When it feels like you’re the only one to appreciate the dangers of unchecked cloud app use, it’s easy to think there’s no way of managing the situation. Do you feel that it’s a lost cause?
The worst offenders
If you find yourself at this stage of the app acceptance process, it’s likely you’re highly aware of a) what unchecked app use can mean for the business, and b) your employees’ blatant disregard for any policies you’ve put in place in an attempt to control app usage. Rightly or wrongly, this circumventing of the rules – a common symptom of shadow IT – is probably causing you a lot of frustration, even animosity, towards the worst offenders.
This lack of control is probably one of the biggest drivers of anger in the IT department. Maybe you feel like the Dutch boy plugging the leaking dyke with his finger: as soon as you deploy one sanctioned app or enforce a policy, another unsanctioned app or workaround springs up somewhere else? Employees’ use of cloud apps outside of the secure circumstances you’ve created causes you extra work, hassle and stress. Without tools like a cloud access security broker to give you full visibility into what everyone is doing, it’s impossible for you effectively to protect the business from attack or data loss. The flood is coming, and you’re running out of time…
A third (33 per cent) of respondents to our survey were concerned that employees would take advantage and use inappropriate or insecure apps within the workplace. When asked which department they felt had used cloud apps without permission, IT decision makers pointed fingers at the operations team (34 per cent), sales team (31 per cent) and HR department (27 per cent) as the worst offenders. Worryingly, these teams are perhaps the most likely to be dealing with customer and employee data, including personally identifiable information (PII).
Driving further frustration, 27 per cent said a lack of understanding at board level about what cloud apps could achieve gave them the most concern about app use. This disconnect with the board is not only frustrating, but could be holding back the business.
At the end of the day, it’s you who will be hauled in front of the board if a cloud app is compromised and company data goes walkabout as a result. Well, that doesn’t seem fair, when that same board wouldn’t listen when you told them the extent of the app problem within the organization!
A recent survey of nearly one thousand Institute of Directors (IoD) members showed the extent to which business leaders are exposing organizations to cyber attack: 91 per cent of business leaders said that cyber security is important but only around half (57 per cent) have a formal strategy in place to protect the organization. What’s more, only a fifth (20 per cent) of respondents hold insurance against an attack. Despite CIOs’ best efforts to raise awareness at board level on the importance of preparing for data breaches, executives seem to be failing to understand the potential (huge!) consequences.
So, how do we lower your blood pressure, get the board on board and create a general feeling of Zen when it comes to cloud app usage and cloud security within the business?
Step 1: Take back control. Gaining visibility and control over what employees are doing in the cloud is imperative. Find out the extent of the problem by running a full audit with a tool like a CASB into cloud app use across the organization.
Step 2: Ensure employee buy-in. Employees don’t use cloud apps to be malicious or to cause you stress, they’re just trying their best to get a job done efficiently. If you lock down access to apps, users get annoyed and ‘hey presto’ – workarounds appear and shadow IT materializes. So talk to your users to gain an understanding about what apps they want to use, and coach users towards safer app use by explaining their responsibilities around securing the business and its data.
Step 3: Remember you are not alone – at times it can feel like it’s you against the world, so it’s often good for your sanity (and blood pressure) to remind yourself that every company is going through this same evolutionary process. There are a ton of great resources out there and experts waiting to help you along the journey. So track down those free stress balls from years of InfoSec attendance, keep counting to 100, and get started on that data audit.