The mass exodus away from the office at the peak of COVID-19 in the spring and summer of 2020 has proven difficult for companies to reel back in. With working from home and flexible work arrangements at the top of their demands, workers are fueling the “Great Resignation” with calls for companies to enshrine WFH and remote work policies well into the future.
But as companies wrestle with this new reality, they must ask how they can keep their business data and systems secure.
Today, employees around the world can work from nearly anywhere. As they travel, so does their work: personal laptops, mobile phones, WiFi connections, and personal accounts (e.g. Google, Zoom, etc.) let them take their virtual offices wherever they go.
With each of these variables comes loss of control and visibility, two essential components at the core of any secure company’s IT strategy and best practices.
We’ve written about how 40% of WFH employees admit to using non-approved collaboration and communication tools on their work machines. And while 85% of employees believe their companies track their technology usage, the truth is that most are not capable of doing so, which has potentially dire consequences.
Our partners at BitSight began tracking potential troubles with WFH and security at the height of COVID-19. Their findings include the fact that home networks are 3.5x more likely than corporate networks to have at least one family of malware. Likewise, in people’s connected homes, more than 25% of all devices have one or more services connected to the Internet.
In follow-up research, BitSight reports that even company-issued devices aren’t necessarily secure, depending on how they are used: 52% of company-issued devices were used by family members of employees. As these devices interact with other systems in the house–everything from TVs to dishwashers–the exposure to five distinct families of malware jumped up to 7.5x more than on a corporate network.
What many managers see as a remote work, WFH, or Cloud computing issue is really a Shadow IT issue. Shadow IT, or the connection of devices, services, apps, etc. to a company’s network without the company’s IT team being aware of it, is an inherent risk for any business. Malware from infected USB drives or errant clicks from a phishing email were cybersecurity issues even when everyone was in the office.
However, as employees use devices on external networks and–perhaps more importantly–mix work and personal computing habits (and accounts), the risk to organizations and their networks grows exponentially. As a result, WFH is a unique Shadow IT vulnerability.
However, as remote work becomes more desirable and acceptable, businesses can’t always simply demand workers only work in the relatively secure environment of an office or on-premises network. Instead, managers need to weigh the pros and cons of risk, educate their employees, and take proactive steps to secure their data and networks even as devices and access are spread globally.
Our partners at Netskope have put together a pragmatic guide for when to grant remote work to employees while still putting security at the forefront. Among other things, they cite discovery of user actions, access to cloud applications, forward proxy deployment, and inspection of cloud IT services through DLP as key thresholds that employees and IT professionals need to agree to before remote work can be considered truly safe.
As CISOs and IT managers can attest, there is no one way to completely secure a network. However, with multi-layered strategies covering company accountability, industry standards, and government compliance comes the need to be as secure as possible, which means Shadow IT is a blind spot that has to be considered even for the most entry-level positions.
Managers cannot singlehandedly prevent Shadow IT issues. However, as remote work continues to be a modern reality in most industries, it is team leaders’ responsibility to take nothing for granted when allowing company data, devices, and employees to work beyond the secure confines of an office.
In the same way that you wouldn’t allow someone to make unlimited spare keys to your home, managers should ensure that the doors they control are secure.