Businesses can take specific steps to combat the cyber security risk that shadow IT creates in a remote work environment.
With so many people working from home these days, IT teams have less control over the devices being used to access company networks and resources. Shadow IT in the remote working environment is running rampant as people have grabbed a hodge-podge of solutions to get work home. When they can’t get what they need or find what they need with company resources, they feel forced to find other alternatives.
It’s caused a myriad of security problems. Rather than using approved communication software, such as Microsoft Teams, people flocked to Zoom for video conferencing despite some security researchers calling it a “privacy disaster” during the early days of the pandemic. Many users failed to follow company security protocols and inadvertently exposed company data and networks to unnecessary risk.
It can feel like a losing battle. Even when everything’s in place, nearly a fifth of employees admit to not following security policies all the time. When Shadow IT is being employed, it’s an even bigger threat.
Managing, Monitoring, and Training
The best way to deal with Shadow IT is by putting in place systems to manage, monitor, and train employees on IT security.
Managing IT in a Distributed Workforce
Of course, the best approach is to use modern workplace tools, such as Microsoft 365, that provide a software suite to accommodate most business uses. When tools are tightly integrated, it makes it easier to work across apps and provides consistent data. It’s also easier to manage when everybody’s working off the same platform.
When workers are using company devices and working in the office, you have much greater control. You can restrict what software is installed. When they’re at home – especially if they’re using their personal devices – you’re giving up much of that control.
You can prevent any adverse action they take at home in a couple of ways:
- Using mobile device management software that segregates personal data and applications from approved company apps
- Requiring users to securely remote into their on-premises workstations and use app and access files just as if they were sitting at their desks
- Completely virtualize your operations in a secure cloud environment
No matter which approach you use, you need to pay close attention to identity and access management (IAM). Using the principle of least privileges, users should only have access to the software and data that’s necessary for them to do their job. This limits access in case an unauthorized user or threat actors gains access using their device or credentials.
Maybe the most critical role when it comes to data security is for developers. This is because they may have access to some of your most critical infrastructure. Compounding the potential for disaster is when those developers are freelancers. For example, let’s say you hire a PHP developer to help build new functionality for your customer facing app. That developer could gain access to things like sensitive customer data and backend software that’s critical to running your business. Even if they don’t have bad intentions, the third-party SaaS software they use can be the bridge that lets cyber criminals in.
IT teams should use a Zero-Trust approach for all contractors and employees, regardless of where they work. This requires an additional layer of authentication before users can connect to your network or critical applications. Consider two-factor or multifactor authentication if possible.
Monitoring Workflow for Remote Teams
Monitoring your network 24×7 to provide the visibility you need. Traffic logs can help identify which applications are running and who’s using them – or not using them. For example, if you’re company wants employees to use SharePoint for collaboration and you see that certain employees aren’t using it, you know they’re not following the procedures.
Monitoring helps you to:
- Identify user behavior and traffic patterns
- More easily identify threats (and respond)
- Discovering unauthorized assets
When you see an increase in employee’s use of Shadow IT, in particular, it can signal one of two things:
- You’re not providing the tools employees need to work productively
- Employees need access and training to the tools the company does provide
Either one deserves some attention.
Training Employees on the Risks of Shadow IT
When people are working from home – and often using their own devices – it’s much more difficult for IT teams to monitor their usage. Home workers often download free software from a variety of sources without asking for permission or thinking there’s anything wrong with doing it. Some of it contains malware. Other software might have flaws that can open your network to potential threats.
They’re also using their home internet or Wi-Fi connection and may or may not have routers or firewalls installed to filter traffic. Even if they are, they may not be configured properly. Firmware may be out-of-date or even end-of-life, which can create new attack vectors for threat actors.
Then, there’s the weak password problem. Despite the best efforts of IT professionals worldwide, people still use poor password security. Even if they take better precautions at work, many people aren’t doing it at home. That’s why passwords like 123456, 123456789, and password are still the most among the most commonly used passwords. This can’t continue.
A problem specific to Shadow IT is that employees may be using it to access company data, or plugging in data using a third-party application. You have no control over what happens to the data once they do or how seriously the app provider takes security. Now your data is at the mercy of an app provider that you haven’t authorized.
Not all Shadow IT is a high risk, but a lot of bad things can happen if users aren’t taking the proper precautions. You need to educate your employees on the risks their new work at home environment poses and provide guidance on how to mitigate the threat. This includes discussing the risks of Shadow IT and what software is acceptable for use.
How big a problem is Shadow IT in today’s remote work environment? Nearly half (47%) of IT professionals surveyed said shadow IT represents a major problem for their organization.
To mitigate the risks, IT teams need to focus on the three steps we’ve outlined; manage, monitor and educate.
Matt Shealy is the President of ChamberofCommerce.com. Chamber specializes in helping small businesses grow their business on the web while facilitating the connectivity between local businesses and more than 7,000 Chambers of Commerce worldwide.