Shadow IT is a genuine problem for many organizations. Most of us are probably guilty of it to some degree, particularly if we use our own smartphone or device for work. It may be just checking business emails on a personal smartphone or a music app on your work laptop. But for the IT team, this kind of seemingly innocent circumventing of the rules can be a real headache and a genuine threat to the integrity of corporate data.
How did we get here?
Let’s take a step back before anyone starts pointing fingers. Shadow IT usually starts out without any malice whatsoever. Here are some common scenarios. The ‘official’ applications we use at work may not be as responsive as other similar apps that we already use, or they don’t have the features we want. So, we download and install an app that we’ve used at a previous job. Or how about the cool new music app or camera filter that we want to try out? And the browser plug-ins that block ads, save our passwords, or help us with spell checking. There are so many ways that Shadow IT can creep into our working lives. Even well-known apps such as Slack and WhatsApp started out as being self-provisioned apps, but their popularity has eventually forced the hand of enterprises to roll them out strategically.
The issue of bringing your own device (BYOD) complicates Shadow IT even more, especially on mobile. When you think about it from the employee’s perspective, BYOD gives users the freedom to choose the devices they prefer, running on the operating system they are most comfortable with and putting all the apps and content they like right at their fingertips. It also means not having to carry multiple devices for business and leisure.
On the downside, IT teams have very little control over what applications get installed on BYOD devices. And they have even less visibility into what’s happening on those devices. What other applications are being used? Have the devices been upgraded to the latest version of OS? Have they been patched with the most recent security updates? What permissions do the other apps on the device have, and where are they sending data? Are those apps even legitimate, or do they contain damaging malware? The list goes on.
We’ve all heard that security can only be as good as the people who use it. So, it comes as no surprise that most breaches today are the result of human error.
One of the biggest culprits is phishing, along with its cousin, pretexting (pretending to be someone else in order to steal private information). Together, these are believed to account for over 90 percent of social-engineering breaches. It’s easy enough to fall into the trap: one accidental click on a legitimate-looking link in an email, text or even a WhatsApp message, and the device has downloaded malicious code.
Another well-documented but still very avoidable error is the re-use of passwords. This is particularly risky if the employee uses the same passwords to access both private and work-related applications. Researchers have found that around 60 percent of us prefer to recycle passwords across various accounts (or, even worse, use simple, very obvious passwords) rather than using a password management tool or regularly changing passwords as a good housekeeping habit.
Focus on user experience and training
There are several things that organizations can do to minimize the threat of Shadow IT.
First and foremost, listen to employees before making a big decision about any solutions the company implements on a wide scale. Mandating the use of specific tools without evaluating their impact on workflow is a huge mistake that many companies make. It’s particularly important to take user experience into account, so avoid any candidates that are likely to hinder employee productivity in any way.
The second thing to implement is regular training. If our devices and data lived in a protected bubble, this would be unnecessary, but because Shadow IT and BYOD in general bring so many variables to the security equation, reducing the human-error factor is vital. It’s important to give employees a refresher on phishing and how to recognize these attacks. It’s also wise to mandate that employees use unique passwords and change them regularly. Train them not to let other people use their devices, and make sure that users have data access privileges that match their needs.
At the end of the day, restrictive compliance and a lack of internal communication have the biggest negative impacts on employee experience, and can quickly result in a prevalence of Shadow IT. If we listen to what our employees need, observe how they like to work, and train them on how to react when potential breaches appear, our organizations will be much better equipped to avoid attacks.