COVID 19 and the explosion of Shadow IT

Published: 8th April 2020

For many organisations COVID 19 has forced their hand in the deployment of widescale remote working.  

We’re nearly a month on now, with many businesses having enabled a solution for remote working. IT departments have worked tirelessly to implement solutions in a very short time scale.  

Staff are now able to access critical data for their job, but are the tools provided enabling them to work as productively as they once did? 

As expected, we’re seeing an increase in adoption of tools such as Zoom and Dropbox. These products are being used by workforce’s despitein many cases not being approved by IT.  

This use of unapproved, unmanaged and in some cases insecure applications is commonly referred to as Shadow IT. 

Whilst Zoom may be a US based company, it transmits information through servers based in China and therefore is subject to Chinese data regulations. In addition, Zoom does not use typically accepted encryption methodThe ECB encryption utilised can still show outline detail of images and that’s even before an attempt to decrypt the data feed in its entirety.  

Both of these raise immediate alarm bells for companies that work with sensitive data. With the huge uptake in users of Zoom; this service has caught the attention of the wider security community with 2 major bugs highlighted by Patrick Wardle, a former NSA hacker in the past week.*

Personal Cloud storage products such as Dropbox can pose even greater risk to the business with company data residing out of the corporate network and the document control policies that have been set.  

With most businesses utilising Microsoft Office 365 in some capacity, why are users not utilising Microsoft Teams or OneDrive? 

For many companies Digital Transformation and Collaborative working have remained on their long-term agenda. Products such as Teams have therefore been overlooked, this might be because businesses simply haven’t enabled the product for end-users yet or staff aren’t trained on how to use the solution. 

Individual products vs Microsoft Office 365 services

Departments are typically looking at individual products to deliver functionality such as video conferencing rather than looking at the bigger the picture of using their Microsoft services to deliver a range of different functions.  

  • Zoom for video conferencing rather than Microsoft Teams 
  • Dropbox for cloud file sharing instead of OneDrive 
  • WhatsApp for instant messaging instead of Microsoft Teams 

For businesses that have invested in Office 365 the Microsoft services above are the obvious options for IT to ensure users are limited to a number of services: 

  • Reducing the load on IT Team 
  • Reducing security risks by reducing threat exposure 
  • Improving collaboration with all users utilising the same tool set 

The big question to ask now, is how can we limit services if we don’t know what they are and who’s using them? 

For companies that are licenced for Microsoft’s Azure AD Premium or Enterprise Mobility and Security have access to Microsoft Cloud App Security.  

Cloud Discovery analyses your traffic logs against Microsoft Cloud App Security’s cloud app catalogue of over 16,000 cloud apps. So even in the current situation this service could be run if users access systems over a VPN client. 

This tool will detail all applications in use by your staff and score them based on more than 80 risk factors to provide you with ongoing visibility into cloud use, Shadow IT, and the risk Shadow IT poses into your organisation. 

Now that your aware of the services in use, it is important that careful consideration is taken in moving users away from their application of choice.  Users have embraced digital transformation during this crisis and the concern is that penalising them once this comes to an end could push both productivity and moral down. The best way of facilitating this is through the use of user adoption training to show staff the value of using the products already on offer from the business. 

Find out more about how you can evolve your remote working strategy in our upcoming webinar

Register for webinar