The greatest violators of IT cloud security policies: top executives

Shadow IT -- the use of personal devices and cloud applications in the workplace -- is only expanding. Education and awareness about cloud security need to be ramped up.
Written by Joe McKendrick, Contributing Writer

It's tough enough to keep tabs on and enforce policies regarding shadow IT -- employee-owned devices and cloud applications being brought into the workplace. The fact that the CFO is doing his or her own thing with Dropbox doesn't make it any easier.

That's one of the conclusions of a recent survey of 1,300 corporate IT users, which sought to better understand employee habits regarding shadow IT.  The survey, conducted by Nasuni, found widespread use of cloud-based services, even in organizations with prohibitive policies regarding use of outside services for corporate data.

The survey zeroed in on adoption of Dropbox, the cloud-based storage and file-sharing provider. The survey report's authors described the goals of their survey thusly: "it is commonly understood that people use Dropbox to share personal photos, videos and documents. The question is – how many people are using Dropbox for work? And, perhaps more importantly, do organizations have a clear view into who is using Dropbox?"

It's no surprise that the survey sponsor, Nasuni, has a self-interest in publishing these results, as the vendor is a provider of enterprise storage to large organizations. But the findings are a worthy reminder that the proliferation of shadow IT -- be it the use of cloud applications or devices -- carries some risk. (And, contrary to Nasuni's dark warnings, there are advantages to business users having instant, on-demand access to cheap, ubiquitous technology resources, but that's the subject of another post.)

The Nasuni survey finds that across the board, at least half of the respondents use Dropbox in their organizations. Dropbox usage is particularly strong within universities, service firms, and manufacturers. Marketing and engineering departments tend to be the leading Dropbox adopters.

The report cautions that in many cases, corporate information is stored within personal Dropbox accounts. Nasuni pegs this number at 1 out of every 5 respondents. "In the process of leveraging file-sharing services, users are storing files outside of the managed IT infrastructure in a solution that does not provide enterprise class security or control," the report adds.

In fact, the survey also found that half of employees use these cloud file-sharing and storage services -- even though they are aware that their employer has a policy against it. And guess who are the worst violators of these policies? Yeah, the top executives. As the study finds, VPs and directors are most likely to use Dropbox despite the risks.

The problem likely won't go away anytime soon, as it is being fueled by mobile technology. About 58% of respondents with a personal mobile device say they resort to using their own device to access work files because the company does not provide the tools they require. Dropbox usage is prevalent in the mobile world as well; after e-mail, it is the most common tool used for accessing work files on a mobile device.

As the number of devices grows, the use of Dropbox and shadow IT will simultaneously increase to meet the demands of new users. Twenty-five percent of survey respondents plan to have an additional smart phone or tablet before the end of the year. This rapid growth of mobile devices will naturally drive demand for accessing work files; 73% of respondents who are planning to acquire a new device say they will use the device to access work files.

Tougher enforcement and governance are not the best way to contain any negative effects from shadow IT -- besides, who's going to go in and reprimand the CFO or CIO? Instead, Nasuni recommends more deliberate efforts at education and training. For example, the survey data shows that almost half of all respondents do not know the company policy on accessing file-sharing services, indicating that these companies either do not have policies or have not effectively communicated the policy to users.

Even those organizations that have educated their users about corporate IT policies seem to not have done a very good job of addressing the problem with shadow IT either. The survey finds that 49% of users do not follow IT policies even when educated about the policy.
