IT Security

Work with shadow IT

by Mark Rowe

IT must ditch the ‘Ministry of No’ image to tackle shadow IT, writes Len Padilla, Vice President Product Strategy at NTT Communications.

Shadow IT brings with it security issues, but as these applications are more often than not off the IT department’s radar, they don’t get incorporated into overall risk management. So how can CIOs best control the threat? Employees purchasing shadow IT without the permission, control or knowledge of the IT department is a growing trend, and one that business departments are increasingly relying on. This is the message that came across from a report, Growing Pains in the Cloud II: the People Vs the Ministry of No, by Vanson Bourne, commissioned by NTT Communications (NTT Com), which polled 500 IT and business decision makers of companies with more than 1,000 employees from the UK, France, Germany and Spain. But it is clearly creating headaches for IT departments, who are often unaware of these applications until technical problems occur or business departments want to integrate them with other corporate applications.

Shadow IT is growing

Over a third of respondents to the survey said they had used third party cloud applications without IT’s knowledge. Most employees using shadow IT know the risks, but choose to ignore them. Over a third of respondents, for example, admitted they regularly use popular free, unregulated cloud storage applications such as Google Drive, Dropbox and Apple iCloud to share company information. The biggest motivators from the research for business departments adopting shadow IT appear to be speed of set-up, followed by ease of use. Cloud has made it far easier for employees to circumvent the IT department to purchase applications and has exacerbated compliance difficulties. It is difficult trying to regain control of applications within an organization, but the challenge becomes far bigger when data is sent, handled and stored by a public cloud provider. Employees often do not know where their data is stored, so they could inadvertently be contravening the many data protection, compliance and regulatory policies. This will become a serious issue when the EU’s General Data Protection Regulation (GDPR), intended to strengthen data protection, comes into force in 2018. The new regulation will put far greater emphasis on data security, accompanied by tougher security rules and a new data breach notification policy. Data protection authorities will have the power to impose fines of €20 million or up to 4 percent of global annual turnover, whichever is the greater, where serious breaches are found.

Risks cloud over

Shadow IT can open up enterprises to a large number of data privacy, compliance and security risks. When cloud-based or other applications are purchased and used under the radar, IT departments are powerless to control the flow of data. Cloud service providers may not use identity management, access control or backup as standard, leaving data open to unauthorized access. Despite recognizing the risks, most employees ignore them and feel justified in using shadow IT. Over half of survey respondents using shadow IT had no idea where their data resided and well over a third accepted that their shadow IT actions could put the enterprise at risk. But it appears they carry on reaching out for shadow IT because they believe company policies and processes inhibit their ability to do their jobs efficiently.

Finding a way to work with shadow IT

Some IT professionals see shadow IT and cloud as a threat, undermining their authority and the support needed for the enterprise infrastructure. This, however, is a short-sighted vision and one that will send shadow IT further underground. Instead of being seen as the Ministry of No, IT departments need to work with business departments to find out why they are using shadow IT and how IT can help in sourcing tools that increase productivity, whilst falling in line with corporate security policies. IT departments must ask themselves if they are explaining the risks adequately, and if not, how they can become more adept communicators. IT must stop seeing itself simply as the guardian keeping the lights on. Continuous development is essential for business, and IT is at the centre of that process. By collaborating with users, IT will glean valuable information on what business actually needs so it can plan strategically for future requirements. Together IT and business departments can create a balance between security and accessibility.

More at http://padilla.net/bio.


© 2024 Professional Security Magazine. All rights reserved.
