With the increasingly frequent and damaging security breaches in the news today, the natural tendency for IT professionals is to run back to the data centre and patch, upgrade, test and make sure that all business data and, therefore, the corporate reputation, is safe. While corporations continue to lock down the enterprise and its users, they often forget one important factor – employees have their own powerful computing devices, their mobile phone. Generally, employees will stop at nothing to make their jobs more convenient and efficient, despite the pesky obstacles put in front of them by the corporate cybersecurity team. It’s similar to comparing users to water and the IT security teams to a rock placed in its path. Water will always find a way to get around the rock and continue flowing forward. One of the ways that the “flow” continues is via shadow IT, which is technology deployed in an organization without the approval of the IT department.
Over recent years, shadow IT has evolved from the threat of employees using unauthorized applications to employees using personal devices for work purposes. Shadow IT brings new security and compliance issues to an organization, as the technology is not subject to the same security processes and procedures that are applied to approved solutions. Since most employees essentially carry a computer in their pocket in the form of their cell phone, it is easy to download apps that enable them to do their jobs easier, even though those apps may not be sanctioned and could throw the enterprise out of compliance. Unapproved apps can also significantly increase an organization’s risk of cyberattack, as Gartner predicts a third of successful attacks experienced by enterprises will be on their shadow IT resources by 2020.
Further, according to eSecurity Planet, “enterprises face a far greater threat from the millions of generally available apps on their employees’ devices than from mobile malware.” Shadow IT was born because it has become so easy to download an app or use a home laptop for both work and personal use as a way around what is perceived to be an obstacle to productivity. This doesn’t mean that employees are trying to be malicious, they simply have more access to ease-to-use, easy-to-deploy technology at their fingertips. In addition, they may simply not know the risks proliferated by the activity on their personal devices.
Maintaining Efficiency and Security
Organizations may be under the impression that they can prevent risky app downloads through corporate policies and mandates. However, the question remains – will employees actually follow these rules? For example, most enterprises, especially those with compliance requirements, will often completely disallow texting. Despite the policy, according to Seyfarth Shaw LLP, even if email is the sanctioned form of communication in the workplace, employees will text. Organizations must have a clear and obvious way to enforce or monitor policy compliance, including how employees communicate over text. In many situations, employees download free apps like WhatsApp to communicate in confidence, which is often not sanctioned. The reality unfortunately is that “in confidence” is only partially true, since once delivered, the recipient of text has the information stored on their device, can forward it to anyone, or post it on Facebook for the world to see. Once “send” is hit, control is lost.
Organizations risk data breaches and compliance issues by allowing such unsecure applications to be utilized. On the other hand, by deploying an approved, secure texting solution, the enterprise can embrace the need to discuss sensitive matters via text. Today’s modern secure messaging solutions ensure that communications are secure, confidential and compliant to meet enterprise requirements.
With a secure messaging platform, users can still leverage the convenience and instantaneous nature of texting, while accommodating the enterprise’s needs. CIOs must stay on top of the needs of the business and the users, and provide staff with easy-to-use sanctioned solutions that can minimize the need for shadow IT. Organizations must then also realize that:
Policies need to be enforceable and reasonable
- Training must be given to the user community on a continuous basis
- Employees should be encouraged to bring apps that can help business productivity to IT’s attention
The bottom line? In today’s mobile-driven environment, IT must be seen as business enablers, not the rock in its path.
(Article originally published on ENTERPRISECIO by Galina Datskovsky on October 24, 2017)