Companies, especially VSEs / SMEs, were not all ready to switch to telework during the first lockdown. Many of them were therefore catching up during the third and fourth quarters of 2020 by providing laptops to their employees.
Such an investment is not painless for cash reserves that are already strained. As a result, Shadow IT has been able to grow. As a reminder, this term designates the use of personal devices and applications outside the governance of the IT department.
Security awareness to reduce risk
Shadow IT can thus lead employees to circumvent security policies, increasing security risks. According to a NinjaRMM study of 800 teleworkers in the EMEA zone, 36% of them had equipped themselves, at their own expense, with digital equipment and tools.
In addition, 41% of them admit having to bypass their company’s security policies to do their job. Finally, 18% of the employees surveyed declare personal use of their professional tools. All of these practices are likely to expose the company to an attack. Should Shadow IT therefore be banned?
If employees have only their personal devices to work with, that is unthinkable. This practice should therefore be made as secure as possible. This requires, in particular, training and security awareness, which also apply to a fleet of company PCs.
To help VSEs and SMEs, ANSSI, the French national cybersecurity agency, provides employers with numerous resources, including guides and videos. This toolbox will help them inform employees about the challenges of digital security as well as the first steps to take, including at home.
Employees who are aware of the risks will adopt safer behaviors. They must therefore be made aware of the need to update their applications, reducing the risk of compromising the device and then, in turn, the company’s network.
Strengthen access control for BYOD
Security training is an essential step, but it is not sufficient. It must be coupled with additional protective measures. Deploying strong authentication is increasingly imperative, including for Shadow IT access to cloud services such as file storage. This authentication can also be reinforced when access comes from a personal device, as it is in a zero trust approach.
The compromise of customer data hosted on such a service would constitute a breach of the GDPR. Even if this use is beyond the company’s control, the company remains responsible for it. It is nevertheless preferable to keep the data in a single space controlled by the IT department, for security reasons but also for backup. In either case, strong authentication will reduce the risk of data leaks.
Another measure to implement: compartmentalize professional and personal use through a security bubble. The more the uses and users of the same personal computer multiply, the more the risks increase. Employees must, where possible, limit the use of the computer they work on. This is not always possible. Preferably, the employee will connect to a virtual workstation or a remote desktop.
To reduce the risks, the remote connection will also be made conditional on access control, an analysis of the device’s compliance (up-to-date OS, antivirus enabled, etc.), or the implementation of communication encryption (VPN). In all cases, the CNIL recommends “making the use of personal equipment subject to prior authorization from the network administrator and/or the employer”.
By requiring this prior declaration, the IT department gains visibility of the devices connecting to the network and its resources. Personal devices can in this way be governed via an MDM (Mobile Device Management) solution, allowing security policies to be applied.
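A conditional-access decision of the kind described above, combining the device compliance check (OS version, antivirus) with stronger authentication for personal devices, written as an added Python example that is not code from the article, ANSSI or the CNIL. The posture attributes (managed_by_mdm, antivirus_enabled, mfa_completed), the minimum OS versions and the policy rules are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after strong (multi-factor) authentication
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """Compliance report for one connecting device (hypothetical schema)."""
    device_id: str
    managed_by_mdm: bool          # enrolled in the company MDM, i.e. not Shadow IT
    os_name: str                  # "windows", "macos" or "linux"
    os_version: Tuple[int, ...]   # e.g. (10, 0, 19041)
    antivirus_enabled: bool
    mfa_completed: bool           # user already passed strong authentication


# Minimum OS versions the policy accepts. Constructed sample values for the
# example, not recommendations from the article or from ANSSI/CNIL.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "windows": (10, 0, 19041),
    "macos": (11, 0, 0),
    "linux": (5, 4, 0),
}


def is_compliant(posture: DevicePosture) -> Tuple[bool, str]:
    """Check the device against the baseline: known, up-to-date OS and antivirus on."""
    minimum = MIN_OS_VERSION.get(posture.os_name.lower())
    if minimum is None:
        return False, f"unknown OS '{posture.os_name}'"
    if posture.os_version < minimum:
        return False, f"OS {posture.os_version} older than minimum {minimum}"
    if not posture.antivirus_enabled:
        return False, "antivirus disabled"
    return True, "compliant"


def evaluate_access(posture: DevicePosture, resource_sensitivity: str) -> Tuple[Decision, str]:
    """Decide whether a remote connection may proceed.

    resource_sensitivity is "normal" or "high" (e.g. customer data under GDPR).
    Policy (an assumption for this example):
      * non-compliant devices are refused, managed or not;
      * managed devices reach normal resources directly and high ones after MFA;
      * personal (unmanaged) devices always need MFA and never reach high
        resources, which stay in the space controlled by the IT department.
    """
    ok, reason = is_compliant(posture)
    if not ok:
        return Decision.DENY, f"non-compliant device: {reason}"
    if posture.managed_by_mdm:
        if resource_sensitivity == "high" and not posture.mfa_completed:
            return Decision.STEP_UP, "managed device, sensitive resource: MFA required"
        return Decision.ALLOW, "managed, compliant device"
    # Personal device outside IT governance (Shadow IT).
    if resource_sensitivity == "high":
        return Decision.DENY, "personal device may not access sensitive resources"
    if not posture.mfa_completed:
        return Decision.STEP_UP, "personal device: MFA required before access"
    return Decision.ALLOW, "personal device, compliant, MFA completed"


def audit_line(posture: DevicePosture, resource: str, sensitivity: str) -> str:
    """Render a one-line audit record so the IT department keeps visibility of decisions."""
    decision, reason = evaluate_access(posture, sensitivity)
    kind = "managed" if posture.managed_by_mdm else "personal"
    return f"{posture.device_id} ({kind}) -> {resource}: {decision.value} [{reason}]"


if __name__ == "__main__":
    # Constructed sample reports, not real devices.
    samples = [
        (DevicePosture("LT-001", True, "windows", (10, 0, 19042), True, False), "intranet", "normal"),
        (DevicePosture("LT-001", True, "windows", (10, 0, 19042), True, False), "crm", "high"),
        (DevicePosture("HOME-PC", False, "macos", (12, 3, 1), True, False), "file-share", "normal"),
        (DevicePosture("HOME-PC", False, "macos", (12, 3, 1), True, False), "crm", "high"),
        (DevicePosture("LT-002", True, "windows", (10, 0, 18363), True, True), "intranet", "normal"),
    ]
    for posture, resource, sensitivity in samples:
        print(audit_line(posture, resource, sensitivity))
```

The check runs before any identity decision, so an out-of-date or unprotected device is refused even when the user can authenticate, and a personal device only ever reaches normal resources after strong authentication; the audit line is what gives the IT department the visibility the CNIL recommendation aims at.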