The pandemic-driven shift to remote work has revived anxiety about shadow IT. Lacking many of the technology tools they used in the workplace, home-bound employees were quick to turn to cloud-based applications and services — often without the knowledge or permission of the company’s IT organization.
Cloud providers report triple-digit growth in the use of their services in 2020, although few organizations have much insight into what their employees are using. One study finds that most executives believe their teams are using about 30 cloud apps and services, although the actual number approaches 2,000.
It is believed that as many as 80 percent of U.S. knowledge workers are using non-approved apps in their jobs. There’s no malicious intent — most aren’t even aware they are violating company policy. They’re just looking for ways to be productive and efficient while bypassing notoriously cumbersome IT provisioning processes.
Nevertheless, the lack of governance does create risks. IT can’t secure, monitor, patch or update applications it doesn’t know are being used. There’s no way to know where data within those apps is located, making backup and recovery impossible. That increases the risk of data loss or leakage and could create violations of regulatory requirements.
Given the risks, there’s a natural inclination to try to address the problem by blocking cloud applications and limiting users’ ability to use anything outside the realm of IT. However, that may prove to be counterproductive. The grassroots adoption of IT services and solutions is actually driving high levels of employee engagement, innovation and productivity.
Recent studies illustrate why companies should embrace and accommodate shadow IT. Employees working remotely during the pandemic say access to cloud-based applications and services has helped them be more productive than they expected. According to one survey by the Lucid market research firm, more than two-thirds of remote workers said they got more work done in less time with improved work-life balance.
Instead of trying to limit shadow IT, organizations should conduct an honest evaluation of why users are looking to the cloud for answers. Can your legacy applications and processes meet modern workload demands? Does it take too long to identify and deploy new applications that could be more useful?
With a better understanding of the roots of the issue, organizations can take a variety of steps to balance company security with user productivity. Here are four practices to consider:
Encourage standardization. Remote workers often employ a variety of free, cloud-based solutions for collaboration, conferencing, file-sharing and more. Reduce risk and limit exposure by standardizing on business-class versions of these services. They may require subscriptions, but they will also offer significant security improvements, including encryption, authentication, monitoring, auditing and centralized policy management.
Enhance visibility. A cloud access security broker (CASB) sits between on-premises IT infrastructure and the cloud to enforce IT policies and access controls. A CASB provides full visibility across all cloud-based applications, including those that haven’t been officially sanctioned by the IT department.
Plug data leaks. Data loss prevention (DLP) solutions help IT discover, monitor and manage sensitive data in motion across the network. DLP solutions can identify sensitive information stored in cloud environments in violation of policy, and prevent users from downloading or copying data onto an endpoint.
Be more responsive. Only 12 percent of IT departments follow up on all employee requests for new technologies, according to a new survey by Entrust Datacard. Slow IT processes can frustrate employees and lead them to introduce even more unapproved technologies. DevOps practices that integrate software development with IT operations can increase IT responsiveness.
Shadow IT does create risk, but it can also deliver significant rewards. Cerium can help you design and implement a plan that allows you to strike a balance between security and productivity.