Shadow IT: Security policies may be a problem

3 out of 4 workers use personal (and often unmanaged) phones and laptops for work and nearly half of companies let unmanaged devices access protected resources, a recent report by Kolide and Dimensional Research has revealed.

When asked why they use personal devices to do company work, the 334 IT, security and business professionals polled offered a variety of reasons, including three that show that many employees using them to get around their organization’s security policies.

The dangers of shadow IT

The prevalence of shadow IT in enterprise environments is a well established fact.

When the organization’s IT department refuses to sign off on a needed solution or they drag their feet when asked to approve it, workers in other departments are tempted to deploy it without the IT workers’ knowledge.

The problem is compounded by the widespread use of personal/unmanaged devices, as the IT department has no way of knowing what’s happening on them, whether they are regularly patched/upgraded or whether they have been compromised.

“When engineers do production-level work on personal devices, an organization’s risk of a breach skyrockets. A bad actor can use a security flaw in an unmanaged device to break into the production environment, as in the LastPass breach. Even a simple smash-and-grab of a laptop can turn into a nightmare if that laptop is full of PII, and IT has no way to remotely wipe it,” Kolide researchers noted.

Employees shouldn’t be blamed for flawed security policies

Workers use their personal devices for work to (among other things) access websites and applications that have been restricted by the IT department, and because getting through security measures is frustrating.

This, and the fact that only 47% of the pollees said that they always follow all the cybersecurity policies, shows that the security policies in place are not working for all.

“Unfortunately, we don’t have data on which specific policies respondents felt justified in going around, but we can make two inferences from this response: Any security policy that workers can ignore at will does not have adequate safeguards around it, and if workers who generally try to follow the rules ignore a security policy, either they don’t understand the risks associated with a specific behavior, or the policy itself is flawed,” the researchers said.

Employers and workers need more open, honest dialogue about security, they pointed out. Security and IT professionals must make an effort to understand why workers feel they have to go around policies.

Finally, the results of the survey also debunk the myth that security training is useless and a despised nuisance.

“In the strongest data point of our survey, 96% of workers (across teams and seniority) reported that training was either helpful, or would be helpful if it were better designed. The message here is that people want to be educated on how to behave safely,” the researchers concluded.

Source: https://www.helpnetsecurity.com/2023/09/20/shadow-it-security-policies/