Employees using 'Shadow IT' systems fuels cyber risks for businesses

Secret use of programs like WhatsApp is putting businesses at risk of cyber attacks

Employees using 'Shadow IT' systems fuels cyber risks for businesses

With more employees than ever working from home, data security has become a top concern for business leaders.

Since the pandemic began, numerous high-profile employers such as Morgan Stanley have been targeted by hackers. For many companies, the move to cloud-based storage solutions has resulted in vulnerabilities to their security, giving hackers easy access to highly sensitive data.

But what about employees? The way a company’s workers use technology like laptops and mobile phones has huge ramifications on the wider security network. Speaking to HRD, Steven Wood, Director of Sales and Engineering at cybersecurity company Webroot, said the blurring of home and work boundaries has increased the use of so-called ‘shadow IT’ programs like WhatsApp that are being used without the IT department’s knowledge.

“The modern workplace has made it commonplace for individual teams to set up their own messaging channels without the knowledge of IT, and usually without malicious intent from the end user,” he said. “With 2 billion global users, WhatsApp is the biggest player in this space but there are many others. If users are unhappy with the experience their corporate-sanctioned applications provide, they will look elsewhere, which may lead them to circumvent IT procedures and practices.”

Read more: Flexible working: Is it given or is it earned?

If the IT department is left in the dark about which platforms and apps employees are using, it becomes far harder to prevent cyberattacks or quickly recover when they do happen. The IT staff will be left scrambling to find the weakness in the company’s security network, unaware that employees are inadvertently adding a whole new layer of risk.

So where do HR leaders come in to address the issue? While it may sound like a challenge for the CIO, Wood said education is the best line of defence. HR leaders and CIO should work together to deliver timely, accessible training to encourage good security practices, whether in the office or at home.

Starting with basic security principles is key, Wood said. That includes regular user education, multi-factor authentication, proactive threat detection and a solid backup and recovery plan. Strong, multi-layered approaches such as password policies and robust off-site back-up and endpoint plans can help mitigate risk and protect sensitive data.

“Together, CIOs and HR can influence the behavior of users to help prevent future occurrences and mitigate security risks. One way of doing this is working together to conduct training and phishing simulations to educate users, enabling them to be the first line of defence against a potential breach,” Wood said.

“As most organisations don’t have formal programmes in place to promote security awareness or train employees, the HR department can play a central role in ensuring end users are given the proper education and training leveraging existing learning management systems or training processes. Outside of training and education, HR can work together with CIOs to create policies and enforce them.”

Read more: Workplace COVID-19 vaccinations could begin in September

The use of shadow IT is already prevalent within many organisations, but employees may be unaware that by using a program like WhatsApp, they could be opening their business up to far greater risk. Combined with business changes like cloud storage, the pandemic has created a more complex landscape for IT departments working hard to protect their organisations from cyber attacks.

By making education the priority, rather than relying on restrictions, businesses are more likely to be successful in changing employee behaviour and encouraging safer practices. It also instils trust and a sense of responsibility to employees themselves, rather than leaving the security of the organisation down to the IT department alone.