For decades, enterprise technology teams have had iron-fisted control over what applications, devices, and solutions were deployed throughout the enterprise. Employees had little—if any—access to alternate solutions that could align better with their specific work requirements, other than what the IT teams had dictated. However, today’s astute workforce has platforms to solve virtually every conceivable problem at their disposal, with nothing more required than an email address and (sometimes) a credit card, and this fact is fundamentally transforming how companies must look at risk.
While most organizations would admit that “shadow IT” was a rising concern pre-pandemic, the blind eye that many employers turned during the two-plus years of work-from-home has significantly exacerbated the issue. The challenge of under-sized VPNs, outdated authentication practices, and the general inconvenience of long-term remote access has prompted employees to find whatever workaround they could, simply to make their day-to-day life easier.
Now that all those employees are returning to the office, the services and functionality they have grown accustomed to are also coming into the infrastructure. The dual challenge of that movement involves first integrating the known services that they require (such as Zoom and Microsoft Teams) into the infrastructure, and second determining what additional, unknown services are being used.
The crux of the issue boils down to the risk of employees storing sensitive information, be it business plans, marketing strategies, customer or patient records, or credit card data, in an unsecured third-party environment. Historically, policies have prevented using such solutions, resulting in security teams attempting to use web gateways or proxies to limit employee access to these services, with only moderate success.
While we could chastise employees for violating policies that they should have known, the fact is, they were simply making decisions based on the inadequacy of what they were given to work with. Technology implemented on the presumption that it would be used from within the corporate network is suddenly inadequate when employees are far-flung. However, deadlines are still in place and deliverables must be delivered, leaving employees no other choice than to leverage external services.
As all of those employees come back into the office, they are bringing their Smartsheet, Lucidchart, Jira, and Zapier functionality back with them as if it belonged there. Discord chats are resolving production issues, WeTransfer is delivering marketing content to third parties, and Dropbox holds a year’s worth of sales and client reports.
Too often, as people who tend to think of risk first, security teams are quick to blame users for not doing what they are “supposed” to be doing. However, when the average user needs to choose between meeting a deadline and making their boss happy, or following security protocol, they will almost always choose the former. After all, performance reviews are evaluated by on-time deliverables, revenue generation, and customer satisfaction—but usually not on adherence to security processes. No one should be surprised when employees make decisions based on productivity rather than risk.
Interestingly, while many organizations are now adopting these previously forbidden services, they continue to struggle with moving their employee base from the insecure versions to the approved ones. The primary reasons for employee reluctance are twofold: they are comfortable with what they have, and they don’t know how to register for or use the new service.
The bottom line here is that employee decisions are a huge piece of the cybersecurity puzzle, and that curation and guidance of these decisions must be closely considered.