Remote Work and Shadow IT – How to securely support WFH policies
The mass exodus away from the office during the peak of COVID-19 during the spring and summer of 2020 has proven difficult for companies to reel back in. With desires to work from home and keep flexible work arrangements at the top of demands, workers are fueling the “Great Resignation” with calls for companies to enshrine WFH and remote work policies well into the future.
But as companies wrestle with this new reality, they must ask how they can keep their business data and systems secure.
Does increased remote work mean increased risk?
Employees around the world can today work from nearly anywhere. As they travel, so does their work, with their own personal laptops, mobile phones, WiFi connections, and personal accounts (e.g. Google, Zoom, etc.) allowing them to take their virtual offices nearly anywhere they are.
With each of these variables comes loss of control and visibility, two essential components at the core of any secure company’s IT strategy and best practices.
We’ve written about how 40% of WFH employees admit to using non-approved collaboration and communication tools on their work machines. And while 85% of employees believe their companies track their technology usage, the truth is that most are not capable of doing so, which has potential dire consequences.
Our partners at BitSight began tracking potential troubles with WFH and security at the height of COVID-19. Their findings include the fact that home networks are 3.5x more likely than corporate networks to have at least one family of malware. Likewise, in people’s connected homes, more than 25% of all devices have one or more services connected to the Internet.
In follow-up research, BitSight reports that even company-issued devices aren’t necessarily secure depending on use. In this case, BitSight found that 52% of company-issued devices were used by family members of employees. As these devices interact with other systems in the house–everything from TVs to dishwashers–the exposure to five distinct families of malware jumped up to 7.5x more than could be exposed on a corporate network.
Shadow IT and remote work
What many managers see as a remote work, WFH, or Cloud computing issue is really a Shadow IT issue. Shadow IT, or the connection of devices, services, apps, etc. to a company’s network without the company’s IT team being aware of it, is an inherent risk for any business. Malware from infected USB drives or errant clicks from a phishing email were cybersecurity issues even when everyone was in the office.
However, as employees use devices on external networks and–perhaps more importantly–mix work and personal computing habits (and accounts), the risk to organizations and their networks grows exponentially. As a result, WFH is a unique Shadow IT vulnerability.
Read more: What is Shadow IT?
However, as remote work becomes more desirable and acceptable, businesses can’t always simply demand workers only work in the relatively secure environment of an office or on-premises network. Instead, managers need to weigh the pros and cons of risk, educate their employees, and take proactive steps to secure their data and networks even as devices and access are spread globally.
Our partners at Netskope have put together a pragmatic guide for when to grant remote work to employees while still putting security at the forefront. Among other things they advise employers to ensure, they note the need to discover user actions, access to cloud applications, forward proxy deployment, and inspection of cloud IT services through DLP as some key thresholds that employees and IT professionals need to agree to before remote work can be considered truly safe.
Areas to secure to prevent Shadow IT issues in remote work
As CISOs and IT managers can attest, there is no one way to completely secure a network. However, with multi-layered strategies covering company accountability, industry standards, and government compliance come the need to be as secure as possible, which means Shadow IT is a blindspot that has to be considered at even the most entry level of positions.
Here are some key areas to consider when planning your
Shadow IT protections in light of remote work and WFH demands:
- Physical devices – All Internet-accessible devices including computers, phones, and USB and Bluetooth devices should be secure upon leaving the office. Employees should have regular check-ins with managers and IT team members to ensure their devices are up to date and/or enabled with security software or user tracking such as Netskope offers.
- Employee education – Employees at all levels should be enrolled in continuing education modules and discussions around cybersecurity. Specific threats, policies, and best practices should be discussed before, during, and throughout the amount of time a given employee is working remotely.
- Cloud services – Communication and collaboration services like WhatsApp, Gmail, or Google Docs should be regulated. Many such services utilize SSO across multiple sites, and even services that offer everyday encryption can be compromised, meaning
- Video services – Similar to the Cloud services mentioned above, video conference platforms like Zoom or Gong, and related VOIP services, should be regulated. Employees should be given access to and held to only using company (as opposed to personal) accounts on these platforms.
- Apps – Apps, especially on mobile devices, often request access to users’ contact information (and in some cases, files, location, etc.) As a result, apps on company devices should be treated as part of the enterprise stack, and should only be allowed once vetted and approved through formal IT processes.
Managers cannot singlehandedly prevent Shadow IT issues. However, as remote work continues to be a modern reality in most industries, it is team leaders’ responsibilities to take nothing for granted when allowing company data, devices, and employees to work beyond the secure confines of an office.
In the same way that you wouldn’t allow someone to make unlimited spare keys to your home, managers should ensure that the doors they control are secure
If you'd like to learn more about reducing Shadow IT and protecting your cloud vendor network, we can help.
