With ‘social distancing’ a familiar term to most of us at this point, many companies have allowed their employees to work from home, given that the alternative is to cease operations entirely. But it brings a myriad of IT problems.
Simply put, ‘Shadow IT’ is the term used to describe the use of software or devices that IT has not approved or authorized. Whether you call it remote working, telework, telecommuting, or working from home, companies new to handling offsite employees need to consider Shadow IT and the operational and security risks it brings. Many of these companies are experimenting with working from home for the first time and are unaware of those risks. The first step, as with most business processes, is planning.
Planning for Remote Work
Ideally, in an emergency, working from home should only proceed once a detailed IT plan is in place to minimize risk. This plan should identify any potential issues and include solutions that reduce risk without compromising security. Protecting against Shadow IT requires everyone’s assistance, and the methods used will vary according to company policies and company ownership of connected devices, for example. To demonstrate such reasoning, the following list will state a potential issue and offer a possible solution in each case.
In no particular order, these issues could include but are not limited to:
1. Share Information With Users
Issue: Users are unaware of their security responsibilities.
IT is responsible for data and network security, among other things. Security measures are not an attempt to take control, demonstrate our omnipotence, or restrict productivity. While frustrated users are a hindrance, IT’s function is defined in their contracts, giving them official permission to reduce risk wherever possible.
Whatever the final plan for remote workers is, and it should be decided with input from all departments, it must be shared with all users. It should also set out the reasons for the specific measures taken; otherwise, staff will find workarounds on their own. For example, if the company does not want remote employees using cloud storage, the plan should say so and give the sensible reasons behind the decision. Once the plan is officially released, users can no longer claim ignorance of the security policies for remote workers.
2. Data Governance
Issue: Data sharing outside the company network.
The company’s IT plan, no doubt, already includes data governance, given that all companies must comply with a variety of data privacy and protection laws, regardless of jurisdiction. Whether for e-discovery or compliance requirements, companies must know who accessed their data and when. In a remote environment, this is complicated by BYOD and, in the current climate, by the possible use of equipment such as a family computer shared by all family members. Add the use of unapproved file sharing or cloud storage services, and the problem is clear. How can IT secure company data and monitor devices it has no control over?
It’s for this reason that most work-from-home solutions require a remote connection to the company network or the use of an approved platform such as Basecamp (or, if teleconferencing is necessary, a trusted solution selected for that purpose). The data involved does not leave the system, and full traceability is maintained.
3. Level of Device Monitoring
Issue: IT does not have admin control of devices.
As a user, I’m firmly against allowing any company admin control of my device. However, many allow it, rolling out BYOD policies. IT admins can then achieve some control via partitioning and installation of device monitoring solutions on the company assigned partition. It is a better solution to provide staff with company-owned devices as full control is possible without apology or need for user permission.
4. Software Licensing
Issue: The number of software licenses does not match the number of installs.
While most companies disable software install permissions, when BYOD or personal devices are used, users sometimes install software to improve productivity. Generally, they lack malicious intent, but the fact remains that the company is liable if a licensing audit takes place. Penalties for offending companies could reach hundreds of thousands of dollars.
In addition, software that is downloaded illegally could well contain malware that logs keystrokes, harvests passwords, or opens access to your company network. IT insists on approved software because it knows that software is reliable and secure, provided updates and patches are installed promptly. As a rule of thumb, if software is not listed as ‘Approved,’ don’t use it. Mobile apps are included in this observation, as even innocent-seeming apps or games could cause an unintended data breach.
5. Restrictions & Permissions
Issue: Users are actively using unapproved software and services despite warnings.
This is generally the last resort, as it means IT is policing users to ensure compliance with standard security practices. If IT has sufficient permissions on the device, it can create a blacklist of service providers, covering file storage, VoIP software, or CMS solutions, for example. Take it from me, this is frustrating for IT, as it’s impossible to prevent users from finding alternative solutions, and it is a reactive measure rather than a proactive one.
6. Software Repository
Issue: Users are forced to find their own solutions as IT is slow to respond.
I must admit, on some occasions, users are correct in this observation. Some companies love red tape, with departments unrelated to the IT function (such as Finance) required to sign off on software acquisition. However, even when the software involved is free, delays still occur as IT prioritizes tasks, often leaving common user requests in the pending pile. If IT truly wishes to eliminate Shadow IT company-wide and maintain data security when users work from home, then a software repository is essential.
It’s no surprise that users often go ahead and solve the issue themselves, even paying for the software on their personal credit card. Commonly known as the consumerization of IT, users no longer have the patience to deal with red tape and, in a few minutes, can have new software up and running. Security concerns become secondary to their own productivity.
This makes IT look bad and deservedly so, in my opinion. It’s not that difficult to create an approved list of software. Obviously, an install of Acrobat Pro, AutoCAD, or MS Office has a cost and license associated with it, and such requests should come from a department head, for example. Then IT can assign a license properly or recommend a free alternative.
However, many apps that enhance productivity are free, and these are easily gathered into a repository (or a list of URLs for the latest version) for everyone to use. These include file viewers, converters, file compression tools, image editors (GIMP, for example), media players, and many more too numerous to list here. If users want to use a piece of software, let IT verify it, approve it if appropriate, and add it to the repository. Otherwise, don’t use it at all.
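To make the licensing and approved-repository checks from sections 4 and 6 concrete, here is an added example (not code from the original article) that reconciles an endpoint software inventory against an approved catalog with licensed seat counts, reporting installs outside the catalog (Shadow IT) and products whose installs exceed their seats. The products, devices, users and seat counts are constructed sample data.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

class Install(NamedTuple):
    device: str
    user: str
    product: str
    version: str

# Approved catalog: product -> licensed seats. None means free software
# (e.g. GIMP), so only approval matters, not seat count. Constructed sample.
APPROVED: Dict[str, Optional[int]] = {
    "acrobat pro": 2,
    "autocad": 1,
    "gimp": None,
}

# Constructed inventory export, as an endpoint agent might report it.
INVENTORY: List[Install] = [
    Install("LT-001", "alice", "Acrobat Pro", "2020.006"),
    Install("LT-002", "bob", "Acrobat Pro", "2020.006"),
    Install("LT-003", "carol", "Acrobat Pro", "2019.021"),
    Install("LT-002", "bob", "AutoCAD", "2021"),
    Install("LT-004", "dave", "GIMP", "2.10"),
    Install("LT-004", "dave", "Dropbox", "95.4"),
    Install("LT-001", "alice", "dropbox ", "94.1"),
]

def _key(name: str) -> str:
    """Normalize product names so 'Dropbox' and 'dropbox ' count as one."""
    return " ".join(name.lower().split())

def reconcile(inventory: List[Install], approved: Dict[str, Optional[int]]):
    """Return (unapproved, overages): unapproved maps a product outside the
    catalog to its 'device/user' installs; overages maps a licensed product
    to (installs, seats) when installs exceed seats."""
    counts = Counter(_key(i.product) for i in inventory)
    unapproved = defaultdict(list)
    for i in inventory:
        if _key(i.product) not in approved:
            unapproved[_key(i.product)].append(f"{i.device}/{i.user}")
    overages = {
        p: (counts[p], seats)
        for p, seats in approved.items()
        if seats is not None and counts[p] > seats
    }
    return dict(unapproved), overages

if __name__ == "__main__":
    print(reconcile(INVENTORY, APPROVED))
```

Running it on the sample data flags the two Dropbox installs as unapproved and Acrobat Pro as over its two seats, which is exactly the audit exposure the licensing section describes.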
In conclusion, many of the issues facing IT when users are working from home remain unchanged if users are remotely connecting to the network. Company IT cannot monitor personal devices unless permission is given as part of a BYOD policy. This complicates matters, but IT can offer support, and the company could pay for antivirus and cybersecurity solutions for installation on devices they cannot monitor. If this is done, IT can relax a little, knowing that user devices are protected as much as possible from malware and other threats, in much the same manner as at work.