How shadow IT is making security threats darker in today’s world

The global shift to remote work at the start of the pandemic was swift. Within weeks, businesses had introduced various digital tools and technologies to facilitate work from any location. This accessibility was also extended to enable employees to work from any device – often using a mix of corporate-owned devices and Bring Your Own Device (BYOD) to perform daily tasks.

While these technologies focused on providing employees accessibility and simplicity, several challenges still hover over IT teams, who must ensure there is a robust security framework covering a large range of personal devices, corporate devices, and applications and programs that employees are using. To further compound this, more apps are moving to the cloud and more workloads are distributed across public clouds and Software-as-a-Service (SaaS).

This makes it challenging to secure and manage complex environments, especially considering the level of expertise that’s needed to handle the complexities IT teams face today. When asked to identify the top obstacles to enabling secure hybrid work, IT decision makers said they are prioritising bridging the cyber security knowledge gap (32 per cent) and managing the pace of digital acceleration with cyber security investment (29 per cent) to strengthen their organisation’s IT security.

The rise of Shadow IT

The prevalence of shadow IT – the unsanctioned use of corporate IT systems, devices and software – increased exponentially during the shift to remote work. Almost one in seven (68 per cent) IT leaders surveyed by Censuswide on behalf of Citrix are concerned about information security because of employees using shadow IT. More than half (54 per cent) said there has been a surge in employees installing unsanctioned software since the start of the pandemic.

Shadow IT is a challenge as it exposes organisations to data exfiltration, malware, phishing; it can open the door for hackers to steal employee and customer identities, steal company secrets and cause companies to fail compliance audits or violate laws. Since people go out of their way to avoid the IT department, shadow IT is tough to prevent, manage or control. With hybrid work and a rise in the use of BYOD devices, which are unmanaged and easily exploited by cyber criminals, data has never been more at risk.

How do organisations tackle this?

Organisations need to rethink their approach to security and to make it as seamless as possible for employees to access apps securely from anywhere, at any time and from any device.

VIEW ALL

In today’s environment, where work is done at an incredible pace, employees have turned en masse to shadow IT when the experience of work vis for corporate network is not fast enough, accurate enough or simply difficult to use. If an app doesn’t move as fast as needed, it’s not hard to bypass the normal processes and sign-up for a cloud-based service, leaving IT departments out of the process.

Corporate-managed devices are often the most secure way to provide remote access because IT teams have the most control. And if you give employees compelling apps, data and services, they will be less likely to buy and use shadow IT, giving IT teams back control and reducing complexity, while regaining control and improving security. However, the employee experience is critical.

A virtual workspace that is managed and delivered by IT teams can effectively place a bubble around the work, ensuring company data and apps are centrally managed, secure and the employee experience is not impacted.

This way, employees will only be able to access critical company data through corporate-approved virtual apps and desktops. It enables the zero-trust security framework to thrive as security controls enforce verification regardless of location or device. The zero-trust model is simpler to manage and more importantly, it significantly reduces the opportunity for shadow IT.

For example, desktop-as-a-service (DaaS) enables employees with authorisation to access their entire suite of applications via virtual desktops, in a secure, simplified way. A DaaS solution not only authenticates user access into the virtual workspace, but monitors user, application and network behaviour to ensure that corporate information remains secure, no matter where work is being done.

Communication is key

Many employees aren’t fully aware of the gravity of the cyber risks around remote work. But there are a couple of clear steps that IT leaders can take to help reduce the risk of shadow IT.

First, educate employees on the risks and what is at stake. Often, the most productive people buy and use shadow IT to speed up their work. But if they’re aware of the serious risks that come with unsanctioned technology, and how it can threaten their reputation, privacy and organisation, they’ll likely think twice.

Second, ensure teams are up to date on the latest training and security measures, that they understand best practice while out of the office, and that they ensure that their devices are patched and up to date before they set off. It’s the responsibility of IT teams to make employees understand how to spot fraudulent invitations, phishing attempts and other forms of online scams while working.

Finally, IT leaders should encourage employees to come forward and ask if they want to complete tasks using their personal devices or via non corporate apps. This will help keep IT teams in the loop and alert them against any suspicious activity. If risks are effectively communicated across the entire organisation – along with practical advice to combat dangers – it’ll reduce the security burden on IT teams.

Next steps

People today expect technology to be simple, convenient and easy to use. But the growth of hybrid work and expanded uses of different devices have increased attack surfaces. By deploying a unified, secure digital workspace service, organisations can simplify work, allow people to use the devices they prefer, while reducing the desire for shadow IT and the related risks associated with unsanctioned technology.

Martin Creighan is the managing director at Citrix Australia and New Zealand.