An attitude of “productivity at all costs” gave employees a heightened level of control over their app choices in the early weeks and months of Covid-19. Now they don’t want to give that up. Matt Chiodi, technical adviser and chief trust officer for Cerby, explores survey results in light of the security challenges this presents.
How does it make you feel when you are told you can do something only if you do it a certain way, with a very defined set of tools? If you are like me, you probably don’t like it, and it might even leave you feeling like you aren’t trusted.
Welcome to what I like to call the corporate Covid-19 hangover. Over the past two years, employees experienced a level of empowerment they had never felt before regarding application choice. In the wake of global lockdowns, employees were told to do “whatever it takes” to remain productive. And despite many organizational efforts to undo this and bring employees back into the fold, this genie is not going back in the bottle. A new generation of professionals reaching maturity in the era of mobile apps and social media will not quietly adhere to company policies on which particular tools they can and cannot use. If anything, the numbers will likely continue to rise, particularly with a remote workforce.
To illustrate this empirically, we commissioned a study with over 500 business professionals across North America and the UK. We found that 92 percent of employees and managers want full control over the applications they use for work. The majority say that having an application disallowed shows a lack of trust from their employer and would negatively affect how they think about their job.
I believe this demonstrates that employee behaviors on application choice have permanently shifted in the wake of Covid. End users, professional or otherwise, buying and deploying their own applications is not new. However, the practice has clearly reached a new critical mass: Many more individuals are now engaged in making ad hoc technology acquisitions, with company funds but without IT authorization and without regard for security standards.
This should not surprise us. It has long been the mantra of security teams that “security is everyone’s business.” Except that in reality, it’s not. Let’s look at your marketing team. They are focused on and, more importantly, incentivized to develop messaging that communicates the value of your company’s products and services. Security is not top of mind in their day-to-day jobs, and it should not have to be. Our research shows that despite security awareness training and millions of dollars invested in security controls spanning cloud access security brokers (CASBs) and security service edges (SSEs), 51 percent of employees continue to use the applications they prefer, even if their organization has prohibited their usage.
There is a massive gap between the perception of organizational control over the applications used for work purposes and the reality of employees deploying their own preferred applications, often outside of IT and security authorization and without adequate regard for industry standards or security protocols.
Historically, this realm has been known as shadow IT. But I believe there is a better term: unmanageable applications. Unmanageable applications are those that do not support industry standards like SAML (for authentication) and SCIM (for adding and removing users) and therefore break zero trust principles. These applications in the enterprise are exactly what we call them: unmanageable in their current state. Companies ignore this trend at their own peril.
I remember working at a large corporation and being told we had some of the most well-crafted security policies. No expense was spared in ensuring they covered every aspect of cybersecurity and risk. I thought to myself, “Wow, this company has really done all the right things to make sure all bases are covered.” Then about a week later, I was chatting with a few colleagues outside of security, and one of them said, “I really love tool X because it helps my team collaborate, but it’s not approved, so we use it on the sly.” She then told me how her non-technical team easily got around the network controls that were in place (and our paper policies).
Our research indicates that most organizations have established policies on applications employees can and cannot use for work purposes, and these do have some impact: More than half of employees have had an application they wanted to use for work disallowed. The challenge is that this approach isn’t working. It’s entirely understandable why employers crack down and disallow certain applications that employees may be using.
However, as a long-term, comprehensive policy, this is not feasible — half of all employees surveyed report that they’ve had applications disallowed; still, half of them intend to keep using disallowed applications anyway. Companies need a different approach moving forward, one that enables employee application choice and doesn’t blame end users for making poor security decisions. They need something that takes the guesswork out of security by automating the small security choices that, with unmanageable applications, are often left in end users’ hands.
The primary pitfall for IT and security teams is continuing what they have done in the past: taking an enforcement-based approach to employee application choice. Our research suggests that this approach will only further entrench unmanageable application usage. Employees and managers will continue using their preferred applications, including those that do not support industry security standards.
The prudent response from IT and security teams is to look for solutions that balance employees’ choice of applications with employers’ responsibilities for security and compliance. I frame this as enforcement-based versus enrollment-based security. Enforcement-based security is almost always heavy-handed and is typically carried out at the network level with CASBs and SSEs. Applications are blocked, and employees are presented with a “talk to your admin” screen. This approach isn’t working. Employees are going around it.
Enrollment-based security is when employees are empowered to choose the best applications for their work and self-enroll those applications in a security solution that configures the right security policies for them in the background. Given that most of the workforce are not security or IT professionals, they need tools that abstract away the often difficult but highly important security tasks of enabling key features like 2FA, strong passwords and role-based access control. With the world moving toward zero trust architecture, organizations must consider how to preserve employee application choice while bringing unmanageable applications into the fold.