BW Security World

Shadow IT: A Curious Case Of Data Mismanagement



A report by Kolide and Dimensional Research found that around 75 per cent of workers use personal phones and laptops for work purposes. Nearly 50 per cent of the surveyed companies allow these unmanaged devices to access protected resources, raising concerns about cybersecurity in the workplace.

The survey, which included 334 responses from IT, security, and business professionals, shed light on the reasons behind this trend. Many employees cited the IT department's delays or refusals to approve needed solutions, which led them to deploy unauthorised tools without IT's knowledge. This practice, known as shadow IT, poses a serious threat to organisational security, particularly when coupled with the widespread use of personal devices.

Kolide researchers emphasised the heightened risk of breaches when production-level work is conducted on personal devices. Security flaws in unmanaged devices can be exploited by malicious actors, as demonstrated in the infamous LastPass breach that occurred in March 2023. Moreover, the loss or theft of a personal device containing sensitive information can escalate, especially if there is no way to wipe it.

“When engineers do production-level work on personal devices, an organisation’s risk of a breach skyrockets. A bad actor can use a security flaw in an unmanaged device to break into the production environment, as in the LastPass breach. Even a simple mismanagement of a laptop can turn into an unavoidable risk if that laptop is full of Personal Identifiable Data, and IT has no way to remotely wipe it,” Kolide researchers noted.

The report also highlighted a discrepancy in existing security policies, with only 47 per cent of respondents claiming to always follow them. This suggests that current policies may not effectively address employees’ needs or adequately mitigate risks. Researchers highlighted the need for dialogue between employers and workers to better understand the reasons behind the organisation's IT policies.

The survey also concluded that security training is ineffective and needs increased diligence. An overwhelming 96 per cent of respondents expressed a desire for improved training, indicating a genuine interest in learning safe behaviours.

The widespread use of personal devices for work purposes underscores the need for organisations to reassess their security policies and invest in comprehensive training programs. By fostering open communication and addressing employee concerns, businesses can better safeguard their sensitive data and mitigate the risks associated with shadow IT.
