Shadow IT: What IT Leaders Must Know in 2016

IT leaders are bombarded with marketing messages regarding security and Shadow IT. All those messages blend together into white noise at some point. Then one day, you get an email that stands out from the rest: a friend, who’s also a client, forwards you a marketing email from one of your former employees. Turns out, that former employee left with all your account information and is leveraging it for their startup. And this is just the tip of the iceberg. Shadow IT rears its ugly head and damage control ensues.

It’s all about the risk
2015 was the year when Shadow IT was in the spotlight. The noise about the risks Shadow IT poses has grown louder. As cloud app use surged and employees’ attitudes towards network security diminished further, IT leaders have watched risks mount, and in some cases, the worst occurred. Business data has been hidden, lost and potentially used with malicious intent. Turning a blind eye means you’ll have a black eye before too long.

You’re aware of Shadow IT. Now what?
Understanding the scale of risk Shadow IT poses enables smart business decisions. You’ll need Cloud Access Monitoring to see how many apps are being used. Most IT leaders guess that it’s around 15. After regular monitoring, the reality is normally greater than 700! Seriously. Knowing the apps employees use is nice, but knowing who is using the apps and how they are using them is critical. Then it should be fairly easy to identify the people who are misusing company data.

Not all cloud apps will grow up
We expect the biggest service providers for business to have their own administrative security panel set up for monitoring and policy enforcement before the end of 2016. The problem is that this is a huge undertaking for each cloud app provider. Those Sanctioned apps that you know about are rarely the problem. It’s the unknown “Rogue” apps that pose the biggest risks. Of the 700+ cloud apps that employees use, the vast majority will still cause Shadow IT risks.

Know Shadow IT’s risks in 2016
If there’s one thing that IT leaders must know about Shadow IT in 2016, it’s an accurate assessment of its risk. Cloud Access Monitor is easy to implement and affordable enough for most SMBs. Firewalls can’t do it and most cloud apps don’t have the controls in place to make it easy, so you need a specialized solution for continual monitoring. That way, if the worst happens, you’ll be able to say you’ve been monitoring the situation, rather than saying you had no idea. After all, knowledge is power.

Don’t Outsource Vendor Risk Management

We all know the many benefits of using SaaS apps and cloud services: boost productivity, cut costs, collaborate better, work from anywhere, yadda-yadda-yadda. If you read our post last week you also know that not all cloud vendors are created equal. So exactly whose job is it to weigh up vendor security and risk?

That’s easy: it’s yours. Just like it’s your job to ensure your data is secure, it’s your job to decide which cloud vendors are safe enough for you to trust with that precious data. Vendor Risk Management (VRM – gots to have that acronym or it’s not real) involves knowing and minimizing the uncertainties—and possible dangers—that come with using third party vendors. It’s one more piece of the cloud security pie.

As it tends to go in the Cloud, you can now find cloud vendors whose sole purpose is to help you assess the risk of cloud vendors. (Isn’t it ironic? Don’t you think?) You can also find lots of whitepapers and studies on VRM. While all this is great—the more resources the better, right?—it doesn’t change the fact that your VRM belongs in your hands. By all means use everything you can to ensure that you’re using only the safest third-party vendors. Get input from VRM services or technology, read vendor reviews, and look at what other organizations like yours are using.

But don’t let anyone else make the decision for you. That’s called passing the buck, and if something goes down (like your data is compromised or lost) with a cloud vendor you signed off on because a third party swore by them, that’s not going to fly. You need to create and execute a comprehensive plan to minimize your risks. It’s a dog-eat-dog world out there. Don’t get bit.