People, like electricity, tend to take the path of least resistance. Over the last year, businesses around the world scrambled to set up remote infrastructure in order to weather the coronavirus storm. For many employees, the abrupt transition from the office to working fully remote has been a largely unguided experience. According to IBM Security’s work-from-home study, over half of remote employees surveyed haven’t been given any new security policies on how to securely work from home. With over 34% of all employees expected to be fully remote by year-end, I.T. departments are racing against the clock to implement safe and secure remote infrastructure systems that will meet the needs of their employees.
In the absence of proper direction, workers have embraced a hybrid workflow of new remote-work solutions, browser-based software-as-a-service (SaaS) applications, and repurposed consumer tools for communication, file sharing, and collaboration. When combined with BYOD and lax security oversight, these behaviors create the perfect opportunity for malicious external actors looking to profit from cybercrime.
The Threat of Shadow I.T.
“Shadow I.T.” is the general term used to describe applications and devices, largely SaaS, that employees set up and use without I.T. permission or corporate controls. From unsecured devices to public cloud file-sharing and personal e-mail, many remote employees have chosen the path of least resistance and embraced shadow I.T. These highly unsafe work behaviors have the potential to put corporate data at risk, and represent one of the biggest potential vulnerabilities in I.T. today.
Over the next year, enterprise I.T. teams will be forced to effectively reform the rushed systems and infrastructure put in place during 2020, while taking into account the new needs of existing remote workers. This balancing act will require new strategies and approaches to dealing with both security and user behaviors.
According to a 2020 study by CyberArk, convenience often outweighs security for working parents. As people have transitioned into working from home full-time, caring for children and family members can take up more mental space than cybersecurity best practices. As a result, 93% of working parents have reused passwords across applications and devices, and 29% of working parents admitted that they allow other members of their household to use their corporate devices for activities like schoolwork, gaming and shopping. These insecure activities can have major repercussions.
In a recent report by Wandera, 52% of organizations reported experiencing a malware incident on a remote device in 2020, up from 37% in 2019. Even more alarmingly, of devices compromised by malware in 2020, 37% continued accessing corporate e-mails after being compromised, and 11% continued accessing cloud storage.
Imagine that one of your software developers has malware on their laptop. Now you've got them writing essential code on an unprotected device. You have no idea where that code is going. When you publish that code, you may have scrubbed it clean, but someone else could still have it.
The Danger of Unmonitored Data
What many don't recognize is that shadow I.T. isn’t just about someone using their personal Dropbox or Gmail; it's also about giving someone access to a web-based application such as Salesforce and not having control. What happens to that data once it resides locally?
According to a recent study by Netwrix, 91% of organizations claim they store sensitive and regulated data only in secure locations. However, 24% of them admitted they had discovered such data outside of designated locations in the past year.
Creating safe digital environments requires considering the lowest common denominator. With the work-from-home culture not looking to go away anytime soon, it’s increasingly critical to provide employees with solutions that account for some of the less-flattering habits of humanity. If shadow I.T. isn’t seriously considered by corporate I.T. teams and CIOs, then their most sensitive information is in great danger.
All of the hardware and software solutions in the world can’t protect your business if your employees don’t use them. The reality is that if an organization fails to provide the correct tools and training to its employees, they will take the path of least resistance and leave sensitive data at risk. Training people on the tools they’re given is just as crucial as giving them the software in the first place. If it’s too challenging to get the software working, the temptation to just access the company API from Chrome will always be in the back of their minds. Educating employees on best practices, and building an I.T. infrastructure around their needs, should serve as a cornerstone for all CIOs and I.T. departments.
Michael Abboud is founder and CEO of TetherView, a private cloud provider.