Shadow IT Adds to Remote Work Security Risks
The pandemic and resulting remote work have revived concerns surrounding shadow IT
Two of the biggest challenges for IT departments and digital transformation in 2020 were the move to remote work and cybersecurity. IT, security and leadership teams had to make sure all employees who could work from home had the equipment and technology necessary to do so and as safely as possible. This was often easier said than done.
Remote work revived the concerns surrounding unmanaged shadow IT. Shadow IT never disappeared, but WFH made it clear that having any unmanaged tech connecting to the network would create serious risk. According to new research from Snow Software, 72% of IT leaders and 52% of employees agreed that security is the biggest issue when it comes to unaccounted for and unmanaged technology.
However, while a majority of IT leaders felt their organization was managing, monitoring or securing their technology resources effectively, employees seemed slightly less confident. This seems like a flip from the norm, especially with security in remote work; you’d expect the security and IT teams to be the ones who worried that cybersecurity would be taken less seriously when workers shifted from onsite to home. And this creates a disconnect on how employees think about cybersecurity in all technology used, but especially in shadow IT.
Why Employees Are Turning to the Shadow
IT environments are complex, but remote wouldn’t have been able to happen as well as it did without digital transformation. At the same time, workers want something that is easy to use—technology they are familiar with. Enabling employees to do their job has to be priority No. 1 for any technology. The technology is there, but according to the report, IT overestimates how easy it is for workers to get the software, applications and cloud services they need to do their work efficiently. “This,” the report stated, “provides an opening for shadow IT and a lack of comprehensive governance.”
Employees, while showing greater respect for IT departments than ever before, are also frustrated with the amount of support they are able to get. “Their biggest frustrations were dealing with old and outdated technology (37%), getting support for remote work (33%) and getting support tickets resolved (31%),” according to the study. Again, these are issues that can lead to risk for the network and digital assets.
More About Productivity Than Security
But it appears that employees care about these issues more in terms of their own work productivity than they are about security.
“I believe employees, even those in technical roles, discount the impact their behavior has on the company’s security,” Alastair Pooley, CIO at Snow Software, said in an email comment. By way of example, he noted, “A recent use of Snow’s Risk Monitor tool during a review of outstanding vulnerabilities within a software customer found 46 out of 51 developers were still running old versions of Visual Studio 2019. This could be seen as understandable, as upgrading can break pipelines, but 25 developers were still running the 2017 version, complete with known vulnerabilities which have not been patched for a significant period of time.”
This is the kind of situation that gives CISOs and cybersecurity teams nightmares. Not only are these employees using old, unsupported software that opens up vulnerabilities for the company, but they also appear to be using the software as unmanaged shadow IT.
“When challenged,” Pooley said, “the team all claimed to have an exceptionally good understanding of security, but not one of them had gotten round to ensuring their own computers were up to date.”
IT employees tend to be better about this, as they have reporting, dashboards and data that gives them a broader perspective, he noted. And they also tend to keep personal computers more up to date—who wants their colleagues chasing them to update their systems? But it doesn’t excuse the shadow IT that is allowed to linger for other employees who know computers aren’t using software or applications with the most recent updates.
