How big a problem is shadow IT? Much bigger than you might imagine. A Logicalis survey of more than 400 CIOs from around the world found that 90 percent of CIOs are bypassed at least occasionally by line-of-business staff making technology-related purchasing decisions, and 31 percent are bypassed “very often” or “most of the time.” In addition, Cisco found that, based on its cloud consumption engagements with customers, “large enterprises on average use over 1,200 cloud services—over 98% of them are Shadow IT.”
Shadow IT can cause multiple issues in enterprises, including downtime, inefficiency, a lack of interoperability, maintenance woes, unnecessary spending and more. One of the most serious problems, though, is security. Holly Dale, security operations center director for the Armor security firm, writes in a blog post titled “The Real Cost of Shadow IT” that “there are very real security concerns about technologies set up outside of normal IT processes.”
She warns, “From a compliance perspective, there are major concerns with shadow IT. Employees procuring and implementing their own software, systems or services invariably fail to implement even rudimentary security controls such as changing default passwords, patch management, log correlation, or security monitoring…A lack of compliance can cause ‘findings’ (noncompliance with regulations or procedures). This can lead to audit failures, possible decertification of the system, loss of company proprietary or critical data, or loss of public trust in the business.”
She concludes there are even worse security problems with shadow IT: “Systems and software placed on a network without IT/Security awareness will more than likely remain unpatched. This can easily result in vulnerabilities and entry methods for threat sources. Because logs for unknown systems likely aren’t sent to central correlation and aren’t regularly reviewed, intrusions or unauthorized access at these endpoints can go unnoticed for months, or might never be discovered at all! Without proper log distribution, such intrusions may not be exposed unless and until the intruder attempts to jump to other protected and monitored nodes or subnets.”
Christopher Frank adds this warning in a Forbes article about shadow IT: “Data loss and downtime can happen if we download software or run a tool that might include a cryptolocker and start to encrypt files across the file server.”
The security issue is only getting worse. Gartner estimates, “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.”
How to Protect Against Shadow IT Security Dangers
All this doesn’t mean that companies should try to eliminate shadow IT. Line-of-business experts, citizen developers and others outside IT help spur digital innovation, as does the use of cloud services. So instead, companies should, in the words of Gartner, “find a way to track shadow IT, and create a culture of acceptance and protection versus detection and punishment.”
Alpha Software can help. Alpha TransForm technology can help IT lock down mobile forms without slowing down the business. And it can integrate apps created by business users into the existing databases and workflows IT organizations have already invested in and secured. Alpha TransForm also provides a method for business users to develop new, secure business apps in minutes -- with higher performance, faster UIs for end users, and richer data capture capabilities (offline operation, data lookup and validation, large data storage, GPS, audio/image capture and more).
For details about how to secure your business apps and keep your security and data policies in place, connect with Alpha Software.