Why SaaS risks to your business could be hiding in plain sight
Monday 23rd April 2018
By Tim Croy, CTO, Ampliphae
"I'm travelling next week," says the email. "When you're finished with the spreadsheets, can you put them in my Dropbox. I'll send you a link."
And so, it begins. Recently, I worked with a company that was using a file sharing service, chosen in just this fashion. One employee needed access to some documents on the go, so she sent everyone a link to the service. Soon, the team's needs had outgrown the free service, so one of them signed up for an individual licence and put the cost through on expenses.
The same team was also using two cloud services to track backlinks and social mentions for its websites. Again, a team member was paying for these on expenses with the approval of his boss. In the same company, the sales team was using a free CRM; two departments had signed up for a popular mass-mailing cloud app; another team was using a rival file-sharing service to the one used by marketing; and one of the senior leaders had signed his direct reports up to a popular business messaging app.
Everyone in the company either used these apps or knew they were being used. But no one had put them through a proper procurement or compliance process. The only time this profusion of cloud services was really discussed was when the issue of using two file-sharing apps came up. People were momentarily annoyed by the barrier to sharing across teams and everyone agreed that something should definitely be done about it, at some point, by someone.
What IT doesn't know can't hurt... oh wait!
In the case of SaaS adoption, 'see no evil, hear no evil' is not going to work. If your company isn't tracking SaaS adoption by employees, you can very quickly incur unplanned liabilities.
In the example above, the team should not have been using an individual licence on the file-sharing service for a business project; the backlink tools didn't allow more than one user to use the same account; and the sales team had uploaded lots of customer data to the CRM tool, despite it never having been checked for data-protection compliance.
Again, the problem was not even that the SaaS apps had been adopted without the company's knowledge. This was a relatively small business. Everyone knew which apps were in use. But for some reason, it never clicked that cloud apps should be validated, monitored and audited in the same way that the — relatively small and tightly controlled — list of on-site software was.
It wasn't until we audited the network to discover what was in use, by whom, and how fast it was spreading, that the company became aware of the problem. Apps were being used more widely than they realised, potentially incurring unplanned licence costs. Far more people than they'd realised were uploading sensitive customer data to the cloud. And all of this had happened while the management and IT were watching but without either fully realising what was going on.
If, having read this, you've already started tapping out an all-hands email telling everyone to immediately stop using SaaS apps that haven't been assessed for compliance, please don't press 'send' just yet. Many of those apps may well be critical to the success of your business. After all, there's a reason why your colleagues adopted them.
The answer is not to ban the cloud; that would be a step backwards. The answer is to use technology and implement processes that let you vet, monitor and control cloud apps and cloud adoption. This cuts out the risk of non-compliance but still allows your employees to use the best tools for the job at hand.
To find out how Ampliphae can help take control of the cloud, email me today: firstname.lastname@example.org