IT pros share blame for 'shadow IT' problem, survey shows

When end users circumvent the IT department and start using software-as-a-service (SaaS) applications without permission, the IT pros complain about the plague they call "shadow IT." But it would seem the professionals are also operating in the shadows, according to a survey out today.

The report, entitled "The Hidden Truth behind Shadow IT," was a collaboration of consultancy Frost & Sullivan and McAfee. The survey asked 300 IT pros and 300 line-of-business employees whether they used SaaS applications in their jobs without official approval. Eighty percent admitted they did, with only 19% of the business employees and 17% of IT claiming to be innocent.

Background: Does "Shadow IT" lurk in your company?

The perceived threat of "shadow IT" has grown with the expanded use of cloud-based applications, which can easily and often cheaply be brought into use without the IT department knowing about them at all, much less approving the SaaS against its security policies.

For the IT department, the reaction has often been, "Oh poor IT, if we could only stop the employees from doing this," says Jennifer Geisler, senior director in McAfee's network security division.

Of the IT pros admitting complicity, 42 percent said they do it because they are "familiar" and "comfortable" using such services. A third said the "IT approval process for new software applications is too slow or cumbersome," echoing the line-of-business managers. A quarter said the non-approved software "better meets my needs than the IT-approved equivalent."

The favorite types of non-approved SaaS applications for all 600 of the survey's respondents were related to business productivity, social media, file-sharing, storage and back-up. The most popular non-approved SaaS applications included Microsoft Office 365, Google Apps, LinkedIn and Facebook, Dropbox and Apple iCloud. Many even said they were planning to increase this non-approved usage for things such as data storage related to ERP systems and financial and legal departments.

The report also indicates that these employees readily acknowledge the risks and liability in what they are doing.

Just under half cited strong concern about the potential for data exposures, theft, or simply not being able to get the data back from the cloud application. Twenty-two percent admitted they had already experienced some security incident with social media, while 16% pointed to a security-related incident in file-sharing, backup or storage.

"Despite their experiences of deep concern, more than 80% of respondents presumably feel justified in continuing to use non-approved services without ensuring that protective IT policies are applied," the survey report states. There's the sense that "the end justifies the means," the report notes.

What, if anything, can be done about "shadow IT," especially since IT employees as much as any others may be implicated in it all?

Geisler says the first step is nailing down policies, with the chief information security officer setting the tone in terms of confronting the need to use SaaS in a way that satisfies compliance and security requirements. Technologies for monitoring and controlling SaaS can also be applied, but trying to shut down SaaS entirely is hardly feasible. SaaS is often a creative way to do business, especially with younger employees, the report notes. But those in charge of IT security have to set up viable ways to control passwords, identity and access management, encryption, and data-loss prevention, for example, as part of SaaS usage.

With IT personnel confessing they are part of the "shadow IT" problem, Geisler suggests, the IT department "can no longer just point the finger" at the rest of the company.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
