PHOTO: Rene Bohmer on Unsplash.

For many employees, bring your own device (BYOD) to work has become commonplace. Employees regularly access work-related software and information from a range of personal devices, from phones and tablets to personal computers.

The rise of remote working added extra emphasis to the trend. In many cases, companies have implemented policies that allow employees to bring their own devices and connect them to the corporate network.

Typically in enterprise businesses, the IT department is responsible for evaluating and approving devices and software before employees are allowed to use them. This frustrates some employees, who feel that approved devices and software have limitations and feel compelled to bring in their own unapproved devices or install software on company devices, often without IT's knowledge or approval. Some examples include team-based use of productivity apps like Slack, Asana or Zoom, messaging apps like WhatsApp and Snapchat, physical devices such as external drives or thumb drives, cloud storage via Box or Dropbox, and communication apps like Telegram and Skype. 

But the rising tide of bring-your-own software, applications, cloud services and storage in the enterprise has some IT departments concerned about security. What's happening is the creation of a shadow IT system filled with applications and devices installed by employees without approval. With that reality in mind, it's time to re-evaluate the benefits and risks of BYOD.

Remote Work and BYOD

Rachel Bush, director of cyber security incident response at Nationwide, said that while most of the world was focused on COVID and enabling remote work, others were focused on taking advantage of the situation to commit cyber crimes.

“There were a number of companies who rushed into BYOD models without adequate advance preparation," she said. "Unfortunately, we’re also seeing threat actors take advantage of lax security controls. 2020 has brought a huge rise in ransomware attacks, most of them leveraging phishing to gain an initial foothold to a single compromised endpoint. Many of these phishing campaigns have leveraged the pandemic as a subject matter to get the initial click out to a malicious site for payload distribution or credential harvesting.”

For many enterprises, the cat is out of the IT bag, so the focus has shifted to how best to manage the situation. Shadow IT is going to be a way of life going forward as organizations realize the benefits, said Asanka Abeysinghe, chief technology evangelist at WSO2. "As enterprise IT expenditures will continue to occur outside of corporate budgets in the coming years, the solution to shadow IT and the rapid growth of BYOD will be empowered IT and mobile device management," he said.

A report from Gartner suggests that businesses are embracing shadow IT to reduce content sprawl and improve their resilience after the pandemic ends. According to a recent survey from Bitglass, 76% of businesses have BYOD policies for their employees, as they believe it increases employee mobility, organizational flexibility, efficiency and collaboration. Those businesses that supported BYOD before the COVID-19 pandemic were much better prepared to move to a fully remote workforce.

James Ford, chief evangelist and commercial lead at Intact, said shadow IT is inevitable due to the impact of COVID-19. Businesses have been forced to adopt a BYOD policy to enable their workforces to operate from home. But that doesn't mean giving up control.

"It should be said that even though members of the workforce need to use their own devices, they do not have to use their own ungoverned applications to carry out their work," he said. "In fact, IT teams should proactively look to implement cloud solutions which enable workers to securely access and work with company data. A properly implemented cloud solution will provide IT teams with centralized and connected security for all business applications the worker is authorized to access."


The Benefits of Shadow IT and BYOD

Shadow IT increases productivity, drives user adoption, provides a better user experience and allows employees to perform faster and more efficiently, Abeysinghe said. "It also opens the door for employees to create their own innovative solutions as well as rapid application development, which is essential for agile or digitally driven organizations,” he said.

Entrust Datacard recently surveyed 1,000 IT professionals and found that 77% believe their organizations could gain a competitive advantage by embracing shadow IT solutions. Nearly half of employees who use their preferred technologies felt more productive and 45% felt more engaged. Surprisingly, 40% of those surveyed said that they were more likely to remain with a company that supported their choice of technology, and 40% were also more likely to adhere to IT security requirements.

Matt Modlin, managing delivery architect at Capgemini North American Cloud and Edge Center of Excellence, said the issue with shadow IT isn’t whether to allow it as much as being able to recognize it and mitigate the security risk.

“Shadow IT is born out of human desire for more enjoyable and easier experiences and an employee user experience with IT is no exception, but employees often do not know or realize the security risks posed by shadow IT and the consequences that can result," he said. "It is likely that almost every business has shadow IT to some degree, especially with the expansion of work from home and remote IT, the march toward cloud services and proliferation of IoT and other endpoint devices."

Embracing shadow IT brings advantages to businesses in a fast moving environment. It can allow a business to move faster to market, especially if its centralized IT function isn’t well adapted to meeting the needs of the business quickly, Nationwide's Bush said.

"If a business sees its competitors really changing the landscape with new services or products and can’t leverage its centralized IT to deliver a competitive product in a reasonable amount of time, shadow IT may become the only option to remain relevant," she said. "Too much red tape and bureaucracy without adequate attention to the needs of the business can unfortunately drive shadow IT.”

An effective BYOD policy also increases employee engagement because of the flexibility it brings. “Don’t care for the corporate equipment? Bring your own! Don’t want to carry a second phone so you can be on call? Use your own phone for both! It can also bring cost savings for the business, and help with scalability,” Bush said.

“Companies with a BYOD model already in place had less complexity to deal with when shifting to a work-from-home setting during the pandemic. They were already used to a variety of endpoints connecting remotely and they didn’t have to deal with large-scale provisioning of new equipment to enable a remote workforce,” she added.


Zero Trust and Shadow IT

Shadow IT can pose a risk to organizations as they migrate data and IP without proper governance, which can lead to security and non-compliance issues, Abeysinghe said. Storing and using data in unmanaged storage centers can also result in lost data, limited usability across employees and customers, and even duplicate data across business units.

The Bitglass report indicated that when it comes to BYOD and shadow IT, 61% of businesses are worried about data leakage, 53% are concerned about unauthorized data access, and 51% are worried that malware could infect unmanaged devices. These are legitimate concerns and businesses need to implement solutions that mitigate those risks. A recent Forbes Insights survey indicated that 20% of businesses surveyed have experienced a security breach due to an unsanctioned IT resource. 

“Regardless of the device and where it is located, businesses should focus on ensuring they have a vendor-agnostic, zero-trust security governance, risk and compliance model,” said Modlin. “This will establish the needed standards, policies and security controls to lessen enterprise risk. It can be accomplished with protective controls around the most common attack vectors (network, device, identity, data, applications)."

"The question then becomes: Does the business have enough visibility into shadow IT to manage it? By not knowing what’s in your environment, you’re not updating, patching, protecting, monitoring nor auditing all of the devices and services in your environment, and instead, are putting them all at risk.”

Zero trust policies, based on the principle of “never trust, always verify,” protect businesses by using threat prevention. The concept was developed by John Kindervag while he was vice president and principal analyst for Forrester Research based on his belief that traditional security models operate on the outdated assumption that if a device or software resided inside a business' network, it should be trusted.

“BYOD definitely carries risk," Bush said. "You’re essentially creating an environment where the endpoint is meaningless to your security. To do that well, you need to excel at protecting data at rest and in transit. You also need strong identity and access management."

"Zero-trust security is the goal. Most companies aren’t quite there yet. The last thing you want is an endpoint that lacks strong security controls or monitoring along with the ability to pull down copies of sensitive corporate data to a local drive. That’s a recipe for disaster."

BYOD is certain to grow in popularity because of the flexibility, scalability and engagement it brings, Bush said, and companies need to protect data, manage identities and access, and implement zero trust. When that's done, which endpoint is used for access becomes irrelevant.


Threat Detection and Management in a Shadow IT Environment 

Shadow IT, by its very name, is technology that IT is largely unaware of. This presents a problem when it comes to detecting threats, Bush said.

“The foundation of IT service management and security incident handling is strong IT asset management," she said. "It’s hard to secure technology you’re not even aware of, let alone monitor it for anomalous or malicious activity, or be prepared to contain a threat if it materializes."

Containment depends on an IT department's ability to detect a threat and having visibility into the system. "When shadow IT is deployed, it’s often not done with the level of maturity that would be required to maintain appropriate security and keep vulnerabilities out of the environment," Bush said. "It’s definitely possible to federate IT and put decision authority for technology into the hands of the business, but doing it securely still depends on centralized governance and processes to enable the tracking and management of risk.”

While there are upsides to both shadow IT and BYOD, there are also substantial risks and challenges, said David Levine, vice president of corporate and information security, and chief security officer at Ricoh USA, Inc. "By definition, shadow IT is happening outside of governance of IT and security — and likely legal and procurement departments, as well," he said.

Levine said potential issues include:

  • Lack of appropriate contract terms and conditions: This puts the company at risk for financial exposure, litigation, regulatory fines, security and privacy.
  • Vulnerability to breach or downtime: IT and security’s lack of involvement in configuring, securing, patching and maintaining equipment, solutions and services creates weak spots.  

“With BYOD, the company does not own the device, so getting an employee to both understand and comply with what is necessary for them to safely use the device for corporate purposes can be a significant challenge,” Levine said. “As with shadow IT, configuration, patching and security controls all have to be managed and maintained. Determining how that’s done with employees’ own devices in a way that is acceptable to employees, who are frequently concerned about privacy, can be difficult at best."

If you have a finite number of corporate-provided devices, smart, secured BYOD support is manageable, he said. "That said, supporting every possible device out there at large scale is near impossible,” he added.

Levine suggested the best way to enable it relatively seamlessly is to use virtual desktop technology so company data never actually sits on the endpoint device.

Mitigate Risk With Technology

Being proactive and aware of how shadow IT is being used in a business puts companies in a better position to mitigate risks. Abeysinghe recommended taking strategic measures to reduce the associated risk. Self-service digital platforms such as application platform as a service (APaaS) or enterprise integration platform as a service (EIPaaS) allow organizations to enforce empowered IT and increase agility. Identity and access management solutions that leverage multi-factor authentication and identity analytics can make sure data stays secure while remaining user friendly.

"Technology that enables proactive discovery can allow organizations to mitigate the security risks of shadow IT faster and continuously,” Bush said. “Additionally, constant communication and collaboration between developers and IT teams can reduce the bottlenecks around speed and flexibility often brought forth by shadow IT. By adopting these approaches, enterprises can ensure that user productivity and innovation are easy, convenient and effective.”
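The proactive discovery Bush describes usually starts with data the organization already has: web-proxy or DNS logs compared against the list of applications IT has sanctioned. The following script is an added illustration, not code from the article or from any of the vendors quoted; the log format (timestamp, user, destination host, bytes sent), the sanctioned-domain list and the log lines are all constructed for the example.

```python
"""Added example: a minimal shadow-IT discovery pass over web-proxy logs.

Assumptions (not from the article): logs are space-separated with the fields
  timestamp user dest_host bytes_out
and the organization maintains an allowlist of sanctioned SaaS domains.
Both the allowlist and the log lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sanctioned-application list (hypothetical; in practice this
# would come from the asset inventory, CMDB or CASB configuration).
SANCTIONED_DOMAINS = {
    "teams.microsoft.com",
    "sharepoint.com",
    "slack.com",
}

# Constructed sample proxy log lines with hypothetical users and hosts.
# One deliberately malformed line checks that the parser skips bad input.
SAMPLE_LOG = """\
2020-09-14T09:01:12Z alice teams.microsoft.com 2048
2020-09-14T09:03:44Z alice files.dropbox.com 52428800
2020-09-14T09:05:02Z bob files.dropbox.com 10485760
2020-09-14T09:07:19Z carol api.trello.com 4096
2020-09-14T09:08:30Z dave contoso.sharepoint.com 8192
2020-09-14T09:09:01Z erin files.dropbox.com 1048576
malformed line here
"""


@dataclass
class Finding:
    domain: str      # unsanctioned destination host
    users: int       # distinct users seen talking to it
    bytes_out: int   # total bytes sent to it (data-leakage indicator)


def is_sanctioned(host: str) -> bool:
    """True if host equals, or is a subdomain of, a sanctioned domain."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)


def parse_line(line: str):
    """Parse one log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, host, nbytes = parts
    try:
        return ts, user, host.lower(), int(nbytes)
    except ValueError:
        return None


def discover_unsanctioned(log_text: str, min_users: int = 1,
                          min_bytes: int = 0) -> list:
    """Aggregate traffic to non-sanctioned hosts by user count and volume.

    Hosts are reported only when at least min_users distinct users reached
    them and at least min_bytes were sent, so one-off visits can be
    filtered out; results are ordered by breadth of use, then by volume.
    """
    users = defaultdict(set)
    volume = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, user, host, nbytes = rec
        if is_sanctioned(host):
            continue
        users[host].add(user)
        volume[host] += nbytes
    findings = [Finding(h, len(users[h]), volume[h]) for h in users
                if len(users[h]) >= min_users and volume[h] >= min_bytes]
    findings.sort(key=lambda f: (-f.users, -f.bytes_out, f.domain))
    return findings


if __name__ == "__main__":
    for f in discover_unsanctioned(SAMPLE_LOG):
        print(f"{f.domain:24s} users={f.users:3d} bytes_out={f.bytes_out}")
```

Run against the constructed log, the script reports files.dropbox.com (three users, roughly 61 MB sent) ahead of api.trello.com (one user), while contoso.sharepoint.com is suppressed because it falls under a sanctioned domain. In a real deployment the output feeds the asset inventory Bush calls the foundation of incident handling: each unsanctioned host becomes either a sanctioned, governed service or a blocked one.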

A cloud-based solution provides security and access control for business applications and alleviates the need for shadow IT, Ford said.

“If these measures are not taken, IT teams could find the effects of shadow IT to be catastrophic," he said. "If workers are unable to access the applications/files they depended on from their office computer, they’ll search for their own solutions to get their work done, taking the company data outside of company control. If the data is out of the company’s control, it resides on uncontrolled security services, where potential hacks could be left undetected and unreported."

"Once you apply this outcome to every worker operating remotely, it is feasible that a company’s data could be located in hundreds of shadow IT applications, all with different and disconnected security services.” 

Shadow IT and BYOD are not going away after the pandemic ends and are likely to remain part of the enterprise environment. Done right, BYOD can increase employee engagement and enable a company to be more flexible and resilient. The existence of shadow IT, on the other hand, is an indication that the needs of employees are not being met by IT.

“Ideally, if your end users have the tools they need and are adequately trained on those tools, then there won’t be any shadow IT," Levine said. "Put another way, if shadow IT grows it’s indicative of a failure; if you control it, it’s no longer shadow IT.”