As the COVID-19 situation develops, businesses are scrambling to adjust to the new reality of remote work. The sudden nature of this shift has meant IT teams are ill-prepared for the security implications of remote working.
One such risk is shadow IT – the use of apps and services by employees without the knowledge or oversight of your IT team. In our recent look at the risks of shadow IT, we saw that a remarkable 63.5% of workers had created at least one shadow IT account in the 12 months prior to our survey.
Right now, the use of shadow IT is only likely to increase as people find new workflows to replace old ones that are suddenly unfit for purpose. And people will be all the more tempted by extended free trials offered in the spate of home-working caused by coronavirus. Even the simple act of having a face-to-face conversation needs an app now.
Banning the use of shadow IT isn’t practical, and doing so could stifle productivity and innovation in your organization. People will always find a way around imposed limitations out of the commendable desire to get things done. In this post, we’ll look at how to mitigate the risks posed by shadow IT when working as a remote team.
Risks of shadow IT
Let’s quickly recap the risks posed by shadow IT. The nature of these risks doesn’t change due to remote working, particularly. But the risks become more relevant than ever as use of shadow IT increases in light of remote working.
You don’t know where your data is. If you don’t know what services your team are using, you don’t know where sensitive company data, or that of your customers, could be lurking. If one of those services is breached, you won’t know that data has been compromised.
You don’t know who has access. In the event someone leaves your company suddenly, it can be hard enough closing the work accounts you do know about, let alone the ones you don’t. Former employees could retain access to data to share with competitors.
Poor password practices can go unchecked. As people sign up for new accounts, they may use weak passwords or reuse old passwords. Credential surfing and password reuse are the most common ways attackers gain access to your confidential information.
Reducing those risks
Shadow IT sounds scary, but with a few common sense steps, you can reduce the use of necessary shadow IT, and mitigate the risks associated with the rest.
Cover the basics. When you work remotely, everyone is going to need a handful of basic services to get things done. Make sure you provide ways for your team to communicate in writing, video call, collaborate on documents, prioritize tasks and share information securely. If you already use an identity provider, choose tools that work with it so the team already has a means of securely signing in without creating their new passwords.
Be nimble and amenable. It’s not shadow IT if you know people are using it. Encourage people to share what tools they’re using. Existing policies that prohibit new services may be too stringent for newly remote teams. Investigate the tools people are using, and suggest better, safer alternatives where appropriate. Say yes rather than no to new tools where you can.
Encourage a culture of common sense. People will appreciate any leniency you can offer when it comes to IT tools, and will be prepared to meet you half-way when it comes to how they’re used. For most day-to-day communication and work, it may not be necessary to use or store sensitive company or customer data. You can let people know they’re free to use certain tools provided sensitive information isn’t shared.
Raise awareness about online security. Make sure your team is informed about online security when remote working. They should know that online attacks and scam such as phishing and CEO fraud pose an increased threat at the moment. Everyone should know the importance of using strong, unique passwords and two-factor authentication wherever possible.
Use a password manager. Make sure everyone has access to a business password manager like 1Password that can create and store strong passwords. This means that if people do ever need to create an account, they can make sure it’s as safe as possible, and can easily access the credentials if they need to delete the account or update the password in future. Ideally, choose a password manager that allows secure sharing of passwords and other important information so people have the means to do this safely as the need arises – it almost certainly will.
Consider apps carefully. If it’s an option, always speak to your IT team before trying a new app. If you are ever tempted to use a new one, take care to choose a safe app from a reputable source. Download the app from a recognized app store if possible. Check what permissions the app needs, and avoid apps which ask for permissions that don’t make sense, or seem more invasive than they need to be.
Be a good work citizen. As an employee, reward the trust placed in you at this time by being careful which services you choose to use and how you choose to use them. Keep track of any services you use and share details with your IT team. Don’t share sensitive data outside of approved channels. Be sure to delete data, or replace it with dummy data, from any accounts you no longer need, closing or deleting the accounts themselves when you’re done.
Here’s where to start
Perhaps the single-most important step you can take to mitigate the risks posed by Shadow IT is to make sure your team uses a password manager to create, store and share strong, unique passwords. We’ve made 1Password Business free to use for 6 months to help companies make the switch to remote working.