A new study shows that non-approved SaaS (software-as-a-service) applications may be more pervasive in the workplace than IT departments realize.
According to the study, which was performed by Frost & Sullivan and sponsored by McAfee, more than 80 percent of the 600 respondents use non-approved SaaS applications in their jobs – and IT employees are the worst offenders. IT professionals (83 percent) were slightly more likely than line-of-business users (81 percent) to use unapproved SaaS applications.
The cloud makes it easy for employees to deploy these applications on their own. Referring to these apps as ‘Shadow IT’, the report urges organizations to abandon the idea of simply restricting the use of SaaS applications and instead focus on finding the balance between security and enablement.
“With over 80 percent of employees admitting to using non-approved SaaS in their jobs, businesses clearly need to protect themselves while still enabling access to applications that help employees be more productive,” said Pat Calhoun, general manager of network security at McAfee, in a statement. “The best approach is to deploy solutions that transparently monitor SaaS applications and other forms of web traffic, and uniformly apply enterprise policies, without restricting employees’ ability to do their jobs better. These not only enable secure access to SaaS applications, but can also encrypt sensitive information, prevent data loss, protect against malware, and enable IT to enforce acceptable usage policies.”
Overall, 35 percent of all SaaS applications used within the enterprise are non-approved. The most popular unapproved app is Microsoft Office 365 (9 percent), followed by Zoho (8 percent), LinkedIn (7 percent) and Facebook (7 percent). Thirty-nine percent of IT respondents use unauthorized SaaS apps because “it allows me to bypass IT processes,” and 18 percent said IT restrictions “make it difficult to do my job.”
The security problem Shadow IT poses, however, is quite real – on average, 15 percent of users have experienced a security, access, or liability event while using SaaS.
“There are risks associated with non-sanctioned SaaS subscriptions infiltrating the corporation, particularly related to security, compliance, and availability,” said Lynda Stadtmueller, program director of the Cloud Computing analysis service within Frost & Sullivan’s Stratecast division, in a statement. “Without appropriate knowledge, non-technical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption. They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches.”