cloud activity through IT | Price of new technology and time for IT personnel implementation and training. | Best. Defining a scope and putting financial resources behind a security solution benefits all personnel. |

Instead of waiting for the inevitable to happen, businesses can shed light on Shadow IT without breaking the piggy bank and annoying users. Cloud-specific security solutions created with the midmarket in mind mean cloud security is becoming more affordable, easier to deploy and less obtrusive to users.
