Sep 21 2023

Shadow IT: Security policies may be a problem

Category: Security policydisc7 @ 3:13 pm

Shadow IT A Clear and Concise Reference

A recent report by Kolide and Dimensional Research has disclosed that three-quarters of employees resort to utilizing their personal and often unmanaged mobile devices and laptops for work purposes, with nearly half of the surveyed companies permitting such unmanaged devices to access secure resources. The report, based on responses from 334 IT, security, and business professionals, highlights the diverse motivations behind this practice, with three specific reasons indicating that a substantial number of employees use personal devices as a means to circumvent their organization’s security policies.

The dangers of shadow IT

The prevalence of shadow IT in enterprise environments is a well established fact.

When the organization’s IT department refuses to sign off on a needed solution or they drag their feet when asked to approve it, workers in other departments are tempted to deploy it without the IT workers’ knowledge.

The problem is compounded by the widespread use of personal/unmanaged devices, as the IT department has no way of knowing what’s happening on them, whether they are regularly patched/upgraded or whether they have been compromised.

“When engineers do production-level work on personal devices, an organization’s risk of a breach skyrockets. A bad actor can use a security flaw in an unmanaged device to break into the production environment, as in the LastPass breach. Even a simple smash-and-grab of a laptop can turn into a nightmare if that laptop is full of PII, and IT has no way to remotely wipe it,” Kolide researchers noted.

Employees shouldn’t be blamed for flawed security policies

Workers use their personal devices for work to (among other things) access websites and applications that have been restricted by the IT department, and because getting through security measures is frustrating.

This, and the fact that only 47% of the pollees said that they always follow all the cybersecurity policies, shows that the security policies in place are not working for all.

“Unfortunately, we don’t have data on which specific policies respondents felt justified in going around, but we can make two inferences from this response: Any security policy that workers can ignore at will does not have adequate safeguards around it, and if workers who generally try to follow the rules ignore a security policy, either they don’t understand the risks associated with a specific behavior, or the policy itself is flawed,” the researchers said.

Employers and workers need more open, honest dialogue about security, they pointed out. Security and IT professionals must make an effort to understand why workers feel they have to go around policies.

Finally, the results of the survey also debunk the myth that security training is useless and a despised nuisance.

“In the strongest data point of our survey, 96% of workers (across teams and seniority) reported that training was either helpful, or would be helpful if it were better designed. The message here is that people want to be educated on how to behave safely,” the researchers concluded.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Tags: Shadow IT

Leave a Reply

You must be logged in to post a comment. Login now.