cloud usage report 2015
TRANSCRIPT
Introduction
Methodology
Executive Summary
Cloud Application Usage in the WorkplaceIs a lack of communication and education to blame for the rise of Shadow IT?Employees want to use applications that help them do their jobIT departments are underestimating the risks Shadow IT posesThe problem with too many cloud applicationsAge plays a pivotal role in the growing threat of Shadow IT
Conclusion
Top Tips to Mitigate Shadow IT
Cloud Usage & Risk Analysis
About Trustmarque
Table of Contents
3
4
5
666788
10
11
12
13
2
With cloud application usage rapidly growing in many businesses, the emergence of Shadow IT is placing a greater strain on IT departments. Increased use of cloud services has heightened security concerns, with the number of data breaches tripling in recent years.1 So are organisations managing the risk of Shadow IT effectively, or are they at increased risk from new threats?
Trustmarque has commissioned an independent survey to explore trends in cloud usage from an employee perspective, looking at application usage and organisational policy.
1 Netskope and Ponemon Institute, “Data Breach: The Cloud Multiplier Effect in European Countries’” (2014)
Introduction
3
A sample of 2,016 adults were interviewed across Great Britain via an online survey in November and December 2014. The sample is weighted to represent the full and part-time workers between the ages of 16-64, providing a detailed overview of cloud application usage in UK organisations.
Methodology
4
TNS is one of the largest research agencies worldwide. TNS provides actionable insights that help make impactful decisions that drive growth. TNS are part of Kantar, one of the world’s largest insight, information and consultancy groups.
The multi-device, tech-savvy office workforce of today is causing major issues for IT departments. Despite organisations becoming more effective at integrating and providing access to applications and support for devices, IT departments are continually underestimating the magnitude of the potential threat posed by Shadow IT.
Employees are becoming an integral part of the Shadow IT problem, using more applications than ever before. To combat this, some IT departments are using network perimeter technologies to limit the usage of certain cloud applications.
However, office workers are increasingly finding ways around the blocks enforced by IT departments. With 90% of usage in cloud applications being from those blocked by perimeter technologies,2 existing policies are becoming increasingly outdated and ineffective.
As mobile and cloud emerge as the defining threats to IT security,34 trends suggest that organisations are failing to keep on top of new technologies and employee workarounds.
With nearly 9 out of 10 applications used in organisations not being enterprise-ready5 and 84% of employees unaware of organisation-wide cloud usage policies, IT departments are struggling to adapt their infrastructure and policies to meet the demands posed by new technologies.
2 Netskope Cloud Report April 20143 ZDNet, “10 top security threats of 2014 (so far)”4 CNBC, “Top 5 cybersecurity risks for 2015”5 TechRadar, “How to ensure that shadow IT doesn’t put your data at risk in 2015”
Executive Summary
5
Is a lack of communication and education to blame for the rise of Shadow IT?
Despite organisations having clear policies in a number of different departments, be it the hiring process in HR, or expense reporting for finance, it appears some IT departments are struggling to replicate this due process. IT managers continue to be stuck between a rock and a hard place when it comes to managing cloud applications across the business.
As the research shows, this has led to a considerable lack of clarity when it comes to implementing and enforcing cloud usage policies, with 84% of office workers surveyed stating that their organisation has no cloud usage policy or that they are unsure whether such a policy even exists (Figure A).
This lack of clarity may lead to employees misinterpreting company policy and exposing the organisation to data security breaches.
Employees want to use applications that help them do their job
As the line between home and work becomes increasingly blurred with the growth of bring-your-own-device (BYOD) policies across organisations, so has the use of personal and work applications.
40% of cloud users admitted to using applications that have not been sanctioned or provided by IT (Figure B). Most notably, many of the unsanctioned applications used by employees, such as Evernote and Dropbox, are designed to increase productivity and improve collaboration.
A significant number of cloud users are turning to these applications (27%, Figure C), because corporate IT is failing to meet their needs. For example, email attachment limits and limited data storage facilities force users to use file sharing and personal cloud storage applications that allow them to access their documents anywhere, at any time.
Cloud Application Usage in the Workplace
6
Figure A: Does your organisation have a cloud usage policy?
28%Don’t Know
16%Yes
56%No
Office Worker Cloud Usage & Risk Report
IT departments are underestimating the risks Shadow IT poses
The introduction of new devices and applications into organisations has had far-reaching consequences for IT departments. Many organisations have struggled to provide support to the security challenges posed by new technologies, due to having little knowledge of the applications and devices being introduced.
With 1 in 5 cloud users admitting to uploading sensitive company information, such as contracts, sales forecasts and customer information, to a file sharing or personal cloud storage application (Figure D), and nearly half of office workers ignoring known cloud usage policies (Figure E), it appears that IT departments are struggling to fully comprehend the risks associated with Shadow IT.
7
Figure B: Do you or have you used applications that haven’t been explicitly sanctioned or provided by IT?
60%No
40%Yes
Figure C: Have you taken to using such applications and services to get round the restrictions of corporate IT?
73%No
27%Yes
Figure D: Have you ever uploaded sensitive company information to a file sharing or personal cloud storage application?
80 %No
20%Yes
Figure E: Have you ignored a cloud usage policy because it restricted you from being able to do your job effectively?
52%No
48%Yes
Office Worker Cloud Usage & Risk Report
Office Worker Cloud Usage & Risk Report
The problem with too many cloud applications
As the number of cloud applications used in enterprises continues to grow at a rapid pace, many organisations are falling victim to cloud sprawl - making it hard for IT departments to know how many applications are in use within the organisation.
Due to the vast number of applications in place, organisations are finding it difficult to consolidate and standardise cloud applications across the business. Part of the problem lies with employees, with 27% of cloud users having downloaded cloud applications that they no longer use (Figure F).
