The Road to Hell is Paved with Your Employees’ Best of Intentions


It’s done with the best of intent. They just want to get the job done. It’s a simple, small purchase. Setup is quick and easy, and they don’t need to talk to us, your I.T. support, to get it installed.

But the “shadow cloud” can be a threat to your company security and the integrity of your business information, and it may be costing you money you don’t need to spend.

The cloud, on its own, is just the internet. It’s everything existing outside your company, out there on the networks which are the internet. Cloud applications are the programs and software that you use by getting on the internet and logging in to a site. The information is accessed and stored on the internet. Gmail, Dropbox, your online backup, DocuSign, and even games like Fortnite and social media networks like Instagram are all part of the cloud.

What’s in the shadow cloud? All those services and online software subscriptions that your employees have signed up for to solve their problems, without even bothering you about these tiny details. Very entrepreneurial. Even admirable! They don’t know it, but it really can put you, your company, and your clients at risk.

This isn’t the “dark web” we’re talking about here. Shadow cloud is the same cloud (there’s really only one “cloud”), it’s just that these programs may be used without your explicit knowledge or without I.T. knowing. It’s the implementation of these online services and apps that remains in the “shadow” and not the quality of the application, per se.

While we don’t want to have a stranglehold on your employees or the tools they use, we do want you to know what the pros and cons are and how using the cloud can expose you and your company to risk and added expense.

Everyone is Doing it, Even I.T. Departments

It’s a common practice. McAfee conducted a survey of I.T. employees and business managers and found that 80% of them had used cloud applications that had not been approved by I.T. – their own department! Why would they do this?

  • Convenience: If an employee needs something right away, extra storage for example, they can get it immediately.
  • Frustration: These companies may have restrictive or annoying I.T. approval processes and the employees will sneak around them to get things done.
  • Preference: An employee may be used to a certain tool from a previous job or from their own personal use and choose to use that application instead of having to learn a new one.
  • Policy: There’s no company policy either for or against using cloud applications, approved or unapproved, so they’re just doing what they are used to doing.

Why Is It Risky?

On one hand, the cloud is a fantastic opportunity to find software and services that are fairly customizable, flexible, and in many cases, inexpensive. Cloud applications are a creative and quick solution for your employees who need digital tools.

The problem is that this can create issues with data security, transaction security, backup, and continuity. For example, if they’re creating documents in Google storage but not making any sort of contingency for accessing that work if they were to leave the company or get really sick, your company data is in the hands of that particular employee and their user credentials. Not a good idea.

Are you in healthcare? There are regulatory issues with HIPAA, PCI, and other laws on how your data should be handled. Not all cloud storage is considered a secure location. And just because they say they’re HIPAA-compliant does not let you off the hook for the security of patient data.

Not in healthcare? You could be even worse off. At least there are guidelines for being HIPAA-compliant. If you’re unregulated like that, you are subject to some lawyer’s whims as to what you may be liable for.

How Cheap Services Get Expensive

Online SaaS (software as a service) is cheap and easy. QuickBooks online, for example, starts at $10-$20 a month. Additional Google Drive space is a couple bucks a month, and even Microsoft 365 is only five bucks to start. It’s only a small amount.

But if this becomes a company-wide practice, with a lack of control and no coordination, the total cost to the organization may be more than it would be with a centralized, shared account or even an enterprise-level subscription.

Employees may find it annoying or slower than going out on their own. However, funneling requests through I.T. or coordinating through one department will save money if you can consolidate, manage or even have I.T. create better solutions to manage your needs.

Control the Risks

You should at least put a basic guideline for cloud applications into your I.T. policy. This lets employees know you appreciate the benefits (convenience, quickness, etc.) they are looking for from the cloud, but makes sure they understand the downsides.

Next, take an inventory survey of your employees to find out what they may be using. It’s going to require some old-fashioned detective work in talking to your employees. You’ll also want to search your network for installed applications. Many employees install an app and immediately forget they’ve done so, especially if they only used it once or twice for a particular purpose. Don’t rely on everyone’s memory or disclosure.

They may not realize that the little photo manager tool they log in to is putting your network at risk. Or that you’ve got a triple-backup system and that storing documents in the cloud leaves their information out of that system. And maybe they didn’t ask around to see if other employees or departments are already paying for the very same service.

It takes a seasoned and open-minded I.T. leader to help craft your policy. That person can also search your networks for any cloud services which may be putting your system at risk. Most importantly, they can help you implement cloud technologies that actually help your entire organization, instead of one employee who just wants to get some work done.
