Shadow IT: Trends Impacting Your Security Posture - Part 2
Shadow IT is a term used by IT professionals to describe IT systems and solutions used by employees without organizational approval. Frost & Sullivan conducted a study, sponsored by McAfee, on how Shadow IT impacts an organization’s security posture. The non-approved applications covered in the study are directly linked to work-related solutions; the study doesn’t cover employees’ personal Internet usage on company time.
Employees who responded to the survey came from sizable companies -- two-thirds from companies with 1,000 – 10,000 employees, and one-third from companies with more than 10,000 employees. The following is a continuation from Shadow IT: Trends Impacting Your Security Posture:
Risky Popular Apps
Shadow IT surpasses most popular SaaS categories, which include:
- 15% Business Productivity Apps -- including Microsoft Office 365 and Google Apps.
- 12% Social Media Apps -- led by LinkedIn and Facebook.
- 11% File-sharing, Storage, and Backup Apps -- including Dropbox and Microsoft SkyDrive.
Consequently, the following threats have impacted organizations due to unsecured Shadow IT apps (apps used by organizations with over 1,000 employees):
- 45% use Facebook
  - 35% of users have experienced a security event
  - 19% were infected by malware
- 40% use Google Apps
  - 17% of users have experienced a security event
  - 27% have leaked sensitive data
- 36% use Dropbox
  - 16% of users have experienced a security event
  - 24% unauthorized access events occurred
On average, 15% of employees have experienced some sort of security, access, or liability event while using SaaS applications.
Recommendations
Frost & Sullivan and McAfee have several recommendations for businesses dealing with Shadow IT.
- Establish a SaaS Policy -- Innovative organizations prefer empowering their employees to find creative solutions to business problems. Establish a broad SaaS policy that is aligned with your business objectives.
- Ditch the Dictatorship -- Welcome new ideas from employees. Don’t block popular SaaS applications outright. Employees are simply attempting to get their work done as efficiently and effectively as possible.
- Be Inclusive, Not Exclusive -- Don’t force your employees to only use the applications you have approved. Build your policy around a security solution that enables employees to securely access a broad range of reputable SaaS options. You can also control risk-prone applications by looking for solutions that offer policy-based control. For example, you can allow employees to access Facebook but you may want to restrict the “chat” function. You can also automatically encrypt files before employees upload them to file-sharing sites such as Dropbox or SkyDrive.
- Protect Employees and Corporate Data -- This critical step involves implementing a security solution that transparently enables secure access to SaaS applications. This security solution would also protect against malware and prevent data loss. McAfee Web Gateway can track all web traffic, provide malware protection, block suspicious URLs, prevent outbound leakage of sensitive data, and enforce acceptable usage policies.
With over 80% of employees admitting to using non-approved SaaS in their jobs, it may be too late to limit SaaS usage in your business. Rather than restricting the use of SaaS, your goal should be to use a security solution that lets employees use the tools that help them do their jobs better without compromising your organization.