Forcepoint has published new research investigating how the shift to working from home has impacted people’s behaviours and attitudes, revealing how over a third (37%) of UK employees have turned to shadow IT at home, exposing companies to increased cybersecurity risk.
Rise in shadow IT
These research findings revealed nearly half (48%) of UK respondents are using personal devices to access their employer’s documents and services whilst home working. 34% reported storing or transferring work data on personal USB sticks. In addition, 34% of employees reported using private email or file-sharing cloud services for work purposes. The main reasons for this are down to simplicity, with 33% of employees stating that they use shadow IT to easily perform certain job duties; and because company rules make it challenging for employees to do their jobs, with 32% saying this was the case.
In addition to the use of shadow IT, UK home workers engage in risky behaviours when it comes to physical work documents and with connected devices. Almost half (47%) of employees stated they print documents on devices used by several people in their household, and 41% leave work documents lying around the house. In addition, 41% of respondents use employer-provided devices for private purposes, with 21% even allowing members of their family to use their corporate devices.
Dr Margaret Cunningham, Principal Research Scientist at Forcepoint, commented on the results: “Lockdown has been a stressful time for everyone, and while employers have admirably supported remote working with technology and connectivity, the human factor must not be overlooked. Interruptions, distractions, and split attention can be physically and emotionally draining and can negatively impact performance. This often materialises in risky behaviour which can jeopardise a company’s cybersecurity, and Shadow IT can introduce significant risks.”
Who is putting organisations most at risk?
Interestingly, the research reveals that certain demographic groups use shadow IT more than others. One of the biggest differences is between men and women. Although both report similar levels of support from their organisation – whether that’s additional training, the right equipment to do their job or feeling valued at work – men are more likely to report that technology is a barrier for getting work done and report higher instances of using shadow IT.
Half (50%) of men stated that they use personal devices to access work documents or services, and 39% percent stated that they use personal cloud-based accounts to collaborate with peers. This may reflect technology-based inconveniences, as 35% of men noted that company policies that make it difficult to get their work done. In contrast, only 29% of women stated that they use personal cloud accounts to collaborate with peers and 25% used personal backup devices to save corporate data. Encouragingly 43% of men and 32% of women also stated that they have changed security settings since homeworking.
There are also huge differences between younger and older employees. Younger employees (under the age of 35) feel massive pressures whilst working from home and also report far higher shadow IT usage as well as more risky behaviours with systems and devices. Over a quarter (28%) of young people said they used their neighbour’s Wi-Fi connection to do work, compared to only 5% of older workers (aged 55+). Over a third (34%) also stated they allow family members to use work devices, compared to 9% of older workers. Finally, half (51%) of young people use corporate devices at home for personal use, compared to only a quarter (26%) of older workers.
Those who care for others within the home (caregivers) are also engaging in more risky behaviour. 40% of UK caregivers said they need Shadow IT to get their job done, with almost half (48%) storing or transferring work data on personal USB sticks. 56% use personal devices to access their employers’ documents and services.
Despite the growth in shadow IT, positive interventions from business leaders can support and guide those people struggling with lockdown. This includes accepting that people will make mistakes and working with employees to ensure they truly understand cybersecurity processes and systems. In addition, understanding user activity and behaviour can help organizations identify risky users more quickly and mitigate the impact of mistakes or vulnerabilities before the entire business is adversely impacted.
Dr Cunningham concludes: "Companies and business leaders need to take into account the unique psychological and physical situations of their home workers to ensure effective IT protection. They need to make their employees feel comfortable in their home offices, raise their awareness of IT security and model good security awareness behaviours.
"People in home offices usually use shadow IT not out of malice or carelessness, but to be more productive. You won't be able to stop them from doing that. Companies should therefore no longer approach IT security exclusively at the system level. Shadow IT can in fact lead to great innovation and improved productivity, and black-and-white policies simply blocking access will only lead to more workarounds. The focus should be on uncovering shadow IT uses and re-setting policies where required, but also and most critically, ensuring that critical data is defined and appropriately protected as we continue in our new patterns of remote and flexible working.”