
Finding the balance: the dangers of workplace surveillance versus the threat of shadow IT

For over a year now, businesses have been tussling with what initially appears to be a straightforward question – how can employees be trusted, and supported, when they’re not in physical sight? Prior to the mandated rollout of remote working, this question appeared enough to cause apprehension for the majority of businesses, with a reported 80 percent of organizations yet to implement a remote working program before 2020. Naturally, all of this changed with the onset of lockdown restrictions, in which businesses were given no option but to place their trust in a dispersed workforce.

This initial apprehension, however, has proven pervasive. Since the onset of Covid, 44 percent of the UK’s pandemic-forced home working contingent have had some form of monitoring software installed on company-provided devices, primarily as a means to monitor activity during work hours. As a result, almost a quarter (24 percent) of that same group have subsequently admitted to using their own devices to avoid such surveillance. This is now causing significant issues relating to cybersecurity – namely shadow IT.  

Trust can be a difficult tightrope to walk for businesses, but with remote and hybrid working set to continue as lockdown restrictions continue to ease, businesses need to re-evaluate their levels of monitoring or risk a longer-term breakdown of communication, workplace wellbeing, and cybersecurity. Ultimately, businesses will need to find the balance between shadow IT and surveillance.

Why are employees hiding? 

At first glance, all seems right with this new world. According to our study of 2,000 full-time workers in the UK – across both management and employee levels – we have found that the relationship between bosses and workers remains strong despite the upheaval and drastic levels of change for some. In fact, almost two-thirds (64 percent) of employees and employers confirm this trust from one to the other. 

This comes from an initial understanding that the pay-off for greater work-life flexibility may indeed be device surveillance, and it is equally understandable that the extent of such monitoring would rise in tandem with the past year’s transition. However, given that this monitoring now transcends emails, internet and app usage, phone use, and even location tracking, businesses must also keep in mind the ramifications of overstepping the mark, and forcing their staff into hiding. 

Switching between corporate and personal devices for each of their intended uses is one thing, but findings show that 31 percent of UK workers would likely use a personal device more for work purposes if they were being monitored by an employer. Put simply, the more invasive the monitoring becomes, the less receptive employees become to the idea of being watched at all.

How can businesses strike the right balance? 

To begin with, employees may have veered towards shadow IT out of ease or convenience, to avoid having to keep switching between personal and business use. But there does also seem to be a genuine aversion to the idea of being monitored to such a broad extent – a prospect epitomized by respondents feeling less productive (24 percent) or less creative (25 percent) as a result of surveillance software being used.

More worryingly, nearly a quarter (24 percent) of workers would be likely to leave their job if they felt their privacy was being invaded, leaving employers in a tricky position, and potentially walking a fine line of trust. It is a tightrope businesses cannot afford to fall off either. On the one hand, given the speed at which the past year’s events have unfolded, to allow complete independence among the homeworking contingent, with no account of work patterns, productivity levels or task stats, would be to lose critical insight and – in some cases – control. On the other hand, if workers do go into hiding and begin to use personal devices to avoid any such accountability, then security becomes even more of a concern.

The latter scenario of shadow IT opens the door to cybersecurity vulnerabilities at their most pressured moment. The threat of attacks has massively increased as a result of the remote working transition, as opportunists have capitalized on network transformations and – most aptly – employee error. And that’s why organizations must strike the appropriate balance between accountability and invasion in their surveillance efforts.

Why is communication crucial? 

When the pendulum swings too harshly towards ‘spying’ rather than ‘monitoring’, it becomes all too easy for workers to slip into dangerous habits, or implement workarounds to avoid workplace surveillance entirely. With the potential to deteriorate workplace communication and data security, it is of paramount importance for businesses to focus on how to avoid overstepping this fine line. 

However, businesses will need to begin involving employees in the reasoning and processes behind workplace monitoring. This means an open dialogue around what are truly acceptable, or beneficial, levels of workplace surveillance. Of course, this negotiation must be predicated on the fact that escaping to personal devices and unapproved software is rarely secure. 

Employees choosing, or even feeling forced, to work on their own devices can present serious security risks to businesses. By doing so, staff members could be accessing sensitive corporate data on insecure, domestic networks – and considering that more than 80 percent of all cyber breaches are caused by human error, it is vital that companies have complete oversight of how their IT systems and hardware are being used by remote workforces.

As the working from home guidance ended on July 19th, some businesses will likely adopt flexible hybrid working policies. In doing so, it will be important for businesses to provide employees with clarity as to what type of monitoring will be put in place, if any (and why). It is also recommended that business leaders instill a culture based on open dialogue, where staff are empowered to come forward and report any incidents – such as clicking on a link in an unsolicited message – or suspicious activity. By removing the fear of being judged or reprimanded, organizations will have a better chance to stay safe from cyberattacks, whilst enabling the security teams to mitigate any threats that might be already present in the network.

By finding the sweet spot between surveillance and shadow IT now, businesses can work towards building the positive relationship that is already proving essential to the function of remote/hybrid working.

Chris Hurst, General Manager, Kaspersky UK&I