The Biggest Cloud Security Risk Lurking in Your Company’s Shadow IT


Written by Lara White

There’s a growing awareness of the cloud security issues caused by shadow IT, and a growing sense among enterprise information security and regulatory compliance experts that shadow IT is a problem that needs to be addressed. But reality hasn’t quite caught up to the experts’ opinion, as our 2014 Cloud Adoption & Risk Report for North America & Europe shows: a whopping 88% of cloud applications at North American companies and 82% at European companies are shadow IT, with just about every application category represented! Check out our Top Enterprise Security Issues infographic for more stats.

As you consider the next steps you must take to get your organization’s shadow IT problem under control, make sure you understand what the biggest cloud security risk of your company’s shadow IT is. In short, it’s the employees who use shadow IT.

At the end of the day, after all, no unsanctioned cloud app (no matter how unsecured) can be blamed for an enterprise data breach. The ultimate responsibility lies with the employee who self-provisioned an unsecured cloud app and placed sensitive data in it. The biggest cloud security risk of shadow IT is the employee.

Employees are the ones who choose to:

  • Adopt unsanctioned shadow IT applications without a clear understanding of the company’s cloud data security and regulatory compliance challenges and requirements
  • Adopt unsanctioned shadow IT applications with data centers whose locations conflict with company cloud data residency requirements and policies, or that fail to meet Safe Harbor requirements in the event of a breach
  • Place sensitive, unencrypted data in unsanctioned shadow IT applications outside of IT’s visibility or control
  • And inappropriately share sensitive corporate data using shadow IT channels unmonitored by corporate DLP tools

For these reasons, enterprises hoping to rein in shadow IT and enable more secure, controlled, and IT-managed cloud computing for their employees must first look to the ways that employees themselves create cloud security risks, and find ways to prevent them from doing so.

When it comes to shadow IT, the best approach is to begin by understanding why employees choose the risky path of unsanctioned cloud applications. In just about every case, employees adopt shadow IT because they find their company’s IT-sanctioned solutions inadequate for their needs or too difficult or unreliable to depend on. Stemming the tide of shadow IT will require organizations to give their employees better options: applications that will meet their needs, eliminating the perceived need to circumvent the official solution, but that provide enough visibility and control to satisfy corporate data security and compliance requirements.

Of course, enabling a more secure cloud environment for an enterprise can be a long, multi-stage process, and in the meantime, many shadow IT risks may continue to exist. To minimize those, think again from the employee point of view. In most cases, an employee who adopts shadow IT hasn’t done so to spite the IT department. In fact, most employees may not even be aware that what they’re doing puts corporate data at risk. Not everyone works in the IT department, after all. The sales team isn’t expected to understand the ins and outs of corporate data security and regulatory compliance. Nevertheless, perhaps these employees should receive a crash course in the basics. Once they understand the potential consequences of adopting shadow IT, they will likely be less eager to do so. In this case, knowledge truly is power.

Are you ready to tackle the shadow IT problem at your organization? If you’re looking for more information, start with our 2014 Cloud Adoption and Risk Report to see the trends affecting North American and European businesses.