Over the last decade, there has been a significant shift in how we work. The explosion of cloud and “as-a-service” technologies has made it easy for anyone within an organisation to both purchase and use preferred applications, often without intervention from IT. Whilst many cloud tools enable enhanced levels of sharing and collaboration, an improvement which has transformed how we all work, it has also affected the dynamic between meeting user needs and ensuring IT department control. This has led to a massive increase in access to technologies not provided by IT, which brings additional challenges to any business wanting to control security and operational risks. A responsive IT department will recognise that they need to enable workers to, wherever possible, access the applications they wish to work with without putting the organisation at risk. A “can do” attitude will encourage workers to continue to involve IT departments. This is critical for businesses and they need expertise from IT when it comes to security, compliance and cost management.
The relationship between workers and technology
Workers can be significantly invested in the technology they use every day, and those emotional ties can put them at odds with IT and, perhaps more worryingly, the best interests of their organisation. According to a recent survey of global workers, 41% of employees will avoid involving IT when seeking to access to professional software and applications that they feel are essential to doing their job. In addition to this, of those responding to our survey, most have accessed work assets on their personal devices.
Technology is being democratised and decisions are being decentralised. Yet, as with any systemic transfer of power, an organisation’s IT infrastructure can quickly descend into chaos if employees, IT teams and decision-makers don’t collaborate. Unapproved or unauthorized cloud-based applications may open the organisation’s corporate network and sensitive data open to cybercriminals. It is clear that IT professionals must find ways of working in ways which are seen to be supportive to workers and their preferences. It is my view that the negative term “shadow IT” should no longer be used and instead this expansion of technology should be seen as the new normal.
The impact of seniority vs rank and file
To effectively manage today’s workforce, business leaders need a comprehensive understanding of the different groups of workers and how to best utilise their knowledge and experience.
When looking solely at rank within the organisation, managers or higher are almost twice as likely to use unauthorised professional or personal software or applications. A staggering 93% of executives acknowledged that such behaviour causes issues for the business, but more than half (57%) avoid IT when accessing professional software and apps. Entry-level employees surfaced as the most well behaved, with 38% reporting they never access software or applications on their work device without IT’s consent.
Even though executives admit that they should know better, knowledge clearly isn’t enough. When faced with such risky technology behaviour, visibility and understanding of the scope of the problem is a critical step towards identifying a feasible and efficient solution.
Preparing the workforce of the future
Broadly speaking, different generations perceive technology, and how they use it in different ways. So called millennials have grown up with technology and are often more adept at incorporating technology into their personal and professional lives than previous generations. These “digital natives” are moving into leadership positions (and more importantly, buying decision roles).
Having grown up with computers, smart devices and a largely connected world this generation naturally expects workplace technologies to mirror the technologies they use in their educational and personal experiences. 81% of millennials admit they have used or accessed unapproved technology or assets on their work device without ITs permission. Millennials are therefore almost twice as likely to adopt unauthorised technology compared to other generations.
Millennials are also exponentially more emotional about asking for permission to access software in the workplace. Compared to older workers, they are more than four times as likely to feel it is beneath them and over three times more likely to believe it is an outdated concept.
Tech is only part of the issue
To help manage employee behaviour and encourage proper device usage, best practice would be to rely on a combination of approaches including:
- Security awareness education: ongoing training and communication to your organisation’s workforce are required to communicate risks such as browser hijacking, ransomware and malicious software downloads. This helps to educate staff on what is appropriate and what crosses the line. It’s important to make this training tangible and avoid hours of compliance style videos.
- Visibility of the organisation’s IT estate: it is important that businesses understand what employees actually use day-to-day and week-to-week in order to spot both unauthorized usage and software installed on end-user devices. If there is an unapproved tool which is being widely used across an organisation, it may be worth the IT team considering investing in the tool or investigating and providing an authorized alternative.
- Implement active controls: through the use of unauthorized or unapproved technology, employees can create security issues for an organisation. It is therefore critical that security remains strong. Review your active controls at the network perimeter or with anti-virus vendors to try and prevent malicious downloads or employees visiting known piracy sites.
To summarise: In today’s digital environment, it is clear that our relationship with work and technology has changed and worker expectations are increasing. As the guardians of both the security and reliability of their organisation’s technology ecosystem, it is up to IT to find a balance between empowering a new, more demanding workforce whilst also serving and safeguarding the business’s needs.
Chief Information Officer
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.