
Shadow IT and security threats as holidays take off


It has been several weeks since “Freedom Day”. Nearly all remaining Covid laws came to an end after a long 18 months; restrictions around overseas travel have eased, and fully vaccinated adults returning to England from amber list countries will no longer need to self-isolate. With these changes, we can certainly expect more holidays abroad – and so more employees accessing corporate data while on leave.

Previous research from the Institute of Leadership and Management revealed that two-thirds (65 percent) of business leaders would check their work emails while on holiday pre-Covid, while three-quarters had taken or made a work call while away. Increasingly, staff have been logging on during annual leave to stay on top of their workloads. While IT teams have had to enable secure access for distributed workforces during the pandemic, they must now also deal with the wave of staff about to head off to – and likely log on from – their first holiday abroad in some time.

The rise of shadow IT  

‘Shadow IT’ refers to the unsanctioned use of corporate IT systems, devices and software. A recent study, conducted by Censuswide on behalf of Citrix, surveyed more than 3,700 IT leaders across seven European countries and found that the rapid adoption of remote work has elicited a new set of security concerns and challenges that IT decision-makers must tackle. Shadow IT tops the list, with 54 percent of decision-makers recognizing a surge in employees installing unsanctioned software, while 68 percent said they were concerned about IT security due to such devices. Three quarters (73 percent) also confirmed they knew that at least some of their employees had been using personal devices at the time of the survey.

Businesses can counteract the rising threat of shadow IT by deploying people-centric virtual workspaces that limit an employee’s use of unsanctioned devices. Access to data is then only through corporate-approved virtual apps and desktops. This allows a zero-trust security strategy model to thrive – whereby security controls enforce verification regardless of location or device. This model is both simpler to manage and cheaper to own – and significantly reduces the opportunity for shadow IT.

Danger from poor practice  

The widespread shift to remote working has seen employees integrate their personal and professional lives on a previously unthinkable scale. When it comes to annual leave, businesses simply have to recognize that workers may be accessing corporate data through their own devices, temporary devices, or even old devices while on holiday. If these devices are lost, stolen or compromised – or an unsecured connection is exploited – then critical data could be accessed and held to ransom by cybercriminals. 

Sadly, shadow IT, when combined with workers following the example of their colleagues rather than corporate policies (often to complete work quicker), can still lead to dire consequences for a business. During the summer months, sloppy practices are especially prevalent as employees rush through steps and procedures before planned time out of the office. This behavior can leave organizations at risk of a security breach. As staff grow more confident with using non-enterprise-ready apps, business-critical data is put in jeopardy each time an employee turns their ‘out of office’ on.

Employees may choose to switch off automatic security updates to their phone to avoid large roaming charges abroad, given the amount of bandwidth and data such updates consume. This could be equally dangerous for enterprises, because employees may be accessing corporate data from devices with outdated and potentially vulnerable software.

To counteract this, IT departments should deliver the right training as soon as possible. This must ensure that staff are up to date on the latest security measures, that they understand best practices while out of the office, and that they ensure phones and tablets are patched and up to date before they set off. This will reduce the chances of vulnerabilities when accessing corporate data while away.

Online scams

Government-approved Covid tests to avoid quarantine are just one example of how the modern holiday requires online preparation before jetting off. Scams targeting the consumer through text and email are widely reported to have increased over the past 18 months – and are another risk that businesses have to contend with as employees take holiday. 

Unfortunately, it is all too easy for an unsuspecting employee to end up on a scam site by mistake while booking last-minute baggage or travel insurance. They then fall prey to modern hackers who use advanced and complex tools to plant malware on their devices.

Although publicity around such scams has increased in recent months, people often don’t know how to avoid them. Organizations that take the time to provide simple advice on how to spot fraudulent invitations, phishing attempts and other forms of online scam will be safer in the long run. There is more at risk than losing a few pounds to a fake visa. This is, of course, all the more important as employees gain the confidence to set off to foreign climes once again. 

Communication is key 

Upcoming holidays can see employees take more drastic measures to ‘get the job done’ before they officially log off for a week abroad. Businesses must ensure that all members of staff are vigilant, whether they plan to stay in the UK or not. Communication around upcoming holidays and a clear handover of tasks are two simple but effective measures. Though it is never recommended that anyone feel obliged to work on a holiday, IT departments should plan for instances where employees may need to access sensitive corporate data away from the office and take the necessary precautions.

An open security culture that encourages employees to come forward and ask if they want to complete tasks on the go will also ensure safety for your business. There is far more at stake when working away than just completing a report on time. As long as the risks are effectively communicated across the entire organization – along with practical advice to combat dangers – then perhaps we can all now get some sun without stressing about security.

Chris Mayers, Chief Security Architect, Citrix

Chris Mayers is Chief Security Architect at Citrix. He has worked in the software industry for over 30 years, and has been with Citrix since 1998. Previously he was a consultant with Digitivity/APM, specialising in security in distributed systems. He is a member of the Institute of Information Security Professionals.