93% of digital workers routinely circumvent corporate IT restrictions
The traditional IT perimeter is dissolving. For years, Bring Your Own Device (BYOD) trends have been slowly widening the corporate network — and work from home policies throughout the pandemic accelerated this movement. This era also saw the introduction of new remote collaboration tools and low-code/no-code platforms that weren’t always sanctioned by central IT. To retain worker productivity, leaders now face mounting pressure to grant increased IT freedom. Yet, simultaneously, security threats are pushing organizations to lock down access to only the privileged few.
So, how do enterprises approach this paradox of usability versus security? How can organizations allow IT freedom while upholding stringent security?
If you’re dealing with this paradox within your company, you’re not alone. The Enterprise Security Paradox, a report conducted by Hysolate, surveyed 200 IT and security leaders at medium-sized enterprises. The study found that while most companies desire increased IT freedom for remote workers, they also believe their organization requires more stringent security restrictions around employee access.
Below, we’ll attempt to make sense of this contradiction and determine how enterprises can set out to balance these opposing targets. I also recently met with Marc Gaffan, CEO, Hysolate, to explore how these new findings reflect the past year of lockdowns and accelerating IT requirements.
Remote Work Requires IT Freedom
Before the pandemic, 80% of employees were spending 90% of their work hours in the office, behind the constraints of a corporate firewall. These traditional corporate environments are safe by design. For instance, employees often can’t install apps, use a thumb drive, or visit harmful sites. It’s rare to have third-party contractors at these controls.
When COVID hit, this reality completely reversed. Workers were suddenly spending on average 90% of their time outside of the firewall, found the CISO’s Dilemma report. This meant most workers were using personal devices and networks without typical traditional restrictions. The rise of remote work often resulted in bringing on more freelancers and third-party SaaS.
Throughout the past year, nearly all companies were forced to adapt to dramatic changes to their working conditions. As a result, 87.3% of security and IT leaders want to increase their employees’ freedom to work from anywhere. Simultaneously, 79.3% believe their organization requires more IT restrictions for its employees. Granting access to third parties and contractors is also a pressing concern for 87% of professionals.
What’s more, employees aren’t waiting around for corporate cats to slowly change their old governance measures. In fact, 93% of respondents say they are, in some form, working around their company’s IT restrictions. Within the new normal, knowledge workers are more than willing to adopt new tech to get the job at hand done. If business units don’t have the right tools and automation to keep pace, application user experience and stability could suffer.
“We can’t stifle user experience and productivity of employees,” said Gaffan. “Now, there’s consensus that that won’t pass anymore.” Within an environment that stifles innovation, negative sentiment against policies could bubble up. Inflexible working conditions could hinder hiring prospects.
Productivity vs. Security
Interestingly, when it comes to balancing IT freedom, security professionals are more likely to encourage both increased IT freedom and increased restrictions. Perhaps these specialists understand the need to adopt a distributed workforce and fully understand the repercussions of doing so. This urge to address both extremes is exceptionally high in the Retail sector, where 93% want to increase IT freedom to work from anywhere, and 93% say they need more restrictions.
In general, greater IT freedom appears to result in many net benefits for the organization. For example, 87% of professionals indicate that increased IT freedom resulted in better overall productivity. Remote work offers fewer distractions, and new distributed collaboration tools can deliver real-world results. Other benefits from increasing IT freedom involved sentiment — 82% of respondents say increasing IT freedom improved employee sentiment toward IT policies, and 79% said it reduced employee frustration. It appears that encouraging IT flexibility is helpful to reduce employee churn and maintain positive morale.
Of course, this new paradigm of work isn’t 100% safe — many of the new capabilities deemed mission-critical by users are also the riskiest. For example, installing unsanctioned applications is the riskiest activity, as unapproved, shadow IT could carry new vulnerabilities.
Other potentially insecure activities include:
- Giving developers a sandbox environment.
- Visiting corporate-blocked websites.
- Using work devices for personal activities.
Only 10% of those surveyed reported their new distributed workforce didn’t introduce any more risky IT activities.
There are inherent security risks associated with many new cloud-based project management and collaboration tools, explained Gaffan. They could bring malicious code into an organization or exfiltrate data externally. It’s so easy to spin up a new SaaS device these days, or rapidly construct an application, that you could lose governance around these types of activities, said Gaffan. Ungoverned processes that deal with user information are more likely to violate regulations like GDPR or CCPA, said Gaffan.
Massaging Corporate IT Restrictions
Today, most digital workers are undermining IT restrictions to retain their productive edge. Knowing this reality, it will be near impossible to make sweeping restrictions that limit all activities. Instead, new security initiatives are more likely to find ways to safely work alongside new habits — enabling employees to use non-IT sanctioned apps and websites, while investing in isolating untrusted incoming content.
To secure modern IT Ops, “there is a mindset that needs to be adopted,” explained Gaffan. This balancing act will likely require DevSecOps, a closer partnering of IT and Security departments, to find a happier medium.
Part of this is choosing the right tools to increase the corporate security posture. Concepts like Zero-Trust can enable granular application access control while allowing elements of freedom. Or, organizations may desire to split the employee endpoint into multiple environments — having a locked-down corporate work environment while maintaining another environment on a personal device, where you can do everything freely, explained Gaffan.
To address security concerns, 62% of organizations are already using Endpoint Privilege Management (EPM), found the report. 55% are using application isolation, 48% use browser isolation, and 47% use DaaS. Browser isolation is also the top style professionals intend to adopt in the future.
Final Thought: Productivity Triumphs Over Security Restrictions
Organizations require tight security but must also cater to the needs of employees to retain productivity. Remote work has exacerbated this paradox, so much so that 91% of teams now say managing remote IT is a priority within the budget for 2021. In the coming years, balancing expectations in this new reality will be an ever-present priority for executives. “Productivity has become a board-level discussion in the past year,” added Gaffan. “Things that hinder this will be spotlighted and tackled.”