Ease of access and low-cost devices have created a tipping point in so-called “Shadow” or “Stealth” IT. Here are a few things MSPs should know about how shadow IT affects their managed security practice.
An industry buddy of mine said something interesting to me a few weeks ago: “The SMB doesn’t want to BUY security; they really just want the MSP to take care of it.” Conceptually, this isn’t a new idea. As subscribers of a service, any service, we as buyers have certain expectations. Take the home phone (yes, I still have one gathering dust under a pile of magazines in the kitchen). In exchange for a nominal monthly fee, when I pick it up I have a reasonable expectation of availability and security, to hear a dial tone and to not hear my neighbors' conversations on my line.
Security: Core Expectation
In managed services, security has become part of the core or basic expectations of the consumer. Along with service and support of my connected systems, an acceptable degree of security is expected as part of the nice, neat monthly managed package. For some time, this was a simple arrangement for the MSP, but today’s corporate Internet usage has skyrocketed, with all departments needing to be online all the time.
Ease of access and low-cost devices have created a tipping point in so-called “shadow” or “stealth” IT. Loosely defined as “the systems and solutions used inside an organization without IT approval,” shadow IT creates unforeseen vulnerabilities to a network but doesn’t exempt buyers from the expectation of security.
Here are a few things to look for:
- Everyone Does It: Frost & Sullivan reports, “80 percent of survey respondents admit to using non-approved SaaS applications in their jobs.” To clarify, these may be business-related cloud tools, but without IT oversight there is no way to know exactly what is being used or communicated.
- Lack of Clear (Cloud Policy) Consensus: Users are overwhelmingly unsure of the rules about setting up cloud applications, or they choose to deploy them anyway, without asking. As MSPs, it’s imperative to spend time educating end users and auditing systems to discover the tools deployed. Users will default to using the systems they want vs. asking permission.
- “Do As I Say … Not as I Do”: A favorite in my household growing up. The 2013 Frost & Sullivan report shows that some of the most obvious and objectionable offenses may come directly from the IT team and corporate leadership. Technicians have the tools and administrative rights that make it easy to bend the rules. The problem is compounded when business executives arbitrarily exempt themselves from company policies.
Controlling shadow IT comes down to education, control and the ability to effectively audit the systems and solutions in place. From a business perspective, there may be an opportunity to replace individually sourced cloud services with more secure enterprise-grade options that provide appropriate management oversight. Along with the potential for additional revenue streams, service providers can use unauthorized shadow IT access as a “teachable moment” for the end users. This type of “real world” education provides immense benefit and business value to the customer. #partnerwisely
Eric Pinto is product manager at Nuvotera. Guest blogs such as this one are published monthly and are part of Talkin' Cloud's annual platinum sponsorships.