Rogue applications at work – do you rein them in, stamp them out, or put policy around them?

Daniel Hayes, Head of Cyber Security

Why people use rogue applications for work – and what to do about it.

Let me know if this sounds familiar: employees in your business are circumventing IT policies and installing their own applications onto their devices or the corporate network. With so many of us working remotely because of COVID-19, the issue has become a significant one for organisations of all sizes. If yes, you’re officially part of the Shadow IT club.

In a recent survey, a whopping 80% of workers admitted to using SaaS applications at work without getting approval from their IT department.¹ 25% of workers also said they were using several unapproved tools outside of the official IT policy.²

And worryingly, 61% of CIOs said they’re seeing an increase in risks due to the use of non-enterprise devices and software as more people work remotely.³

Why do people go rogue?

Even though it sounds horribly sinister, shadow IT is not generally done with bad intentions. More often than not, it’s a result of employees wanting to find a way to work faster or more effectively than their other corporate applications permit them to. It may sometimes be the result of having an IT team that’s too slow to respond to requests or a situation where employees feel they simply cannot get their job done with the tools they have at hand.

Of course, sometimes, employees simply aren’t aware of their company’s IT policies, or that there is an existing application that will do the same thing as a non-authorised application they are about to install.

Why is it problematic?

While individual applications themselves may not technically pose a problem, there are several unfortunate consequences of shadow IT.

These can include:

  • Security risks: Because these applications sit outside the organisation’s corporate security framework, and are therefore not controlled by the IT department, they may have undesirable traits which make them a security risk. Essentially, this means corporate data is likely to be stored in, or transmitted to and from, uncontrolled locations. I’ve also written about the risks associated with borderless working here.
  • Maintenance and visibility issues: IT can’t maintain and update applications that they’re simply not aware of, or which aren’t officially approved by the business. As a result, security and governance issues can quickly appear.
  • Lack of integration: In the majority of cases, applications that are installed by individual users don’t integrate with the other applications and systems that the employee uses on a daily basis, and inefficiencies can therefore grow. For instance, if the business uses Microsoft 365 and Teams for chat, but certain employees are using WhatsApp, they’re unable to easily share files or link material. Over time, and multiplied by many users, this can become a significant issue.
  • Lack of centralised data: Similarly, if a wide range of different applications are being used, there’s no central and reliable store of data, which means opportunities for efficiency and consistency are missed.

What can be done?

Perhaps most obviously, businesses need to educate employees regarding their company security policies and what is required of them. Adherence to security policies needs to be an intrinsic part of the company and employee culture.

Providing robust IT support is also critical in avoiding shadow IT. If there is an effective line of support available, employees will be far less likely to take matters into their own hands.

Also, IT teams need greater visibility and insight regarding what’s happening on their network, and where. Too often, IT teams simply don’t have any insight when a new application or solution is implemented, which is fraught with risk. There are a number of tools available to help teams identify when inappropriate or unsanctioned platforms are in use. IT teams should review the options and deploy the most relevant for their environment.

In an ideal world, all employees should be provided with modern, up-to-date hardware and software so that they can do their job without requiring any new tools of their own, but this isn’t always possible from a budget perspective. Employees may have very specific preferences regarding the types of devices they use, and the applications they install on them, and not meeting these preferences may impact their ability to work effectively.

Ultimately, tackling shadow IT comes down to the board and senior leadership teams, who need to put feasible and sound policies in place. People are like water and will always find the easiest way around a barrier, so policies need to be flexible and realistic. Once policies are in place, employees need to receive training and education, so they’re fully aware of their rights and responsibilities – especially when working from home.

Talk to the IT Security Experts

If you want to learn more about overcoming the issue of shadow IT in your business, don’t hesitate to get in touch.

