More Proof That Shadow IT is a Growing Issue

When talking with organizations about how the cloud can help them, I’m often told that cloud has no place in their organization and they’re not using it in any way, shape or form. They also point to the perceived security risks that cloud brings as their #1 reason for not using any flavor of cloud. My response is generally one of incredulity – I suggest to them that cloud IS being used within their organization, it’s just that they have no visibility over it. I also suggest that the perceived security failings of cloud may well pale in comparison to their own security limitations. In such instances it’s handy to have some concrete statistics to back up my assertions and hence it was interesting to see a recent survey from OneLogin that paints a fairly stark picture of the reality within organizations.

Some high-level stats:

  • 71% of organizations say employees are using apps not sanctioned by IT
  • 72% say they have a need to allow cloud app access to non-employees
  • 43% say they still use “sticky notes” or spreadsheets to track passwords
  • 78% of respondents plan to increase their use of cloud apps
  • Staggeringly, 34% share passwords with their co-workers for applications
  • 20% of organizations experienced an employee still being able to log in after leaving the company
  • 48% of respondents are still not able to sign in to cloud applications with a single set of credentials

So, where to start on this one? Well, for a start it’s truly bizarre that such a high proportion of organizations admit the existence of rogue IT – clearly the barriers to sanctioned adoption are simply too high and that’s what is forcing people to gain access via workarounds. It is heartening to see that trend balanced by an organizational intention to roll out more cloud applications which will, in time, reduce the occurrence of rogue IT.

But it’s the password management responses that had me cringing. Nearly half of organizations use the fabled “sticky note approach” to password management? As an industry we really have a problem if this is the case. Sure, complex password management is just that, complex. Sure, integration with enterprise services like Active Directory can sometimes be something of a burden – but to resort to such an inherently dangerous way of managing passwords is simply bizarre. Doubly so when one considers that the main reason enterprises often give for not adopting cloud solutions is the perceived security risk burden they’d have to accept.

While security is a complex and difficult subject, password security should not be. Single sign-on, integration with enterprise systems of record and the ability to collaborate with external parties around applications should be the starting point for organizations and not some pie-in-the-sky aspirational goal.