Ride the Lightning
Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.
Employees Go Around Your IT Security to Do Their Jobs
September 14, 2021
TechRepublic reported in July on a very common cybersecurity threat – employees who “go around” your IT security.
Cybersecurity company Hysolate published a report titled “The Enterprise Security Paradox: Simultaneous Calls for Increased IT Freedom and More Stringent IT Security” highlighting challenges associated with enabling IT freedoms while ensuring tight security procedures. The findings detail a complex balancing act between IT teams and network users. This is particularly difficult when so many employees work remotely and virtually collaborate via many digital solutions.
“COVID-19 has exacerbated things significantly because the need to collaborate remotely has significantly increased. The typical collaboration tools (shared documents, video conferencing, chat, etc.) are often blocked by corporate IT restrictions, which is hampering such collaboration,” said Marc Gaffan, CEO at Hysolate.
Overall, the Hysolate survey found that virtually all employees (93%) “are working around IT restrictions,” and a mere 7% said they were “satisfied with their corporate IT restrictions.” Interestingly, these figures do not match the expectations of security leaders and IT respondents. For example, security leaders believed 43% of users are “in most cases working around IT restrictions” and IT respondents believed 23% of users are working “around IT restrictions most of the time,” per the report.
One of the main reasons employees work around IT teams is corporate policies that block access to particular websites, Gaffan said.
“Most of these websites are perfectly legitimate and required to do their jobs but are still prohibited due to corporate restrictions,” he continued.
Additional factors behind these workarounds include “external collaboration with 3rd parties that are legitimate business partners but due to corporate restrictions employees cannot share files or use other online collaboration tools,” Gaffan explained.
As part of their work duties, 90% of employees “have required IT activities” that they would describe as “risky,” according to the report, with the top situations including “installing unsanctioned” apps, “giving developers a sandbox environment” and “using endpoints for personal activities.”
Part of the report focuses on supporting users with increased IT freedoms and the impacts of implementing these strategies. Virtually all respondents (87%) said they “are looking to increase employee IT freedom,” and the top positive impacts related to implementing these strategies include increased employee productivity, increased “employee sentiment [toward] IT policies” and decreased frustration among employees.
“The drawbacks are typically related to security concerns,” Gaffan said. “These concerns include both the risks of malware infiltrating corporate systems that can lead to data theft and ransomware attacks and also the concerns of exfiltrating corporate data that could contain sensitive information.”
To support more IT freedom, Gaffan said “companies can use various isolation technologies. . . This would allow users to browse the web freely, install applications and use USB devices in an isolated environment on their PC without compromising corporate security.”
That’s a delicate balance indeed. And the risk associated with employees making end runs around cybersecurity restrictions is considerable.
Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.