

 – Espion looks at the challenges for CIOs in the era of “Shadow IT products” –

Like it or not, today’s workers want to use their own devices, applications and software to be more productive at work.  Who could blame them for wanting to take advantage of the time-saving, skill-boosting, collaboration-enhancing, process-streamlining (and more) apps and software that have flooded the market?

In many cases, these “Shadow IT products” (non-approved SaaS applications), are downloaded and adopted by employees without consulting their IT department.  The scale of this was highlighted last year when a Stratecast and Frost & Sullivan study found more than 80 per cent of survey respondents admit to using non-approved SaaS applications in their jobs.  In addition, the study found, the average company uses around 20 SaaS applications; of these, more than seven were non-approved.

This new frontier poses many challenges for CIOs, who are expected to deliver IT that lets people work the way they use technology at home (fast, wireless and connected 24/7) while still maintaining security and compliance.

In an increasingly complex device, application and software landscape, just how can today’s CIO navigate the ever-evolving tasks of Application Management, Mobile Device Management and Enterprise Mobility Management?

The risks versus the rewards

Without doubt, apps and cloud solutions such as Basecamp, Salesforce, Dropbox and Google Apps are great for productivity and flexible working.  However, organisations need to be highly cognisant of the information security risk some apps pose, particularly as consumers often ignore end user licensing agreements (EULAs), enabling developers to collect and utilise private information to varying degrees.

According to application security company Veracode, 67 per cent of mobile applications can access, add or edit address book contacts.  This ability to read data from SIM cards and transmit it to unknown geo-locations could expose an organisation to data loss, improper transmission and storage of potentially sensitive corporate data.

Espion security consultant Shane Ryan explains:  “The worst case scenario is that IT is unaware of cloud and mobile apps employees are using which means they can’t control data access and management.  Here a key concern should be corporate data access and data confidentiality issues.

It’s important we learn from the BYOD frontier, where devices were accepted so quickly and extensively that before organisations knew it, vast numbers of employees were using their personal devices for work with little to no consideration of the security implications.  As information security moves higher up the corporate agenda CIOs need to take a strategic risk-based approach to managing devices, applications and non-enterprise approved Shadow IT software.”

It is paramount that CIOs take heed of the growth in consumer market technologies within the enterprise and accept that this trend will continue to evolve.  Organisations should plan for and address the security aspects of devices, apps and software.

When it comes to protecting your data’s confidentiality, integrity and availability, as well as your resources and your reputation, here are ten things to consider.

Ten tips for tackling Shadow IT


  1.      Monitor your network to keep track of what Shadow IT is lurking in your systems

By continuously scanning and monitoring your network you will be able to identify Shadow IT and keep track of what’s going on.

To identify the cloud services being used outside of IT’s scope you can process log data from your firewalls, proxies, SIEMs and Mobile Device Management products.
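The log-processing step from tip 1, as an added example that is not part of the original article: it aggregates web proxy records by destination host and reports every host that is neither internal nor on the approved list, ranked by upload volume. The log format, hostnames, user names and the approved and internal lists are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample proxy log: timestamp user method host:port bytes_sent
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice CONNECT app.approved-crm.example:443 5120
2024-03-04T09:12:44Z bob CONNECT files.unvetted-share.example:443 48230112
2024-03-04T09:13:10Z carol CONNECT files.unvetted-share.example:443 1048576
2024-03-04T09:14:02Z bob CONNECT notes.unvetted-notes.example:443 20480
2024-03-04T09:15:30Z alice GET intranet.corp.example:80 900
2024-03-04T09:15:59Z dave CONNECT
2024-03-04T09:16:05Z bob CONNECT FILES.unvetted-share.example:443 2097152
"""

# Assumption: both lists come from IT's own inventory of sanctioned services.
APPROVED = {"approved-crm.example"}
INTERNAL = {"corp.example"}

def matches(host, domains):
    """True if host is a listed domain or a subdomain of one (label boundary)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def find_shadow_it(log_text, approved=APPROVED, internal=INTERNAL):
    """Aggregate traffic to hosts that are neither internal nor approved."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip truncated or malformed records instead of aborting
        _ts, user, _method, dest, sent = fields
        host = dest.rsplit(":", 1)[0].lower().rstrip(".")  # drop port, normalise case
        if matches(host, approved) or matches(host, internal):
            continue
        entry = stats[host]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_sent"] += int(sent)
    # Largest upload volume first: these services are most likely to hold corporate data.
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes_sent"], reverse=True)

if __name__ == "__main__":
    for host, s in find_shadow_it(SAMPLE_LOG):
        print(f"{host:32} users={sorted(s['users'])} "
              f"requests={s['requests']} bytes_sent={s['bytes_sent']}")
```

Matching on a label boundary matters: a plain suffix check would treat a look-alike host such as `evilapproved-crm.example` as approved.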

  2.      Quantify the risks by knowing who has access to your corporate data

A key concern should be corporate data access and data confidentiality issues.

By identifying and understanding what data you are processing, transmitting and storing, you can classify it into categories such as confidential, internal organisational use only, public etc.  This will help you ensure the right level of controls is used to protect the data.


  3.      What’s the policy?

Consider having a ‘consumerisation policy’ that states what apps, software and devices can be used in the workplace, what part of the network they are allowed to access and what security procedures and protocols they must adhere to.

  4.      Make use of ‘intelligence’ resources that are available to find out about these apps

Currently there are exciting new trailblazing technologies that help enterprises determine the ‘trust’ level of apps with all-in-one App Risk Management services and global databases of analysed public and private apps.  Apps can then be blocked based on your risk appetite and enterprise policies.

  5.      Communicate the risks to stakeholders

Explain to colleagues that when they deploy Shadow IT the configuring and managing process (applying patches, authentication and access controls as well as security testing) falls outside the organisation. That makes organisations and their reputation vulnerable.

Enforce the use of only approved applications that meet enterprise standards, and when necessary restrict network access for workers who fail to comply.


  6.      Fear Free apps

While workers may think they are saving money by opting for free apps, these technologies generate revenue by sharing user data with third parties like ad networks, which affects overall app security and privacy.  If you are not paying for the app, you and your company data are the product.

  7.      Look for solutions to secure these apps and clouds

When it comes to controlling the extended enterprise, simply and securely, find a solution that can streamline wide-scale deployments by securing or restricting apps automatically.


  8.      Don’t overlook licensing agreements

Shadow software and apps challenge software asset management compliance.  What would your organisation do if unapproved software spurred a compliance / regulatory audit with the risk of fines?


  9.      Work with employees to tackle this issue

Aim to work with employees to tackle this issue and have a clear dialogue with business stakeholders about their business challenges and requirements.  IT should ultimately be enabling the business to work better and smarter at a known level of risk which is accepted by the business.

Remember to build awareness around the hazards of Shadow IT into your company-wide security awareness and training.

  10.  Perform security testing regularly

Evaluate device security and usage of apps periodically.