This is the second in a series of four posts about shadow IT, including how and why teams use unapproved apps and devices, and approaches for securely managing it. For a complete overview of the topics discussed in this series, download Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.
High productivity levels are generally a good thing. For most organizations, the answer to the question, “Is it important for your employees to be productive?” is a resounding “Yes!” However, when employees ask to use a tool or app to boost productivity, companies may want to say “yes”, but often find themselves saying “no”.
What gives? Security concerns. And they’re legitimate. Companies are in the midst of a brave new world called hybrid work. Gone are the days of on-premises servers, software, and devices (and employees) that were relatively straightforward to manage and secure.
Now knowledge workers can get things done in coffee shops and their own living rooms. Companies turn to cloud services to support flexible working with “access from anywhere” apps and online collaboration tools, collectively known as software-as-a-service (SaaS).
Employees have become much more likely to select these cloud services and apps (not all company-approved) to get their work done. While hybrid and remote work was slowly starting to become a thing before, the pandemic accelerated it, and here we are.
So the million-dollar question is: If employees want to use their preferred apps and tools to be more productive, how can companies leverage this employee productivity while still protecting themselves from cybersecurity risks?
And what does worker burnout (the opposite of employee productivity) have to do with the IT department’s security strategy for shadow IT?
Quick review: What is shadow IT?
The first post in this series, What is shadow IT and how do I manage it?, explains what shadow IT is and what it may look like across different company departments.
To recap, here’s a quick definition: Shadow IT refers to the apps and devices that aren’t licensed and managed by a company.
These aren’t obscure apps used for nefarious purposes. Examples of shadow IT can be anything from Google Docs to social media. The issue is that employees may enter company information or client data into them and, if they log in with a weak or reused password, those accounts become an easy target and can lead to a data breach.
A changing work environment: Securing the new perimeter
This new hybrid, cloud-based work environment and employee experience requires a shift in companies’ security strategy. There are no walls. Instead, security and IT teams are managing a nebulous perimeter that’s constantly shifting and often spans the globe. In The new perimeter: access management in a hybrid world, we highlight four key considerations for securing the new perimeter of a hybrid workforce:
- To address shadow IT, start with identity. 70% of data breaches involved an identity element in 2023. Identity issues, which include stolen passwords, are expected to be even worse in 2024, increasing to as much as 90%, according to Forrester.
- Secure access to managed and unmanaged apps. Employees use multiple devices to access all sorts of apps and websites during their workday. An enterprise password manager (EPM) ensures that employees use strong passwords no matter what they access and on which device. Companies can set their own minimum security requirements, and the EPM will ensure that every sign-in, on every device, meets those requirements.
- Minimize security stack costs. Single sign-on (SSO) tools are great for managing access to the software and tools IT knows about, but they aren’t enough to corral shadow IT. And the costs of putting more apps behind SSO add up: implementation and custom configuration take time, and there’s typically an additional charge to place most apps behind SSO (the “SSO tax”).
- Debunk the false tradeoff of workforce productivity versus security. Employee productivity versus security doesn’t have to be an either-or choice. In fact, it can’t be, because trying to stop shadow IT at your organization is a futile exercise. It’s everywhere: in one study, 85% of employees said they knowingly broke cybersecurity rules to accomplish a task. Instead, the challenge is to find ways to secure each individual employee’s preferred ways of working.
Full-spectrum shadow IT challenges: Employee productivity to worker burnout
Productive employees. Burned-out employees. At the opposite ends of the spectrum, yet both contribute to the risks of shadow IT at companies everywhere.
At one end, employees are using shadow IT to increase their productivity or do their jobs better. A Gartner survey shows that we’re using twice the number of apps we did in 2019, and usage continues to grow.
At the other end of the spectrum are employees who are being stretched too thin. And it’s not a few outliers. A 1Password report on burnout revealed that 80% of office workers feel burned out, and one in three workers say burnout is affecting their initiative and motivation levels.
It’s worth noting that this research was conducted during the height of the pandemic, when we’d expect burnout levels to be particularly high – but it’s also worth noting that we haven’t solved burnout since then.
In addition to the obvious physical and mental health effects, worker burnout can present a severe, pervasive, and multifaceted cybersecurity risk. This is because employees who are feeling burned out can be more lax about following security protocols. They also are more likely to use shadow IT. Here are some additional eye-opening findings from the 1Password report:
- 3 times as many burned-out employees as non-burned-out employees maintain that security policies “aren’t worth the hassle” (20% vs. 7%), regardless of incentives.
- A 21-point gap separates those who are burned out (59% of whom say they follow their companies' security rules) from those who are not (80% of whom say they follow the rules).
- 60% more burned-out employees than non-burned-out employees are creating, downloading, or using shadow IT (48% vs. 30%).
- 59% of burned-out employees have poor practices when setting up work passwords, compared to 43% of non-burned-out employees.
Why is this so concerning? Beyond the important concerns about human health and employee well-being, burnout and the resulting low levels of employee engagement negatively affect adherence to security protocols.
Bottom line? Nobody wins when an employee is burned out. When workers are so tuned out that they’re less likely to follow security rules, and more likely to use weak passwords or fall for phishing scams, cybersecurity risk increases.
Cybersecurity team burnout risk
Adding complexity to the challenges of securing the new perimeter, it turns out (surprise!) that IT/security professionals aren’t superhuman. The 1Password report shows that they’re experiencing burnout in even greater numbers than the general employee population (84% vs. 80%).
While 89% of security professionals say they favor security over convenience, they also admit that they take shortcuts. For example, they use shadow IT (29%), work around company policies to solve their own IT problems themselves (37%), or do so because they don’t like the company-approved software (15%).
Even more worrying, security professionals are twice as likely as other workers to say that due to burnout, they’re “completely checked out” and “doing the bare minimum at work” (10% vs. 5%).
That’s not good news, especially if a company has a reactive approach to managing shadow IT that depends on the vigilance of team members and their ability to quickly respond to problems.
Take a proactive approach to managing shadow IT
As security professionals know, prevention is often more effective than protection. Taking a proactive approach to managing shadow IT – securely enabling it – is the only viable path forward.
It starts with understanding employee productivity, workflows, and potential security vulnerabilities in every department. A next step is working to secure the “path of least resistance” for all employees at the individual level so they can use the apps and tools they need to boost productivity.
The good news is that by securing credential sharing and standardizing how employees gain access to tools, you also protect your organization against lax security practices and behaviors.
Next, we’ll explore how to identify shadow IT, what it may be used for (such as project management, social media, productivity tools, and file sharing), and common vulnerabilities for different departments, including Finance, HR, Engineering, and Marketing.
To learn more, follow this series on the 1Password blog exploring shadow IT over the next few weeks or download the ebook: Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.