By Alexander Moiseev
The mix of corporate and non-corporate web services at work is no longer a question – it is a reality. Different departments access numerous specific cloud services, while staff often use social media, file sharing, messengers and various SaaS tools because it is more convenient. To be precise, it happens in 92% of small and medium-sized businesses and 89% of large corporations, as revealed in Kaspersky’s recent global survey.
Kaspersky’s ‘IT Security Risks Survey 2020’ was conducted in July 2020, with 5,226 respondents surveyed in 31 countries globally.
The necessity of remote working during the pandemic made this practice even more commonplace. After switching to home offices, employees were challenged to get things done even if their IT department didn’t give them access to all corporate services. It also blurred the lines between corporate and personal life, so people started using corporate laptops to do things besides work – like playing games, streaming films, or even watching porn.
While it looks like this current behaviour is creating a new norm, a question still remains: what should businesses do about shadow IT? Let’s elaborate on the risks, rewards and possible solutions.
Why it’s important to watch out for shadow IT: data security
Authorised corporate services for communication, collaboration, file storage and sharing are supposed to be properly configured by company IT teams and to have the required level of access control, data protection, and incident management. This means a business has a good level of transparency and ensures that nobody outside the company can access the corporate space and its content (at least without advanced malicious tools).
When it comes to non-corporate services such as messengers, file sharing, email or a CRM, it is unclear if the data that employees share through them is safe. There are questions, such as whether workers are using strong passwords, how they access the service and from what devices, or who manages access if people leave the company.
It is only human for an employee to forget to set up a password or to limit the circle of viewers and editors for a shared document. Alternatively, applications can be exposed to malicious actions. Fraudsters can abuse or even take over users’ accounts through phishing or social engineering, as in 2019, when malicious actors abused the popular file-sharing platform WeTransfer. They sent malicious files through WeTransfer which, when downloaded, redirected victims to a fake Microsoft Office 365 login page that captured login details if a victim entered them into the form.
If shadow IT is inevitable, bring it to light
The radical approach to shadow IT is to block access to all non-corporate services. However, this may not be realistic for every company, especially in this new working reality. Sometimes, this very shadow IT can help employees to do their job better, so a ban can simply hurt business efficiency. In one example story, a VP paid for a CRM out of her own pocket, bypassing the authorised system suggested by her IT team. When the company was made aware, she faced disciplinary action, despite the fact that thanks to this CRM she was able to increase the company’s revenue by $1 million per month.
Balance is therefore crucial: it is important not to impose IT tyranny, but also not to expose a company to the risks. Instead of fighting shadow IT, businesses can lead the process by bringing it to light. But how exactly can they do that?
First, staff awareness about the secure use of digital services – everything from corporate email to dedicated engineering software or even good old WhatsApp – is key to improving cybersecurity within the company. If there is a corporate policy that does not allow employees to share business documents through unauthorised applications, they should know about it. When managing any tools, employees should be aware of basic things – such as access and password management. They should also learn basic security rules, like not opening attachments or clicking on links in emails from unknown senders, not downloading software from unofficial sources and always checking the URL of web pages that ask for login details.
When speaking about cybersecurity, it’s better to use the right tone of voice: not punish but educate, remind, test and remind again. Explain to your staff why it is so important and how it supports the business and their peace of mind. The team may continue using services for work, but it is crucial they follow the rules and do not violate data protection policy.
Secondly, it’s essential to achieve visibility over shadow IT and integrate it with corporate resources. There are dedicated tools that allow teams to manage access to public clouds. They highlight which services are used more frequently, which of them have the potential for data transfer and storage and how risky that is, and let teams take the necessary actions. Such a tool can be a stand-alone solution or integrated with an endpoint security solution. For example, with the help of such cloud discovery, we found out that YouTube is the application that employees access the most on corporate devices. YouTube does not provide options for file-sharing or any business data processing, so the risk is minimal. That is, unless watching YouTube videos affects staff efficiency, but this is another story.
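The cloud discovery step described above, as an added example (not from the article or from any Kaspersky tool): it aggregates a constructed proxy log per service and orders services for triage by whether they can move business data and by upload volume, rather than by popularity. The log format, the catalogue entries and the risk labels are assumptions made for this illustration.

```python
from collections import defaultdict

# Hypothetical catalogue (assumed): domain suffix -> (service, can_move_business_data)
CATALOGUE = {
    "youtube.com": ("YouTube", False),
    "wetransfer.com": ("WeTransfer", True),
    "whatsapp.com": ("WhatsApp", True),
}

# Constructed proxy log: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2020-07-01T09:00:01 alice GET www.youtube.com 310
2020-07-01T09:02:10 bob GET www.youtube.com 295
2020-07-01T09:05:44 carol GET www.youtube.com 300
2020-07-01T09:10:30 bob POST wetransfer.com 48200000
2020-07-01T09:15:02 carol POST web.whatsapp.com 150000
2020-07-01T09:20:47 dave POST app.crm.example 920000
2020-07-01T09:21:03 malformed line
"""

def classify(host):
    """Match a host against the catalogue by domain suffix."""
    for suffix, (name, moves_data) in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return name, ("review" if moves_data else "low")
    return host, "unknown"  # uncatalogued service: needs manual triage

def discover(log_text):
    """Aggregate hits, distinct users and upload volume per service."""
    stats = defaultdict(lambda: {"hits": 0, "users": set(), "uploaded": 0, "risk": ""})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of failing the run
        _, user, _, host, sent = parts
        name, risk = classify(host.lower())
        entry = stats[name]
        entry["hits"] += 1
        entry["users"].add(user)
        entry["uploaded"] += int(sent)
        entry["risk"] = risk
    return dict(stats)

def triage_order(stats):
    """Rank by risk label first, then by upload volume, not by raw hits."""
    rank = {"unknown": 0, "review": 1, "low": 2}
    return sorted(stats, key=lambda s: (rank[stats[s]["risk"]], -stats[s]["uploaded"]))
```

On the sample data the most-accessed service (YouTube) lands last in the triage order, while the uncatalogued CRM host comes first.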
Finally, it is important to have clear processes and the corporate culture should encourage employees to ask for improvements. A similar story to that VP and ‘shadow’ CRM can happen in any company. For instance, the IT team may be reluctant to consider incoming demands. They may simply not have enough time or resources, or the company itself may lack a corporate culture conducive to change. Setting up defined practices that help employees contact support teams and get help can be a way out. Even if the helpdesk cannot provide what is required, they should be able to consult on workarounds.
Shadow IT is so common because it’s human nature to always look for the easiest and most convenient way to do something, including our work. It should be treated carefully, and these simple recommendations show that organisations can manage it. This will not only reduce the exposure to data protection risks but also encourage better communication between the IT department and other employees. It also leads to another positive outcome: the trust of a company in its employees and vice versa.
(Alexander Moiseev is the Chief Business Officer at Kaspersky.)