Shadow IT and Device Sprawl Fuel Fears Around Lack of Control

JumpCloud Inc. today released the results of its Q3 2024 SME IT Trends Report, “Detours Ahead: How IT Navigates an Evolving World.” The seventh edition of the report provides new insights around the challenges and opportunities facing IT teams at small and medium-sized enterprises (SMEs). It covers topics such as:

• The growing threat of shadow IT and AI
• How teams manage complicated device and IT environments
• The relationship between IT and managed service providers (MSPs)
• IT professionals’ biggest fears and wants

JumpCloud commissions this survey twice a year to stay on top of the latest challenges, trends, and experiences of IT professionals. This edition surveyed IT teams from the U.S. and the U.K.

“IT teams are dealing with many obstacles. They face uncertainty about economic conditions and elections. There are growing security threats, complex tech stacks, and device varieties. Despite this and more, IT admins are resilient and resourceful,” said Greg Keller, co-founder and chief technology officer. “What’s keeping them up at night is what they can’t see — 84% of IT admins worry about shadow IT. To help combat the security holes shadow IT creates, IT needs to deploy tools to help spot rogue apps. This will give IT teams the control and visibility they need to keep organizations safe.”

The rise of shadow IT and the need for admin control

Shadow IT creates security holes. It also creates compliance violations, data loss risk, and fragmented, inefficient IT. As cloud applications increase and AI use grows, IT teams want to mitigate risks by identifying and managing unauthorized apps and resources. Centralizing IT empowers admins to enforce security policies. They could also enforce access controls and data governance across their whole IT system.

• Lack of visibility and control are creating substantial concerns. Eighty-four percent of SMEs are concerned about applications managed outside of IT (i.e., shadow IT), with 35% reporting they’re very concerned. When asked what has prevented them from addressing shadow IT, 36% say they have more important priorities. Thirty-one percent say their business users move too fast to keep up with their needs. Thirty-two percent say they don’t have the ability to discover all the applications used by employees. Twenty-nine percent say they lack partnership and communication with business partners, and 24% say they don’t have a SaaS management or asset management solution to manage shadow IT.
• SMEs experiencing a steady stream of cyberattacks. Nearly half (45%) of SMEs have been the victim of a cybersecurity attack in the first half of 2024. Of those, 28% experienced two attacks, 17% have experienced three, and 5% suffered three or more. The most common source for cyberattacks was phishing (43%), followed by shadow IT (37%), stolen or lost credentials (33%), and a breach in a partner’s organization (30%).
• IT admins are struggling to keep organizations safe. Forty-nine percent of IT teams say that despite their best efforts, their organization lacks the resources and staffing to secure the organization against cybersecurity threats.

Also read: Five Data Security Controls Every Business Must Have

Managing a mixed environment in uncertain times

Flexibility and support are key for organizations with global employees using a variety of different devices. Admins expect to continue supporting such variety. But, without the ability to centrally manage devices, organizations face security risks. These come from workers’ abysmal security practices or unauthorized devices accessing company resources.

• SMEs continue to support a diverse device environment. The average SME allows their employees to use a variety of devices. The average device landscape is made up of 24% macOS devices (up from 22% in Q1 2024), 18% Linux devices (down from 22%), and 63% Windows devices (up from 60%).
• Such variety of devices and a growing number of digital identities has admins continuing their plea for a centralized IT. Eighty-four percent of IT teams prefer a single platform to manage user identity, access, and security over many best-in-class point solutions.
• Too many credentials are causing chaos. Nearly half of IT admins (45%) require five to 10 tools to manage the worker lifecycle, and over a quarter (28%) need 11 applications or more. This is because of dilemmas like legacy systems and complicated integrations. Only 26% of employees can access all their IT resources with just one to two passwords. Nearly 17% have to manage 10 or more.

Keeping up with security

Security continues to be the number one challenge facing IT teams as cyberattacks increase in both frequency and sophistication. IT teams have worked hard to prepare their organizations to withstand the threats by staying on top of best practices and tools. But it’s a lack of visibility, control, and easy management of employees and their devices that continues to vex them.

• Security fears dominate. Sixty percent of SMEs consider security the biggest IT challenge, followed distantly by new service and application rollouts (42%), the cost of solutions necessary to enable remote work (40.8%), and device management (39%). The four biggest security concerns are network attacks (40%), followed by software vulnerability exploits (31%), ransomware (31%), and shadow IT (29%).
• The threat is rising, as are worries about security budget cuts. Half (50%) of IT teams report being more concerned about their organization’s security posture than they were six months ago, down slightly from the 56% who said the same in Q1 2024. Seventy-one percent say any cuts to their security budget would increase organizational risk.
• SMEs still need to securely manage passwords. While the industry pushes for passwordless authentication, 95% of respondents use passwords to secure at least some IT resources.

Making more out of the MSP relationship

The steadfast relationship between managed service providers (MSPs) and SMEs continues. While MSPs are seen as delivering better security, productivity, and cost-savings, there are also signs that SMEs are starting to expect more from their MSP partners.

• MSPs are a critical tool for SMEs and investment is expected to increase. Seventy-six percent of SMEs rely on an MSP for at least some functions, the same as the 76% who reported so in Q1 2024. Over the next 12 months, 67% of SMEs say they’ll increase their MSP investment.
• While MSPs drive cost savings, SMEs report improvements in security and efficiency as the biggest return. When asked about the results of working with an MSP, 56% said MSPs led to better security. Fifty-seven percent said MSPs increased their effectiveness at managing IT, and 37% said they saved money for their organization.
• Not all IT teams are eager to work with MSPs. For the 24% who don’t use an MSP, nearly half say it’s because they prefer to handle IT themselves (47%), and 39% say it’s because MSPs are too expensive.

To be successful, MSPs should keep an eye on security, costs, scale, and customer experience. For all SMEs, including those that use MSPs, 39% have concerns about how MSPs manage security. The main reason SMEs stopped working with an MSP was cost (28%). Next, they outgrew the MSP’s service offerings (26%), moved IT internal (24%), or had a bad customer service or sales team experience (23%).

Also read: Closing the Cybersecurity Skills Gap with MSPs

Balancing the unexpected and unknown of AI 

IT teams hope that AI can streamline operations and are actively preparing to integrate AI into operations. At the same time, admins are also concerned about AI’s impact on security and unsure about how AI may impact their jobs.

• IT teams have a varied response to AI. When asked how their opinion changed in the last six months about how AI will impact their job, 22% say the impact of AI is much lower than they thought. Thirty-four percent say the potential impact of AI is the same but it’s moving slower than they thought it would. Twenty-one percent say their opinion hasn’t changed, and 23% say they feel the impact of AI is even greater than they thought it would be.
• AI fears remain while IT teams work to adopt it responsibly. Sixty-one percent agree that AI is outpacing their organization’s ability to protect against threats. Over one-third of IT admins (35%) say they’re worried about AI’s impact on their job. This is down from the 45% who said the same in Q1 2024.