Is this a bad idea? Learn about the pitfalls of shadow IT and what organizations should be doing to address lax security versus productivity.
As a system administrator I’ve dealt first-hand with increased security controls during the coronavirus pandemic. The need for remote work access has gone hand in hand with the need to ensure such access is fully secured.
Measures I’ve worked with have included providing company-owned laptops to users (which are the only devices permitted to connect to the VPN), multi-factor authentication (MFA), VPN timeout settings requiring network reauthentication within a specific time frame, mandated mobile device security settings for employee phones with access to company applications or data, network segregation, and soft tokens with biometric access to internal company resources.
None of these practices has proved particularly cumbersome, with the exception of network segregation, which requires the use of an internal “jump box” to connect to certain resources not directly available on the VPN. However, that is a trade-off most employees—including me—are more than willing to make to not have to deal with a commute or a potential coronavirus exposure.
Unfortunately, some companies have gone the other way on security, whether through their own intentions or employees taking alternate routes to get what they need done. Auditing and monitoring for potential security issues, implementing strict policies and guidelines, ensuring standardization of access, applications, tools and devices, and conducting rigorous periodic employee education are key elements to keeping security priorities from sliding into an abyss.
I spoke with Matt Davey, CXO at 1Password, a password manager provider, about recent security concerns. The company did some research earlier this year that pinpointed some of the security concerns involving shadow IT. The research found a majority of users had created business-related accounts which their IT departments didn’t know about, a third reused memorable passwords and nearly half used similar passwords.
Since 80% of data breaches involve insufficient password hygiene, it’s obvious that lax security protocols such as these can pose significant risk, and in this era of remote work the saying “you can’t manage what you can’t measure” applies.
Scott Matteson: What security protocols have been relaxed by some organizations?
Matt Davey: Our research didn’t cover specifics, but we do know that the switch to remote work directly resulted in shifting priorities around security protocols. Of the 73% of firms which transitioned all employees to a work-from-home setup, 29% reported relaxing some security protocols and requirements. And to break that down even further, 46% of SMB firms report relaxing some security protocols and requirements, compared with just 19% of large firms.
Scott Matteson: What was the rationale for this?
Matt Davey: At the end of the day, it comes down to productivity. Forty-six percent of those we surveyed said that the relaxed protocols were due to two factors: employees getting more done when they manage their own software, and employees pushing back against strong security protocols.
The first is, of course, explicitly about productivity, but the pushback also boils down to productivity.
The resistance to stronger security stems from this perception that it interferes with getting things done. Four in five workers say they always follow their company’s IT policy, which means one in five don’t. That aligns with one of our major takeaways, that just 20% of workers account for all shadow IT activity (the use of unauthorized software without IT approval). Those who bypassed IT cited productivity as the number one reason for doing so.
Similarly, about 16% of employees say convenience is more important than security.
Scott Matteson: What was the outcome? Was there any increase in security incidents?
Matt Davey: Our research didn’t get into specific incidents, but when you look at the data, a clear picture emerges.
Similar to its impact on other areas, the pandemic didn’t so much create new trends as accelerate existing ones. In the 12 months prior to our research (conducted in March 2020), 63.5% of workers had created at least one shadow IT account. When the pandemic hit, everyone was scrambling to adjust to a remote setup, which meant seeking out new software to accommodate those new workflows. So, there’s little doubt that there’s been an uptick in shadow IT accounts being created during the pandemic.
Scott Matteson: How long is this expected to go on?
Matt Davey: As long as this remote work moment lasts, this will continue.
We’re not going back to the way things were anytime soon. Many companies are looking at their office space and wondering why they were paying those expensive leases in the first place. Some have already given their employees the option of working from home permanently.
That being the case, I think it’s more helpful to talk about the new normal, rather than things going back to the way they were. Again, this is the result of things that were already happening. In our research, 64% of employees said their company was prepared for the switch to remote work. That means that many saw the writing on the wall and had made the proper investments before COVID-19 turned the world on its head.
And now that that initial investment’s been made, those firms can focus on optimizing for a future in which remote work is, if not the default, certainly a much bigger part of the picture.
Scott Matteson: Are there any proposed or confirmed remedies you might recommend?
Matt Davey: It’s easy to say that the right balance of productivity and security will be different for every company, but I want to go further and reframe that conversation altogether. As WFH reconfigures our entire infrastructure, pitting security against productivity becomes less helpful.
Instead, we should think about IT becoming more of a trusted business partner. That means letting workers choose their tools and accommodating them—their stated goals of getting more done in the name of the business are what we all want, after all.
At the same time, if you’re putting more control into the hands of business users, you should also be teaching them how to do their work securely, so education becomes key. Poor password practices are related to a significant majority of attacks, so nailing the fundamentals of security best practices for end users can have a big impact.
Not surprisingly, I recommend an enterprise password manager to make the fundamentals of proper password hygiene easier than the alternative. And I’m not the only one who sees strong password management as the lowest-hanging fruit in this new world: among IT departments that have deployed a password manager, 56% said they did so to make it easy for employees to use strong passwords. Thirty-two percent did so to make it easier for employees to use the software they want to use to get things done.
Scott Matteson: What’s going to happen in the future?
Matt Davey: As I said, WFH is here to stay. Upwork recently announced the results of a 20,000-person survey in which as many as 11.5% of workers plan to move because they can now work from home more often. That’s huge. Now, not only can firms dip into a larger pool to find talent, the flip side is also true—workers will have more options than ever since they’re not limited to a particular location. That means that firms will need to be more flexible in their WFH accommodations to stay competitive and attract top talent.
As that happens, I expect a significant shift in the way that IT operates. They’ll need to form trusted partnerships with their business counterparts, taking on more of an advisory role. That requires IT becoming more integrated into the business side of things, which is a pretty drastic departure in how IT departments operate day to day right now.
For example, at the moment Identity and Access Management (IAM) is a huge time suck. According to our research, IT spends 21 days (a full month!) every year performing simple IAM tasks like resetting passwords. I expect they’ll be more than happy to leave those days behind.