Employees are increasingly using their own devices and accounts to work from home – largely because it’s easier to do so. Yet this rise in ‘shadow IT’ puts corporate security at risk.
Remote working has introduced a cluster of headaches for organizational IT teams, with security being perhaps the biggest.
With employers having lost oversight on IT practices and under-equipped workers having to make do with whatever work-from-home setup they’ve got to hand, organizational networks have become a patchwork of devices of varying quality and security standards – meaning shadow IT is on the rise.
Shadow IT refers to the use of devices, systems and software outside of those permitted by an organizational IT department. According to new research by software company Forcepoint, more than a third (37%) of UK employees are now relying on shadow IT at home, increasing companies’ exposure to cybersecurity risks.
The use of personal devices appears to be one of the biggest culprits: 48% of respondents admitted to using their own devices to access work documents and corporate networks while working from home. Meanwhile, 34% of employees reported using private email or file-sharing cloud services for work purposes – again against the advice of employers.
One reason for employees turning to their own devices for work could simply be that their employers haven’t equipped them with the necessary equipment to get the job done.
SEE: Identity theft protection policy (TechRepublic Premium)
According to a recent report by O2 Business, 42% of UK workers still
needed to do their job, while around a third have yet to be provided with a laptop or desktop PC for work.
While professionals are using personal devices for work, Forcepoint found that the opposite was also true: 41% of respondents admitted to using employer-provided devices for personal purposes, while 21% admitted that they allowed other members of their family to use them too.
Forcepoint determined that the main reason workers were relying on shadow IT was simplicity. Thirty-three percent of respondents said it was easier to perform certain job duties using personal or private platforms, while 32% said organizational IT policies made it difficult to do their job.
Dr Margaret Cunningham, principal research scientist at Forcepoint, said workers were more likely to use shadow IT if it offered a shortcut to productivity. “People in home offices usually use shadow IT not out of malice or carelessness, but to be more productive,” Cunningham said. “You won’t be able to stop them from doing that.”
Forcepoint’s findings echo those from a survey by security software provider Trend Micro in 2020, which found that employees often
if they felt they could get the job done quicker by doing so.
Yet only a quarter of respondents to Forcepoint’s survey – which sampled 2,000 adults in the UK and Germany – felt that technology had been a barrier while working from home, with Forcepoint suggesting that remote working had had a psychological impact on employers that resulted in them taking more IT security risks.
“Lockdown has been a stressful time for everyone, and while employers have admirably supported remote working with technology and connectivity, the human factor must not be overlooked,” said Cunningham.
“Interruptions, distractions, and split attention can be physically and emotionally draining and can negatively impact performance. This often materializes in risky behavior which can jeopardize a company’s cybersecurity, and Shadow IT can introduce significant risks.”
Organizations appear to have mostly stepped up their efforts to inform staff about
Forcepoint found that 59% of respondents had received additional training or reminders about IT security since 2020.
Yet Cunningham suggested that remote working should be taken as an opportunity for organizations to re-think their IT security policies for a landscape in which shadow IT is likely to remain pervasive.
“Companies should therefore no longer approach IT security exclusively at the system level. Shadow IT can in fact lead to great innovation and improved productivity, and black-and-white policies simply blocking access will only lead to more workarounds,” she said.
“The focus should be on uncovering shadow IT uses and re-setting policies where required, but also and most critically, ensuring that critical data is defined and appropriately protected as we continue in our new patterns of remote and flexible working.”