One of the most important aspects of maintaining a healthy network infrastructure is establishing a secure information perimeter. This means keeping sensitive, privileged business data in your environment and keeping compromising information out. Of course, employees love the convenience that smartphones and tablets bring to their personal lives. So, it’s no wonder that people have come to expect those same conveniences in their work lives. However, many BYOD policies don’t account for this expectation, and the result is a serious IT security threat for the business. So, what is a company to do?
BYOD Policies Explained
Many companies try to discourage their staff from using personal devices for work purposes by adopting Bring Your Own Device (BYOD) policies. However, even with BYOD policies in place, workers are circumventing corporate security policies at an alarming rate. According to CEB Global, 90 percent of employees admit to ignoring corporate security policies if there’s a compelling reason to do so. A recent Infosecurity Magazine article stated, “Almost two-thirds of employees report regularly using personal technologies for work, primarily for the sake of convenience. For example, most workers confess to sending a file from their company computer to a personal email account so they can work while not in the office.”
Increasingly ubiquitous cloud applications like Google Drive, Dropbox, and Microsoft OneDrive, along with the move towards greater collaboration, are driving this dangerous trend. In addition, if a company’s security policies are perceived as onerous, employees may find workarounds. After all, how many managers would accept the excuse, “I couldn’t finish my deliverable because I was following the security policy”? The problem is not BYOD itself. It’s that companies don’t provide any reasonable alternative for employees to securely access company resources from remote locations; yet, they expect employees to work outside of normal business hours to complete their tasks on time. This often creates a culture of mistrust and perpetuates what is known as a shadow IT environment.
What is Shadow IT?
Most employees have good intentions: They want to be productive and excel in their roles. However, timelines may be short and employees may need quick access to hardware or applications not readily available in their division or even within the company. In certain cases, the IT group may be shorthanded and employees aren’t able to wait for assistance. Sometimes, it’s because the security protocols for requesting access to new resources haven’t been communicated effectively to the group. And most of the time, there are no reasonable alternatives in place for accessing resources remotely. This is when employees begin sending files to their personal email addresses so they can complete projects on their computer at home. After all, there is a deadline to meet!
Bypassing BYOD policies results in a culture of shadow IT: employees take it upon themselves to get the technology they need to complete a task, circumventing IT security protocols in the process. Any device or application that hasn’t been vetted by the company’s IT organization introduces security risks to the whole business. The impact can be as minor as constricting bandwidth or as major as throwing the company into noncompliance. In addition, document version control is lost, and data may not be properly secured, backed up, or archived.
Preventing Shadow IT
IT organizations have mixed feelings about shadow IT. Some worry about the creation of data silos and increases in malware and exploits coming from unsecured devices. Others see it as a controllable, logical extension of the speed of today’s business and feel that it feeds innovation. Regardless of your organization’s stance, shadow IT is undeniably risky. But there are three ways to prevent such a culture:
- Talk to your IT organization and employees to find out what devices and applications people really need to do their jobs well and how they’re using company-provided technology.
- Adopt cloud technologies, such as Software-as-a-Service (SaaS) applications including Microsoft Office 365, Adobe Creative Cloud, and Salesforce.com.
- Embrace an open-door policy. If you know your company has a shadow IT culture, consider a grace period for workers to bring devices or applications into the corporate IT structure without repercussions.
The best approach to eliminating shadow IT is to provide a secure alternative that is just as convenient as using a personal device or application. You can create a secure environment that helps your workers be productive, even if they telecommute or travel for the job. All Phases IT’s managed services experts can help. Contact us today to learn more.