54 per cent of respondents to a survey said that their IT department is involved in the adoption of new technologies for end users, including cloud-based services.
The survey of 1,000 IT security professionals by Intralinks and the Ponemon Institute found that 49 per cent of respondents believe their company lacks clear visibility into employees’ use of file sharing/file sync and share applications, while 51 per cent are not convinced that their organisations have the ability to manage and control user access to sensitive documents and how they are shared.
Speaking to IT Security Guru, Larry Ponemon, chairman of the Ponemon Institute said that a lot of decision making on services and technologies and what should be restricted and require permission is done at the business level, and not the IT function.
“I consider that to be part of the Shadow IT paradigm where businesses have shifted, as IT have a role to play but less a command and control where permission is needed and basic decisions are flowing more and more outside of IT,” he said. “Although IT does have a role, if we did this study four or five years ago, I would assume IT would be much more involved in selecting applications that are acceptable to use, restricting those that are not and whitelisting them.”
Ponemon commented that the loss of control is “trending downwards”, but there is a role for IT to play as there are more and more serious malware attacks and security breaches, maybe IT can regain some of its prominence.
Of the senior level respondents, 44 per cent did not believe they had the ability to manage and control user access to sensitive documents and how they are shared. Among respondents who do have that ability, their confidence in asserting it was mixed.
Ponemon also said that this was trending downwards, and there is no question that people are doing more stuff with information and creating more stuff, and as a result, it was harder to control access as there are too many things that you have to worry about.
He said: “How do you determine that a particular employee who has access to a file and the role changes, can you change access? It is very complex and a large percentage of access rights and permissioning is in control of those who do this for a living. They are regulated by the youth but in general it could be a security risk.”
He commented that a lot of organisations work on an “ignorance is bliss” attitude, and aim to keep people happy, but this results in a lack of control.
Daren Glenister, CTO at Intralinks, said: “The negative effects consumer-grade file sharing and collaboration platforms are having on the enterprise are clear.
“CIOs need to regain control of data, and to do that they need tools designed for the enterprise with security and compliance in mind, but without sacrificing end-user ease-of-use. Shadow IT is a powerful force, and it is one that CIOs need help fighting if they are to ensure the security and compliance of critical data.”