Employees Engage in Rogue Cloud Use Regardless of Security Policies

"I don't think IT realizes how much the way we live life as individuals has completely permeated the enterprise," says Margaret Dawson, vice president of product management at Symform. "This is happening whether you want it to or not."

In a survey of about 500 companies across a range of industries and sizes, Symform found that nearly 20 percent of businesses have no clear security policies or standards around employee or departmental use of cloud. Of the 39 percent of IT organizations that say they are not using the cloud, 65 percent said they allow employees or teams to use cloud services and 35 percent allow employees to put company data in cloud applications.

"This research validates how cloud applications and services are being purchased and managed increasingly by non-IT departments and illustrates the need for IT to reclaim control from a policy and governance standpoint while still enabling the business to benefit from the cloud's agility and cost effectiveness," Dawson says. "I always advise IT leaders to be the centralized source of all IT policy, vendor criteria, compliance management and the definition of 'trust' for their organizations. Cloud usage is inevitable, but loss of control is not."

Employees Frequently Go Rogue When It Comes to Cloud

Even when organizations do have formal policies around cloud use, employees frequently make an end-run around IT. Symantec conducted a survey of 111 knowledge workers and 165 IT managers in November and found a significant disconnect between employee behavior and IT policy when it comes to cloud applications at work.

According to Symantec, even though the majority of IT managers report their organization has formal policies for cloud use, 71 percent of employees do not think there is a policy to control their use of cloud applications in at least one category (online email/communications, file sharing, online storage or backup, productivity apps or contact manager apps). And 28 percent of employees don't know of a policy for any of the categories.

No matter the type of cloud application, many employees say they never go around IT and use cloud applications outside of policy, but IT says it's much more common than employees admit. For instance, only 69 percent of employees admit they go rogue with cloud-based email/communications, while IT reports 88 percent of employees go rogue. Cloud-based storage or backup apps lead to some of the biggest discrepancies: 38 percent of employees admit to rogue use of such applications, while IT says 81 percent of employees engage in rogue use of those services.

Employees Don't Believe There Are Consequences for Rogue Cloud Use

Even employees who know of a formal policy think there are no consequences for policy violations. Symantec found that 76 percent of IT uses manual audits or technology to monitor for cloud policy violations, while 55 percent of employees do not think there is a policy or have no idea. Additionally, 81 percent of IT managers believe there are clear consequences for violations, while 49 percent of employees say their company doesn't have consequences for violating cloud policies or they just don't know.

"People are learning to get around the corporate rules," Dawson says. "People are still going around it. Organizations need to develop strong governance, develop strong policies and implement them. They need to make collaboration and access so easy that employees aren't going to go around them. To do that, you need to focus on where the data is going. Tracking and reporting is really vital."

For IT managers, the No. 1 concern and key criterion when evaluating the cloud was access controls. They also cite auditing and tracking, security of data in motion and at rest, vulnerability management and strong security service level agreements (SLAs) as key security criteria when evaluating cloud services.

Despite the gap between cloud utilization and security policies, Symform found that among respondents, cloud is gaining credibility as a safe place to store or use data. Fifty percent of survey respondents said they believe even sensitive data can be stored in the cloud. This aligns with the finding that data protection is the highest perceived benefit of using the cloud. Credit card data remains the exception: 70 percent of respondents would not put credit card data in the cloud.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at tolavsrud@cio.com
