Tech choices: Balancing popularity with what's right strategically and operationally to secure the enterprise

The scale and speed of the shift to home working and online collaboration during the pandemic have put a strain on IT departments.

Even many that were a long way into their journeys to adopting cloud platforms, mobility, and collaboration tools have faced the hardware challenges of getting laptops or tablets to employees en masse, or ensuring that the right applications are installed on them.

Others have had to ensure that identification and authentication are properly handled at scale as the IT perimeter widens to include insecure home wifi systems.

However, one of the hidden challenges for IT leaders in managing the organisation's pandemic response has been the growth of unsanctioned apps, tools, and platforms - so-called shadow IT.

Computing interviews with CIOs and IT managers since the crisis began have often revealed the uphill battle that some have faced in scaling up official channels.

For example, some have found that licensing limits, VPN limitations, or server capacity have meant that they are unable to use their preferred enterprise tools at scale to enable home working or video collaboration.

As a result, employees have often opted for the popular tools and platforms whose adoption became a viral behaviour in the early days of the crisis.

Their actions were completely understandable: in 2020, peer pressure and the widespread use of apps by friends and family members meant that those technologies were installed, familiar, and had swiftly become part of everyday life.

However, their usage may not have been officially sanctioned by the IT department, and may not always have been in line with company policy or data protection needs.

The challenge facing IT leaders, therefore, has been to balance the use of popular tools that get the job done, keep people talking, and allow business to continue, with the need for tools to interoperate with enterprise systems and security practices.

IT managers don't want to be seen to stamp out the use of unsanctioned apps when they are so popular, especially if replacing them leaves employees grappling with apps that are less easy to use, perhaps, or running on infrastructures that might be struggling under the extra workload.

Last year, one CIO in a major local authority told Computing of his struggles when scaling up the officially sanctioned enterprise communications/collaboration platform. "Like a lot of our remote infrastructure, it wasn't built for the load once everybody started working from home. Quality of calls was causing problems," he said.

"You've got to appreciate that once you put such a load onto an IT system, the problems start surfacing. All the things you ignored because they weren't an issue when you were running at 50 percent [remote working] rather than 90 percent.

"For example, it showed the cracks in the VPN. Things that we would never have seen if we weren't hitting really high percentages on the network. Unfortunately, we were also moving providers for our wide-area network. None of us saw this coming. We plugged our way through it, but operationally it was difficult."

While all that was going on, many employees opted to use popular cloud apps instead, he said, compromising the official channels.

It is hardly a surprise that in such an environment many employees default to using the same popular apps as their friends and family, more often than not in public clouds and over insecure networks. But when this happens it can cause security risks, especially if employees fail to be rigorous in obeying official guidelines.

So how big a problem has shadow IT been? A Computing survey of 150 leaders during the pandemic found that ensuring that remote workers follow security protocols and processes has been a problem for many: 55 percent of respondents.

The increased vulnerability of remote workers was cited by half of IT leaders, while the wider attack surface/perimeter and the associated problems of device management, patching, and communication were each identified by over one-third of respondents.

Shadow IT itself was seen as a core challenge by 34 percent of IT leaders, with nearly one-quarter of respondents mentioning a mix of different security tools and approaches as the organisation made the difficult transition to remote work at scale.

Regulatory compliance was lurking in the responses too - identified by one-fifth of IT leaders. Other factors include: tracking and managing cloud assets; the fragmented response to incidents by a physically separated security team; insecure networks; and inadequate backup and recovery systems.

This is why IT leaders need to balance popularity with strategic and operational need.

Security is always the underlying issue, found Computing. Moving from a central office environment to a dispersed one has widened the attack surface for many businesses.

Organised criminals and opportunistic hackers have certainly used the pandemic to deploy new social engineering techniques, some of which exploit this more lax environment.

Technical solutions play a vital role in maintaining cybersecurity, but the social, organisational, and human factors are just as important. Organisations must look beyond their traditional perimeters, and work together - just as criminals are doing - to ensure a safe, secure internet.

The conclusion is that popular doesn't always mean secure. Organisations should beware of abandoning common sense in a quest to keep staff happy and productive.

It's a tough call to make, but a sensible one as we all move past the reactive stage of the crisis and into the more proactive, planned, and strategic one.
