When we speak about 'Shadow IT Applications,' we speak of applications that exist in an IT infrastructure without having passed through normal IT processes intended to ensure that they are functional, secure, and can support more than one user.

Generally, the applications are installed by end-users for purposes ranging from IT functionality not currently provided by official IT resources, to personal reasons. Given the popularity of BYOD, every use on that spectrum could be considered appropriate.

For personally owned devices, the owner should have the right to use the device for personal purposes. On corporate devices, IT departments are placed in a difficult position: either they implement policies that say there will be no unauthorised applications on a device.

In this case they take on responsibility for ensuring that all the latest features are tested and deployed as appropriate and in a timely manner. 

Alternatively, they allow the users to innovate on their own and keep track of the outcomes. Given the speed of innovation, even large IT departments will sometimes find themselves falling behind the technology curve regarding adoption of the latest trends.

> See also: How to balance innovation with risk when it comes to shadow IT

Organisations with extremely high security requirements are likely to choose a more tightly controlled 'guilty until proven innocent' approach – which provides greater up-front security assurances at the cost of slower innovation. 

Organisations with greater risk tolerance have the option of monitoring the use of emerging technologies that take the form of Shadow IT applications and follow the 'innocent until proven guilty' approach, which entails more up-front risk but encourages innovation.

True path of least resistance

Security service providers like Zscaler act as intermediaries between the open internet and their customers, filtering out as much malicious traffic as possible.

It is up to a particular organisation to make their own policies regarding Shadow IT systems and applications, however a security provider can support that decision by identifying and reporting the operation of applications that corporate IT may not be aware of, including their association with malicious traffic.

A popular application inherently involves more risk to an organisation than a more obscure one, due to it's scale. If two applications (an unpopular one and a popular one) are equally secure, more users will be victimised due to the same flaws in the more visited application – that application is thus arguably more of a threat than the less popular one.

As the popularity of an application increases, so too, should the developer's attention to security. For this reason, we make use of a metric based on the number of users who would have been negatively effected by an application, rather than one related to ratio of safe to unsafe network traffic associated with the application.

Zscaler made a list of the 20 riskiest applications, in terms of actual (attempted) user victimisation and based on data from one of Zscaler’s cloud-based data sets over a period of 180 days from the beginning of 2015.

Facebook, Skype and Twitter top the list of sites containing the most malware. Often, users click on or unwittingly download malicious applications without realising they have put themselves and the organisation in danger.

Interestingly, Amazon has not been observed to be serving a large amount of malware, but they do have the highest number of suspicious links. Popular webinar services also contain unusually high numbers of suspicious links and packages such as attachments.

The role of the CIO and the CISO

While CIOs and CISOs try to retain control by providing corporate applications, for example, there are simply too many competing applications on the market to tempt employees away.

Zscaler's research shows that employees will still step outside the official corporate ecosystem if they can work more efficiently using apps that they know and like, such as Dropbox or Evernote. Blocking is simply not the answer.

Cloud has opened the floodgates of change in how employees work. The momentum is unstoppable as the consumerisation of IT continues to push personal cloud applications into the enterprise.

Free and low cost apps are now available to users like never before. In the workplace, employees can often download them and be up and running in minutes.

Apps that incorporate business data and integrate with existing enterprise applications can be installed without IT involvement, putting organisations at risk of cyber attacks and malware infection in ways that they cannot predict, without the ability to monitor and control application use within the enterprise.

An increase in attacks tailored to specific organisations has changed the business environment into an entirely new threat landscape. When not managed correctly, holes open up, through which valuable business data can easily fall.

> See also: Why CIOs shouldn't fear shadow IT

But the CIO and CISO need not prohibit cloud applications wholesale – they can find alternative ways to close the gaps. To keep pace, IT must go from 'block or allow' to 'manage and monitor.'

It’s all too easy for businesses to feel overwhelmed at the new technology coming to the market, or new consumer apps penetrating the workplace. However, it is a positive step that employees are seeking to be more efficient whenever and wherever they happen to be working.

Businesses must take advantage of the cloud in order to keep pace with a rapidly evolving market, not to mention today’s security threats. We cannot continue to rely on traditional appliances and solutions that have failed to keep up with the new cloud norm.

Network data will help businesses understand employee behaviour and in doing so, CIOs and CISOs can support the cloud apps that employees choose in a manner that doesn’t expose the company to unnecessary risk. The challenge for businesses is how to keep up without compromising security.

Sourced from Matt Piercy, Zscaler