How to Handle the Risks of BYOA/BYOD and Shadow IT

Are BYOD/BYOA rules and shadow IT putting your organization at risk? Find out how to tackle them better.

February 15, 2023


Shadow IT and bring-your-own-device (BYOD) to work have become an accepted part of today’s corporate culture. But, companies need to be wary of the insider risk that accompanies these tools designed to increase employee productivity, discusses Armaan Mahbod, director of security and business intelligence at DTEX Systems.

It’s a well-trod trope that the shift to hybrid work has extended companies’ security perimeter from being able to lock things down inside the firewall to having to meet employees’ needs whenever and wherever they are. Part of that extension includes how people view company-issued assets, like laptops. Until home offices became the norm, most employees, after being issued a company laptop, didn’t mess with the default settings set by the IT department.

That is no longer true. Recent research has shown a notable increase (55%) in employees using unsanctioned applications on company machines. People do this for several reasons. One is that, as they work from home and home life bleeds into work life, the apps they would normally keep separate on their personal machines are now used in home offices on work machines. Additionally, an explosion of applications, such as new browsers with interesting features or applications with persistent clipboards that enable information access across multiple devices, has improved the usability of work machines.

While the uptick in available tools has helped employees increase productivity, not all of this shadow IT from bring your own applications (BYOA) is benign. Unsanctioned applications that are not vetted and approved by corporate IT and security teams pose a major security risk for businesses. This is because these tools haven’t been tested thoroughly to determine whether they are susceptible to compromise or have particular functionality that enables an individual to steal IP from the business. Furthermore, many companies are still trying to figure out which apps they should allow and which they should ban, and they don’t have policies in place that tell employees which applications they can use or tell IT which apps to block. This gray zone creates what should be an unacceptable risk for most organizations.

The Dangers of Unsanctioned Apps

Most organizations block unsanctioned instant messaging apps, especially for compliance reasons, preferring applications that leave an auditable trail of things that were said. But companies aren’t as staunch about blocking external email programs, which can be an easy method for a malicious actor to exfiltrate sensitive data by simply copying something into the clipboard, tossing it in the email program’s draft folder, and retrieving it later on a personal device. 

Some users have taken to downloading less common third-party browsers. These browsers can contain encryption via a Tor package, making it easier for unscrupulous employees to purloin information if they’re considering leaving the organization for a different position. Additionally, workers who are concerned about the increasing pace of workforce reductions and scared their number will be called may want to exfiltrate documents that will help them in their next job. 

Perhaps the greatest danger to organizations comes from applications that have universal clipboards. In these apps, a person might use their business machine to put something on a clipboard to transfer it from one application to another for a job-related activity, but that information can also be accessed from home when they are on their personal machine using the same application. This is a security risk for a few reasons. 

Most people’s personal devices aren’t nearly as secure as their business machines are, and people are more relaxed about their security profiles while on their personal machines. Employees recognize that they have business-critical information on their employer-owned machines but aren’t as concerned about the information stored on their home machines. With employees who are careless, this information could fall into the wrong hands or be inadvertently exposed by a spouse who has access to the same device. For people who actually want to do bad things like exfiltrating information that they should not, these universal clipboards make it easy for them to appear to be involved in an activity that furthers the business’s objectives while actually engaging in a process that allows them to surreptitiously copy sensitive data.


Mitigating Risk

For the most part, people download applications to make their lives easier. They, by and large, bear no ill intent toward their employer. But regardless of an individual’s intent, companies need to take steps to manage this new source of risk, the shadow IT that comes from BYOA, and they need to do it while maximizing employee productivity and happiness.

To reduce insider risk, it is important for organizations to better define expectations, making it clear what applications can be downloaded and which are forbidden. Companies need to set policies that clearly articulate what types of applications can be downloaded onto a user’s machine. 

Suggestions for Vetting Shadow IT

Shadow IT apps can improve worker productivity and, if vetted properly, should not carry a security risk. 

To vet apps, IT should look at the company providing the application. Where is the company located, and does that company have a holistic security program in place? If a vulnerability is discovered in the code, historically, how quickly have they fixed it?

When looking at the application itself and how it could affect insider risk and threat, IT should ban tools that can perform research and reconnaissance across the network looking for open files, open shares or gaps in the corporate network. IT should also investigate whether the application has the capability to bypass or disable security controls. Does the application have built-in exfiltration capabilities like persistent clipboard history, FTP functionality or built-in file sharing?

Let Employees Make Suggestions

In addition to IT having clear guidelines about what may not be downloaded, it should create a system through which the workforce can point to the tools they want and ask the business to review those tools for potential security risks. This two-way communication stream will help improve both productivity and security.

As organizations can be very widespread with broad job roles and requirements, companies should allow employees to raise the need for more niche tooling if they believe their role benefits from the application. It is important to give individuals pathways to advocate for why an application is best for their job role. Over time this also provides IT and the business with insight into the tools that can maximize value for their business.

Let Them Download, But …

Like remote work, Shadow IT is here to stay. Employees have gotten used to customizing their machines to improve productivity. In some cases, nefarious individuals take advantage of this BYOA culture to exfiltrate information. Organizations need to have policies in place that vet applications users think will help maximize productivity. 

In a tight labor market where people can work from wherever they want, maximizing employee productivity and happiness are critical to a company’s bottom line. But that can’t be at the expense of security. Companies should understand the value add that these BYOA tools are bringing to the workflow of their employees, but they need to be mindful of the security implications.



Armaan Mahbod

Director, Security and Business Intelligence - Counter Insider Threat, C-InT , DTEX Systems

Armaan is an insider threat investigator who directs the research teams for DTEX Systems. With in-depth knowledge of procedures and processes for innovative and compliance driven organizations, he's a leader with expertise in human behavior analysis and its impact on internal and external threats.