What is Shadow IT and why you need to know about it.
In Australia and worldwide, the pandemic has moved the dial significantly on digital transformation, pressing fast-forward on trends towards cloud adoption, remote working and mobile device usage. The rate of new technology adoption and the changing ways in which we use technology are both expected to continue at an amplified pace over the medium term, with many changes fundamentally locked in over the long term.
Australians are working from home far more than they were before the pandemic and they expect this pattern to continue, according to data released this year by the Australian Bureau of Statistics (ABS).
As remote working continues, Forcepoint took a closer look at how the shift to working from home has impacted people’s behaviours and attitudes, shining a light on the staggering number of Australians taking risks and resorting to the use of Shadow IT to perform their daily duties.
Risky tech behaviours
Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. It has grown exponentially in recent years with the proliferation of easy-to-use, easy-to-adopt cloud-based applications and services, with users, teams and even business units taking these up without the oversight of IT or cyber security. In a day-to-day context, Shadow IT ranges from the use of common applications such as Dropbox, Slack, and Google Docs, to sharing devices or connecting to professional networks with personal laptops, tablets, and smartphones, in a way that is either not supported by, or explicitly banned by, a workplace.
The research from Forcepoint revealed that more than half of Australian workers (52%) are using their personal devices to gain access to their employer’s documents and services while working remotely, 40% use personal email or file-sharing cloud services for work purposes, while another 29% use a personal backup device to save corporate data.
It also shows that of those users who do use their corporate devices, again more than half (53%) use their corporate devices at home for personal use, and, even more concerning, a further 19% allow other members of their household to do the same.
Without intervention, all three of these behaviours could expose the business to significantly increased cybersecurity risk.
The lure of convenience
When asked why workers resort to Shadow IT, the key contributing factor is the need for speed and simplicity. The data shows that 35% of workers find company policies make it difficult to do work well and efficiently without Shadow IT, and the same proportion say they need Shadow IT to get their job done. This number jumps to 43% when examining those who hadn’t worked from home prior to the pandemic.
It is worth noting that remote workers tend to use Shadow IT not out of malice or carelessness, but in a bid to be more productive and save time. Australian workers aren’t ignorant of the risks they’re taking. In fact, the majority of workers say they understand the cybersecurity processes for using devices like tablets and smartphones (68%) and that they received additional training or reminders on cybersecurity from their organisation (59%).
One of the most common reasons employees engage in Shadow IT use is simply to work more efficiently. For example, an employee may decide to use a file-sharing application they find more effective, such as Dropbox or Hightail, than the one officially permitted by the company.
In the home setting, access to and use of Shadow IT is even easier than in the office, with organisations often having far less ability not just to control it, but even to detect it.
Managing Shadow IT
The pandemic has demonstrated that technical flexibility is possible when required, and the sudden shift to online working did result in a wholesale review of policies and processes. What was impossible one day became possible the next. This can bring many benefits, allowing a reframing of policies, risks and technology that would normally take a lot longer to achieve. When Shadow IT is brought into the light, it can in fact lead to great innovation and improved productivity. The key is in understanding Shadow IT, how it affects your workforce and their day-to-day activities, and how you can secure it.
1. Understand user behaviour
Business leaders need to learn to accept that people will bend rules, and in some cases will make mistakes. It is imperative to work with employees to ensure they truly understand cybersecurity processes and systems, through training and having leaders model appropriate behaviour. Beyond this, technology can help leaders gain visibility of, and better understand, user activity and behaviour across systems. This can help businesses identify risky users quickly and mitigate the impact of mistakes or vulnerabilities before the entire business is adversely impacted.
2. Establish Guidelines
The focus should be on uncovering Shadow IT uses and re-setting company policies where required, meaning that employees are not operating in the dark but in a sanctioned and supported way. It is critical that organisations have a mechanism to report and request the tools they want to use or are already using, so that they gain the much-needed visibility but also foster a relationship of trust and openness. Despite the growth in Shadow IT, positive interventions from business leaders can support and guide workers who are struggling with the changing nature of work. Establish clear guidelines and ensure your employees understand what is permitted, as well as the potential risks of bringing new Shadow IT into the business.
This increases the likelihood that critical data, and where it resides, is identified, defined and appropriately protected.
3. Weigh up the risks
Understand that not all Shadow IT software and services used outside of your control are equally risky or dangerous. Weigh up the risk by leveraging an objective and comprehensive registry of cloud services to identify the highest-risk services in use and address those first; prioritisation is key to rapid risk reduction. Then decide whether complete prevention of access is necessary, and whether it can be done within your existing infrastructure (e.g., endpoint and security service edge controls like UAM, CASB, DLP, NGFW and SWG), or by identifying users and requesting that they cease using the services or use an alternative option.
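The three steps above (gain visibility of user activity, uncover which services are actually in use, rank them against a cloud service registry and decide on an action) can be worked through on web proxy logs. The following is an added example written for this page, not Forcepoint's code or product logic: the service registry, its risk scores, the proxy log format and the action thresholds are all constructed for illustration.

```python
"""Discover and prioritise Shadow IT from web proxy logs (constructed example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed registry of cloud services (hypothetical entries and scores, not a real
# vendor registry): domain -> (service name, category, risk 0-10, sanctioned by IT?)
SERVICE_REGISTRY = {
    "dropbox.com": ("Dropbox", "file-sharing", 5, False),
    "hightail.com": ("Hightail", "file-sharing", 6, False),
    "slack.com": ("Slack", "collaboration", 3, False),
    "docs.google.com": ("Google Docs", "collaboration", 4, False),
    "webmail.example": ("Personal webmail", "webmail", 8, False),
    "sharepoint.corp.example": ("Corporate SharePoint", "file-sharing", 1, True),
}

# Constructed proxy log (hypothetical format): <timestamp> <user> <method> <url> <bytes sent>
SAMPLE_PROXY_LOG = """\
2021-09-01T09:01:12Z alice POST https://www.dropbox.com/upload 5242880
2021-09-01T09:03:40Z bob   POST https://www.dropbox.com/upload 1048576
2021-09-01T09:05:02Z carol GET  https://app.slack.com/client 2048
2021-09-01T09:07:19Z alice GET  https://app.slack.com/client 1024
2021-09-01T09:10:55Z dave  POST https://www.hightail.com/upload 20971520
2021-09-01T09:12:30Z bob   POST https://mail.webmail.example/send 307200
2021-09-01T09:15:44Z erin  POST https://sharepoint.corp.example/upload 8388608
2021-09-01T09:18:03Z frank GET  https://intranet.corp.example/home 512
2021-09-01T09:20:11Z carol GET  https://docs.google.com/document/d/abc 4096
"""


@dataclass
class ServiceUsage:
    name: str
    category: str
    risk: int
    sanctioned: bool
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0  # data uploaded by clients (POST/PUT bodies)


def lookup_service(host):
    """Match a hostname against the registry, walking up parent domains so that
    app.slack.com matches the slack.com entry. Returns (registry key, entry) or None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        key = ".".join(labels[i:])
        if key in SERVICE_REGISTRY:
            return key, SERVICE_REGISTRY[key]
    return None


def parse_proxy_line(line):
    """Parse one constructed proxy log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, url, bytes_out = parts
    host = urlsplit(url).hostname
    if not host or not bytes_out.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host, "bytes_out": int(bytes_out)}


def discover_services(log_text):
    """Aggregate traffic per registry service: distinct users, requests, bytes uploaded."""
    usage = {}
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        hit = lookup_service(rec["host"])
        if hit is None:
            continue  # unknown destination: not in the registry, leave for manual review
        key, (name, category, risk, sanctioned) = hit
        svc = usage.setdefault(key, ServiceUsage(name, category, risk, sanctioned))
        svc.users.add(rec["user"])
        svc.requests += 1
        if rec["method"] in ("POST", "PUT"):
            svc.bytes_out += rec["bytes_out"]
    return usage


def prioritise_shadow_it(usage):
    """Unsanctioned services only, ranked by registry risk weighted by the number of
    users, with uploaded volume as the tiebreaker, so the highest exposure comes first."""
    shadow = [s for s in usage.values() if not s.sanctioned]
    return sorted(shadow, key=lambda s: (s.risk * len(s.users), s.bytes_out), reverse=True)


def recommend_action(svc):
    """Hypothetical thresholds mapping risk to the responses the text describes."""
    if svc.risk >= 7:
        return "block at SWG/CASB and notify users"
    if svc.risk >= 4:
        return "contact users and offer a sanctioned alternative"
    return "monitor and consider sanctioning"


if __name__ == "__main__":
    for svc in prioritise_shadow_it(discover_services(SAMPLE_PROXY_LOG)):
        print(f"{svc.name:<20} risk={svc.risk} users={len(svc.users)} "
              f"uploaded={svc.bytes_out // 1024} KiB -> {recommend_action(svc)}")
```

In a real deployment the registry would be the organisation's chosen cloud service catalogue and the log source the SWG, CASB or NGFW already in place; the ranking is what matters, since it turns a long list of discovered services into a short list to address first.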
In a recent report, the Australian Cyber Security Centre (ACSC) highlighted a 13 percent jump in cybercrime in the past year, with one in four attacks directed towards critical infrastructure and services, as more and more people are working from home during the pandemic. With cybercrime continuing to rise, it’s imperative for Australian businesses to take the necessary steps to better protect themselves and their infrastructure from common online threats and cybercrime.