The Shadow Knows

Russ Banham


August 1, 2013


The widespread use of business apps to improve employee productivity is a boon for companies. But it can also be a bane if mobile apps are being used without approval.

Employees cannot be blamed for using technology-based tools to more effectively handle work tasks. The growing array of business apps does just that—organizing calendars, coordinating business expenses, purchasing cheap airline tickets and managing dealings with financial institutions, to cite a handful of what are literally hundreds of mobile apps in use today. It is all part of the BYOD (bring your own device) phenomenon—the use of personal mobile devices like tablets and smartphones for work-related purposes.

It is common for employees today to crowd the minuscule landscape of their tablets and smartphones with apps like Google Drive, Dropbox, YouSendIt and Teambox, mingled with social media sites like Twitter, LinkedIn, Facebook and Salesforce Chatter. Tools like Marketo, Drupal, GoodData, TripIt and WordPress jockey for space alongside corporate data sharing sites like GroupMe, Evernote, Skype and Google Hangouts.

This unique intersection of social media, mobile devices and cloud-based delivery systems even has its own name—SoMoClo—coined by consultancy firm IDC. And it is a fast-moving train. According to an April 2013 survey of more than 500 IT professionals and business executives by IT trade group CompTIA, the BYOD market is projected to increase at a 15% compound annual growth rate, reaching $181 billion in market value by 2017.

The other side of this tremendous boost in productivity is that it is often occurring behind the backs of managers, IT, legal and compliance. The unauthorized use of these apps even has its own sinister name: Shadow IT. “The risks of Shadow IT are significant if not terrifying,” said Andrew Borg, research director, enterprise mobility and collaboration, at consultancy Aberdeen Group.

Among these threats are the loss or theft of proprietary intellectual property, competitive data and personally identifiable information like employees’ Social Security numbers. A thicket of regulatory compliance complications can ensue, costing both money and reputational currency.

“We asked companies what they thought the maximum financial exposure for not complying with BYOD regulations was for a single lapse, and the responses ranged from $10,000 at the low end to $461,699 at the high end,” said Borg. “And that’s just for a single lapse. Companies cannot afford to risk non-compliance.”

Mitigating such exposures is made difficult by the oft-hidden use of mobile apps. “If we are unaware that employees are creating these risks for us, how then can we manage them?” said Larry Dunivan, senior vice president and chief information officer at Ceridian HCM, a Minneapolis-based provider of cloud-based payroll and HR services.

“That’s the big problem with Shadow IT,” agreed Christian Kane, an analyst with consultancy Forrester Research. “One can’t fault employees for using these tools. Before they come into the workplace, they have expectations to use their mobile devices for work much the same way they do for personal reasons.” In essence, if IT refuses to provide employees with a tool that will make them more productive, they’re apt to spend the 99 cents to buy it on their own.

Human Nature

While users tap mobile business apps because of their convenience and promise of organizational efficiency, they often fail to appreciate the risks this use poses. “They could care less about security,” Kane said. “If Dropbox gives them the opportunity to do a quick, reliable file synch and transfer, they’re going to use it. If there happens to be sensitive health care or proprietary client information in the file that the company could be held liable for if leaked, it often doesn’t register.”

Stopping the unauthorized use of mobile apps is not the answer, these experts contend, if for no other reason than the horse has left the barn. “Eighty percent of employees are now using these apps,” Borg said. “Asking people to turn off their smartphones when they get to work just isn’t going to happen.”

He makes a good point—human behavior being what it is, employees are simply going to do whatever it takes to become more efficient at the work they do. “Stopping the use of business apps will only impede worker productivity,” Borg said.

So how can companies resist tossing out the baby with the bathwater? “Clear usage policies with teeth,” said Elissa Doroff, vice president and senior advisory specialist in the network security and privacy practice at insurance broker Marsh.

In establishing such policies, she recommends that employers in a BYOD environment insist that employees segregate their work apps from their personal apps. “IT should be entrusted to encrypt all messages involving the work apps, based on the level of data sensitivity and risk,” Doroff said.

Dunivan goes further, recommending that proprietary and sensitive information never be stored on a mobile device. “If it absolutely has to be collected on a tablet or smartphone, then IT should write a layer of secure codes protecting this data,” he said. He suggests that once the codes are written, IT developers should conduct automated reviews of the codes to identify potential security gaps. “You want to shut down the possibility of a SQL injection,” he said.

Above all, Dunivan sees the wisdom in risk management partnering with IT to create, monitor and police BYOD policies. “Together, we can determine how and where employees can access and transfer data containing personally identifiable information, and put filters in the email system that can trap and capture this data if we suspect it is in transit,” he said.

By pulling Shadow IT out of the shadows, risks that otherwise would escape attention can be illuminated, managed and mitigated. And the productivity benefits of SoMoClo can be realized without fear.

Russ Banham is a veteran business journalist and author based in Los Angeles.