Businesses move slowly. Decisions can take an age to work through the various levels and departments of a large enterprise. Entrenched thinking, vested interests, and regulatory concerns frequently prevent large businesses from being as agile as they might, especially when it comes to big decisions like IT deployment. In many cases, that leaves employees working with legacy tools and systems. Most employees want to be as productive as possible, which means using the most efficient tools. When it comes to information technology, those tools are to be found on cloud platforms.
A recent study from Skyhigh Networks revealed that rather than conforming to company IT policies, employees are doing an end-run around glacial decision-making processes and adopting cloud platforms and technologies on their own initiative, creating “shadow IT” systems that fall outside of corporate oversight.
In a survey of 40 businesses, Skyhigh Networks discovered that, on average, businesses are using hundreds of different cloud services, but the vast majority of them posed a potential security risk because they aren’t subject to the company’s security and regulatory procedures. It’s not that the services were insecure in themselves necessarily, but that without policies to manage their use, workers may be inadvertently exposing their employers to unforeseen problems.
For example, data sovereignty is of particular importance to many large companies; they need to be aware which regulatory frameworks apply to their customer and employee data in order to maintain compliance. Canadian and European companies often prefer to keep data within their respective borders, but employees are unknowingly using cloud products that store data in the US.
According to Rajiv Gupta, Chief Executive of Skyhigh Networks “Cloud services certainly enable agile, flexible, and efficient businesses, and employees should be encouraged to use services that best suit their working style and enhance their productivity. However, it is evident from this study that too many employees are still unaware of the risks associated with some cloud services, and could even be jeopardizing the overall security position of their organization.”
There are two ways that companies could deal with shadow IT infrastructure. They may choose to impose penalties on employees who ignore IT policy, or they could make the decision to embrace employee adoption of cloud services and institute official solutions to the problems employees are seeking to solve, bringing cloud adoption under the aegis of proper management processes.
While many managers may be disinclined to take the latter route, this is one instance where the employees probably know better. If they feel that existing company-sanctioned systems are cumbersome, inefficient, and harmful to productivity, it’s in the best interest of managers to give serious consideration to those opinions. Employees aren’t doing this to make life difficult for their bosses, but because they want to remove frustrations that are preventing them from doing their jobs as well as they might.
Either way, companies need to be aware of the problem of shadow IT and educate their employees as to the potential risks of using unvetted and unverified cloud platforms.