December 11, 2013 by Canadian Underwriter
More than 80% of employees included in a recent survey admitted to using non-approved software-as-a-service (SaaS) applications in their jobs, according to a study from IT security firm McAfee.
Perhaps surprisingly, IT employees use a higher number of unapproved applications than other employees, suggest results from the study, conducted by Stratecast for McAfee. Cloud technology has made using such apps even easier for employees, without assistance from the IT department, McAfee notes.
The firm calls these non-approved applications “Shadow IT,” which it says is “the use of technology solutions within an organization that have not been approved by the IT department or obtained according to IT policies.”
Overall, nearly 35% of all the SaaS applications used are non-approved, according to the study.
“With over 80% of employees admitting to using non-approved SaaS in their jobs, businesses clearly need to protect themselves while still enabling access to applications that help employees be more productive,” Pat Calhoun, general manager of network security at McAfee, commented in a statement on the survey results.
“The best approach is to deploy solutions that transparently monitor SaaS applications (and other forms of web traffic) and uniformly apply enterprise policies, without restricting employees’ ability to do their jobs better. These not only enable secure access to SaaS applications, but can also encrypt sensitive information, prevent data loss, protect against malware, and enable IT to enforce acceptable usage policies.”
Microsoft Office 365 was the top unapproved SaaS application (9% of respondents), followed closely by Zoho (8%), LinkedIn (7%) and Facebook (7%).
On average, 15% of users reported having experienced a security, access, or liability event while using SaaS, according to the study.
Among IT respondents, 39% said they use unauthorized SaaS because “it allows me to bypass IT processes,” while 18% agreed that IT restrictions “make it difficult to do my job.”
“There are risks associated with non-sanctioned SaaS subscriptions infiltrating the corporation, particularly related to security, compliance, and availability,” Lynda Stadtmueller, program director of the Cloud Computing analysis service within Stratecast, added in the statement.
“Without appropriate knowledge, non-technical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption. They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches.”