Why Educating Employees is Key to Preventing the Risk of Shadow IT

Picture this: a senior executive is on a tight deadline and needs to submit a proposal to a key prospect within minutes. However, the file is large, their emails are bouncing back and the clock is ticking. So what happens next? As is all too common, the file is uploaded to a consumer cloud storage provider and then shared through their platform. Sound familiar?

Some employees might read this and agree they would have done the same. After all, the proposal needed to be submitted and the employee found a solution.

However, they may not have considered how this risked the theft of their organization’s property.

Recent research – commissioned by Citrix and carried out by Censuswide – revealed that a significant proportion of workers care less about the security of their organization’s files than their own. For example, nearly half of workers (45%) admitted they use passwords to protect their personal files but only a third (35%) do the same for work. What’s more, 68% claimed they dispose of and shred unwanted personal documents, compared to just two in five (40%) in the office. Finally, only around half of workers (54%) claimed they immediately delete suspicious-looking emails received at work.

From IT’s perspective, these statistics are potentially alarming. Yet, 90% of the same workers said they believe data protection is important for their company. So why aren’t staff practicing what they preach when it comes to data security?

Sometimes it can be hard to understand and identify the cause of staff behavior. Often though, it comes down to convenience. People generally want to succeed at work and the example above shows they will innovate in order to get the job done, but in doing so they can inadvertently put company data at risk.

The Online Trust Alliance (OTA) analyzed over 1000 data breaches from 2014 and concluded that as many as 90% of them could have been easily prevented. Studying data breaches that involved the loss of personally identifiable information, it found that those breaches could be attributed to one of four causes: 40% by external intrusions; nearly a third (29%) by employees, either accidentally or maliciously; 18% by lost or stolen devices or documents; and over one in ten (11%) by social engineering or fraud.

So how can we, as the IT department, prevent staff from behaving in a way that could put data at risk? For me, this requires a three-pronged approach:

Invest in technology: give staff secure tools that are easy to use, so they remain productive and efficient. That way, people are less likely to ‘go rogue with shadow IT’ and risk data vulnerabilities. Providing secure and seamless delivery of apps and data is the best way to ensure staff keep data safe at work. However, investing in technology is only the first step.

Improve internal education: it’s simple – staff need to know where to find the right tools, and what to do when they get stuck. Just provide an internal web page with a one-page list of enterprise services – e.g. ‘to do that, use this’ – and a cheat sheet for each service. There are two reasons why most organizations try but fail here. One, the information isn’t kept up to date. Be rigorous about this. Two, success attracts hangers-on. Before long, every department will want to add their latest corporate news to your popular page. Fight them off; this is about staff getting their job done, and keeping them on the safe path – nothing else.

Provide a safeguard: lost and stolen devices can put corporate data at risk. However, investing in services, such as mobile device management, enables organizations to manage and control mobile devices used to access resources. This technology provides a safeguard to organizations – ensuring that data is stored securely in the cloud, malicious apps are made inaccessible to employees and intruders are unable to access a missing device.

Attack vectors are changing, cyber-attackers are becoming increasingly sophisticated and corporate data is more at risk than ever. By placing a focus on educating staff about protecting information – underpinned by the secure delivery of data and apps across all platforms – enterprises will take a large step towards keeping the hackers out.
