Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
In the rush to digitise, many organisations are finding themselves struggling to plug a whole new fountain of cyber vulnerabilities stemming from shadow IT.
In a nutshell, shadow IT is when staff use hardware or software that’s not whitelisted or managed by an IT department for work purposes.
Despite the ominous name, shadow IT isn’t shady or malicious. Many employees simply find it more convenient to use apps or hardware that are outside the IT department’s remit. Shadow IT is a bit like your employees hacking your own organisation, but to improve productivity. It could involve anything from using their personal machines, a free app to quickly share files, joining a video call on a different platform or just checking messages on their phones instead of their work laptops.
Especially since everyone shifted to working remotely, the number of cloud services and apps the typical office employee uses has ballooned, with workers routinely using them without involving the IT guys at all.
While well-intentioned, using ad-hoc software and devices willy-nilly can be problematic from a cybersecurity standpoint. You don’t know what vulnerabilities they might introduce into your network, or where the data goes.
‘Home’ and ‘work’ devices are blurring together
As the lines between work and personal devices get fuzzier, we’re seeing devices like laptops and smartphones become a growing security risk. According to a study by insurance provider PYB, one in five employees in the UK has downloaded commercially sensitive or confidential company files on a personal device while working from home.
Mimecast's research report surveyed more than 1,000 businesspeople around the world and found that 73% of employees regularly use their company-issued devices for personal activities.
Smartphones are also becoming a major point of vulnerability. One of the reasons for this is that though work laptops are commonplace, relatively few workers have dedicated ‘work’ smartphones. With most office work now taking place beyond the strictly-enforced security perimeter of the office, employees are accessing back-end corporate infrastructure from the same devices they use for chatting, browsing social media, and online shopping.
This is not a small issue. Compared to smartphones, it’s easier for desktop and laptop users to avoid attacks via social media and to spot email-based spear phishing and spoofing attacks. Laptops tend to have better security in place (which can be managed remotely by an IT team), and a bigger screen means it’s easier to spot suspicious URLs and fake webpages.
The tiny screen size and mobile-optimised settings on smartphones make it much harder to spot the key signs of a phishing email or scam webpage. As an example, mobile browsers generally don’t show the full URL, and they may not make a website’s SSL certificate details visible. You can’t hover over a hyperlink to see the address behind it, and the shrunken-down graphic elements like buttons and call-to-action boxes make it harder to tell whether they’re real or fake.
Then there’s the attention factor. People often use their smartphones while walking, talking or working, which means they’re already distracted. And with the tiny text on the screen, they may not always read every line of an email or text as carefully as they should, greatly increasing their risk of clicking on a malicious link.
How to bring shadow IT under control
The key to controlling shadow IT is to address the cause, not the symptoms. Your workers are turning to alternative devices and software for a reason, and trying to ban or block them without providing a safe alternative will just cause resentment and frustration. You need to investigate what functions and services your workers need in their day-to-day work, and help them transition to whitelisted solutions gradually.
The next step is training, training and more training. There is no tool that can prevent human error, no matter how many alerts or notifications pop up on users’ screens. Using VPNs, firewalls and strong passwords, and raising awareness of how phishing and email scams work, are some of the most important steps you can take to minimise the security risk of shadow IT.
It’s also important to help employees see the big picture. A breach or malware infection won’t just affect their work, but the entire organisation. All it takes is one misguided click to bring your entire organisation down and put everyone’s jobs and safety at risk.
Your employees should also have a say in what hardware or software your company uses because, in any organisation of any size, there are likely multiple use cases for the same technology. The last thing you want is to mandate the use of certain tools, only to find out that people still turn to shadow IT to get their day-to-day work done.
Learning from shadow IT
An assessment of your shadow IT footprint can reveal some interesting insights about how your people work. It can help you discover new ways to optimise workflows and processes and improve productivity. It all comes down to enabling your people to do their best work and implementing technology that can help them do their jobs more effectively. It’s also important for your IT people to understand what features your workers need from their tools, and how they can safely provide that functionality to them. There will always be some degree of shadow IT, especially in a remote working world. And that’s okay, as long as your people understand the risks and your IT teams can ensure a reasonable degree of cybersecurity for the data involved.