Age plays a pivotal role in the growing threat of Shadow IT
Cloud users who fell into the age category 16-34 were more likely to flout company policies and risk data security. Data security is a particularly worrying trend with the younger age demographic. 40% of 16-34 year olds surveyed admitted using cloud applications and services to save and access data from their previous job (Figure G).
8
Figure F: Have you downloaded cloud applications that you no longer use?
73%No
27%Yes
60%No
40%Yes
Figure G: Have you used applications and services to save and access data from your previous job? [16-34 Demographic]
Office Worker Cloud Usage & Risk Report
Office Worker Cloud Usage & Risk Report
More than a third (34%) of 16-34 year olds ignored a cloud usage policy because it restricted them from doing their job properly (Figure H). Moreover, 3 out of 10 cloud users surveyed between the ages of 16-34 admitted to using file sharing or personal cloud storage applications to upload sensitive company information (Figure I).
It appears that IT departments are struggling to respond to the increasingly tech-savvy younger officer worker and cloud user. Restrictions and blocks put in place don’t appear to be working, with more than a third (36%) of 16-34 year old cloud users actively using applications and services to avoid the restrictions of corporate IT (Figure J).
9
Figure H: Have you ignored a cloud usage policy because it restricted you from being able to do your job effectively? [16-34 demographic]
66%No
34%Yes 52%
No
48%Yes
Figure I: Have you ever uploaded sensitive company information to a file sharing or personal cloud storage application? [16-34 demographic]
64%No
36%Yes
Figure J: Have you taken to using applications and services to get round the restrictions of corporate IT? [16-34 demographic]
Office Worker Cloud Usage & Risk Report
Office Worker Cloud Usage & Risk Report
The growth of cloud applications usage shows no sign of slowing down, meaning that security and compliance concerns will continue to grow.
For IT departments, the ongoing challenge is maintaining an environment that supports employees’ changing working practices, but at the same is highly secure.
A blanket approach towards blocking unsanctioned applications can often be unrealistic. Therefore, IT departments need to be able to address Shadow IT in a strategic and proactive manner – this means empowering employees to use their favourite cloud applications while protecting the organisation from data loss and network threats.
IT departments need to be able to analyse the activities that pose the greatest risk (e.g. sharing data outside the company) and block them specifically to mitigate risk. To do this, real-time visibility into how every cloud application is being used is essential.
Offering alternatives that meet industry compliance but deliver the same functionality as unsanctioned options, combined with providing a more open dialogue between IT departments and the workforce, can empower organisations – only then can they enforce smart usage policies and foster safe cloud application practices.
10
Conclusion
11
Understand the applications:
Discover which Cloud applications are being used in your IT environment. For higher risk applications, particularly those you don’t procure and administer, you will need to take steps to evaluate how these applications are being used in your organisation. You have to assess their risk and consider: How are they used? Do they deal with sensitive data? If they are dealing with sensitive data you may need to place limits on sharing activities or select lower risk options for the business.
Track application usage:
Understand what people are doing with the Cloud applications within your organisation. For heavily used applications, you need to identify the activities (e.g. sharing, downloading) and assign each activity a risk level. Once you identify the applications which employees are using to perform high-risk activities, you need to set policies to block any high-risk activity. You can also set a baseline to detect anomalous behaviour, such as excessive downloading, spikes in usage, and logins from unusual locations.
Block activities, rather than applications:
A blanket approach to blocking applications is unrealistic and prevents workers from true productivity gains. Rather than blocking applications en masse, you should look to analyse the activities that pose the greatest risk (e.g. sharing data outside the company) and block them specifically to mitigate risk. Do this for both the applications you manage and those you don’t.
Educate co-workers:
If you have to block certain activities, be sure to tell the users why this particular action has been taken. By teaching them about policy enforcement, it will encourage them to use their favourite applications safely and address the risk together.
Offer a substitute:
Sometimes particular applications do put the business at risk and require blocking. If this is the case, you can suggest alternative applications, which share similar features but pose less risk to the business. Inform staff as to why the application puts the business at risk and offer a solution, acting as a problem solver rather than an obstacle.
These sanctions and measures will enable you to take a strategic approach to employee Cloud adoption and meet the needs of users whilst keeping the organisation secure and in control.
Top Tips to Mitigate Shadow IT
12
Cloud Usage & Risk Analysis
Take control of your cloud – view our Cloud Usage and Risk Analysis video:
Empower secure Cloud usage in your business
Private Cloud (Hosting Service)
IAAS (Public Cloud)
Hybrid Cloud Integration
DAAS
Cloud Advisory Service
Cloud Solutions
We empower businesses with tailored Cloud solutions to meet individual
organisational needs
Discover
Discover all the Cloud apps running in your
environment, whether they are approved or not, on-premises or remote and
on any device.
Visibility & Analysis
Explore in-depth Cloud app usage details providing a
comprehensive audit trail, allowing you to see who is sharing content outside of the company, for example.
Policy Enforcement
Enforce smart, personalised, granualr
policies that protect your organisation in real-time on an enterprise scale.
Trustmarque is a leading provider of end-to-end IT services to the UK public and private sectors; including software solutions, cloud, professional and managed services. At Trustmarque we give honest, simple and independent advice that helps customers navigate an increasingly complex world of IT.
We simplify business, through a flexible and cost-effective approach that empowers organisations and their people. With over 27 years’ experience at the heart of the rapidly evolving IT market, Trustmarque has established a position as a leading technology provider to high profile clients from the private sector, UK government and healthcare organisations.
For more information about Trustmarque visit www.trustmarque.com, call 0845 2101 500, or email [email protected].
About Trustmarque
13