Much to the joy of employees everywhere, "bring your own device" (otherwise known as BYOD) is a movement that has become common in the workplace. On the one hand, it makes a certain degree of sense. Why wouldn't you want your employees to be able to use the smartphones, tablets, and other types of mobile devices that they're already comfortable with? Why should you as a business leader go out of your way to provide this equipment for your employees when they already have ones of their own that they're perfectly happy with?
This has been especially accelerated by the rise of remote working, as people need to be productive from anywhere and don't want to have to switch between multiple devices in order to do it.
The issue is that in most companies, the IT department is responsible for approving the types of devices and software that employees are allowed to use when accessing and working with sensitive business data. That's easy to do when you're providing hardware to your people — it's less so when they're allowed to just use whatever they want.
All of this gives rise to a concept known as "Shadow IT" — meaning the types of devices and services that are running on your network that your IT department may not be aware of to begin with. It's a serious issue facing most companies these days, and it's one that you absolutely need to be aware of moving forward.
The Trouble with Shadow IT and the Risks of the BYOD Workplace
One of the reasons why Shadow IT begins to occur at all is because employees feel like the resources that you ARE giving them access to leave a lot to be desired. When the ongoing COVID-19 pandemic began, for example, you probably offered them one of a few different collaboration tools to help assist with their new remote work life. But if they weren't actually happy with what you've given them, they may have turned to third party solutions like Slack or even Zoom.
If they're not satisfied with the cloud-based storage you've offered them, they may have turned to DropBox or even Google Drive.
By now, you can probably see where this is going.
If someone is storing information on their personal Google Drive, you don't actually know what that data is — meaning that there is little you can do to actually protect it. Along the same lines, that data is officially just one weak password away from being compromised. The same is true when employees are sharing files via unapproved video conferencing or other collaborative tools. At that point, you're simply not aware of what your risk surface actually is so you can do little to defend against a potential attack.
But the true key to mitigating risk from this phenomenon involves doing as much as you can to understand it as possible. Again, Shadow IT begins to rear its ugly head because your employees are searching for easier and more effective ways to do their jobs than the one that you've provided for them. Therefore, if this is beginning to be a problem, you need to make a proactive effort to understand what those shortcomings are so that you can address them in the most effective way possible.
This is a big part of the reason why it's so important to invest in intelligent management systems like M-Files. M-Files acts as a centralized repository for all of your data, regardless of where it happens to be. People don't need to navigate among multiple services just to find what they're looking for. So long as they know WHAT is in the file they're after, they can find it easily — all without navigating from one platform to the next and back again.
Beyond that, to truly remain protected from the risks of BYOD and Shadow IT in the remote work era, businesses need to create an environment where the endpoint (meaning the user devices) is largely meaningless in terms of security. That means embracing encryption that protects data both while it is at-rest on a server and while it is in-transit to the end user device.
You also need to have a strong foundation of service management and security incident handling for all of your assets. You need to be prepared for a threat should one occur, regardless of whether it happens on one of your own devices or on the personal device of an employee. If you're able to do that, you (and your employees) can enjoy many of the benefits of a BYOD system with as few of the potential downsides as possible.
