As COVID-19 forces organisations around the globe to replicate their working practices digitally and remotely, cyber security vulnerabilities are being exposed. The use of shadow IT (non-approved tech and communications solutions) presents a major risk to businesses that aren’t prepared. Now, more than ever, this is an issue for HR and internal communications, and we need to partner even more closely with our IT teams.
So, what should we be looking out for? How can we shift our use of technology towards safer online collaboration and productivity as we work with our teams remotely?
We decided to host a Q&A session to answer questions around security and remote working and to look at some of the common pitfalls we’re all exposed to.
Our head of digital and internal comms consultant Tony Stewart was joined by Matt Fooks, Modern Workplace Architect at services, security and tech specialists SBL.
Sadly, our recording cut out a few minutes early, missing the final 2 questions, but our session went a little like this:
Matt: The term covers applications and software that aren’t managed by IT. The business might be using them but IT aren’t aware. This can include things like Zoom, WhatsApp, Dropbox and WeTransfer.
Matt: Partly. But really, it’s the responsibility of everyone around the organisation, especially during these times. Your IT manager can’t pop to your house to check that you’re using the right systems in the right way! There are tools that can prevent the use of Shadow IT but they come with a cost. It’s ultimately up to everyone to make the right judgements around what we should and shouldn’t use.
Tony: We’ve seen a more decentralised approach to collaborative working. IT doesn’t want to be a bottleneck getting in the way of people doing what they need to do. But a little too much free rein, combined with the fact people are using their personal devices more, can throw the balance off.
Tony: Because, from an internal comms point of view, we’re looking for one source of truth. People need to have access to the right information, so we need platforms in place as channels for us to be able to communicate. A lot of businesses will already have incumbent platforms, such as Workplace or Teams. But there can be gaps which lead us to find workarounds in shadow IT. Perhaps it’s difficult to access the server to be able to collaborate on a document so we turn to WeTransfer to send the file. If those documents contain sensitive information, it’s a problem because that platform isn’t compliant and there are risks to the business.
The flip side is there are malicious people out there who want to get hold of this data and this is a perfect time for them to try. A hacker who discovers you’re using shadow IT can exploit that, hovering around, trying to catch you out.
Matt: As an organisation, you should look at the tools you’re going to use and consider compliant alternatives that do the same job, so you can avoid risk to the business and also avoid getting caught out when you are audited.
You probably have a lot of great tools already that you’re not using or that have useful elements that aren't ‘switched on’. G Suite, Office 365 and SharePoint are great for collaboration. Yammer and Teams are great for communication. It’s always worth pausing to ask: ‘what are we needing to get out of that tool?’ and talking to IT about your goals.
Tony: Absolutely. If you have loads of employees using WhatsApp, it shows that your organisation needs a direct messenger. Looking at behaviours is an opportunity to grow and develop new tools to benefit your business long term.
Matt: My feeling is for a corporate enterprise – no. But it depends on the context in which the tool is being used. You might use it for the weekly pub quiz, which is fine. But Zoom doesn’t meet compliance around things like GDPR. They have taken steps to improve security, but it depends on the risk appetite of the business. If your company has gone to great lengths to protect data and security, a platform like this will circumnavigate your efforts.
Tony: A lot of clients we work with have tiered categorisation of data in their communications, from top level security down to ‘fine to post on Facebook’. That’s the approach to bring to Zoom meetings. If it’s social, it’s probably ok. If it’s strategic direction or NPD, stay away.
Tony: Furlough is an interesting one. We can’t be talking to our furloughed colleagues about work. But we do want to maintain that social aspect, so they still feel part of the team. We’ve seen some clients partition off part of an existing network, like Workplace, where the employee still has access to the community, albeit restricted. We’ve seen other clients develop dedicated microsites outside of the firewalls, where there is support and social info. Some, with the express permission of the employee, send out newsletters to employees’ personal emails to keep them up to date.
Tony: Some businesses are looking to WhatsApp for social moments like these. My argument is it’s probably not ideal as it leads to a notification overload on your device. I would consider platforms where you can create dedicated channels or groups, and the user can manage notifications they get. It goes back to comms 101 of considering the needs of the audience; how will this message be received?
Matt: Also, some of these watercooler chats start social but move into work discussion. In a platform like Yammer or Teams, you can set the expectations of where these conversations can move to.
Tony: Thinking longer term, if you can start to establish those positive cultural groups and communities, such as ‘the cycling group’, that’s cultural cohesion we want to maintain, particularly across different teams and locations. These are great habits to form now, if we’re willing to invest the time and some light governance.
To the point of shadow IT, if you create these groups within something like WhatsApp, you’ll miss that opportunity. Where they are not best practice, they will be discouraged, and without a community manager they tend to fall by the wayside.
Matt: I would advise corporate environments not to use tools like that. G Suite, SharePoint and OneDrive are a far better way to have granular control. You can track where the documents have been shared and revoke access to protect them, stopping the leak of intellectual property.
Previously, many organisations would have a very strict policy on file sharing. Now, these are opening up because they have to. Sharing policies will also need to adapt and change.
Tony: Also, WeTransfer just isn’t the best way to work collaboratively. You lose versions and you miss changes. Teams and SharePoint allow us to go in and work in real time, make comments and make updates. It’s a much better way to work and brings with it more teamworking benefits.
Matt: It’s a very good question. We’re certainly exposed to more risks currently because of the blurring between work and home and associated use of tech that goes along with that. There are apps which can ‘partition’ a user’s device, so that corporate data cannot be accessed by other shared users.
On desktops, make sure you have different user profiles set up – have a dedicated work profile used only for that purpose.
Tony: Usually IT has rules for this kind of personal device sharing in place, but they aren’t always well communicated and so people don't always know what is expected of them. Regular communication of what you can and shouldn't do on your personal devices is crucial, especially now, and should be a part of your regular drumbeat of internal communications.
Matt: Definitely. We’re seeing more phishing scammers popping up, masquerading as official sources such as HMRC or the government, taking advantage of the new ways we’re receiving updates around COVID-19. To the point about shared devices, the work and home lines are more blurred and the risks run across both. I think it’s vital for businesses to make their people aware of threats and risks, both in and outside the business.
Tony: I agree. As communicators, we have a responsibility to dispel misinformation and provide a trustworthy source. We have an opportunity to work even more closely with our IT teams to get the message out and help keep everyone across the organisation safe.