The sharp and sudden increase in remote work, due to the COVID-19 pandemic, has made the risks associated with losing data to shadow IT clearer than ever. Prior to the work-from-home boom, many organizations' security measures and disaster recovery plans were unfinished or inadequate. Those in charge of remote data protection and DR not only need to confirm corporate data is safe, but ensure that they're reigning in the threat of shadow IT.
BYOD allows employees to use their personal devices, such as smartphones, tablets and laptops, for work purposes. This adds convenience, especially when working from home, but increases security concerns. With the social-distancing guidelines of the coronavirus keeping people at home, organizations must evaluate their BYOD capabilities and policies.
"When you work from home, people will increasingly use BYO devices, which IT probably will not have the ability to back up and which may lack authentication protocols and other means of control," said Phil Goodwin, a research director at IDC.
What's more, there is still the perennial issues of shadow IT. Shadow IT refers to hardware or software used within an organization but is not supported by that organization's IT department. This can be a factor in the decisions that departments and lines of business make about purchasing a remote data protection service, such as disaster recovery in the cloud. Many do this without thinking about or understanding corporate governance or the need to mesh with corporate service-level expectations.
This article is part of
"Those are the things that can really get a company cross-threaded," Goodwin said.
Independent IT analyst Greg Schulz agreed that shadow IT is likely rearing its head as remote operations become the norm.
"[Organizations] may have gotten their own systems and software and may have put everyone out to Amazon, Azure or Google, and they don't even know if the data is in country or out of country," he said.
Phil GoodwinResearch director, IDC
Problems may not surface immediately, but when they do, Schulz said, employees will likely dump any issues on IT's door.
As a consequence, he said, IT and DR pros wonder if they know where their data is, who can access it and who is protecting it.
Improvisation can lead to disaster
As individuals have fewer opportunities for direct collaboration while working remotely, they are more likely to take well-intentioned but misguided actions with data and processes, Goodwin said. Providing them with better information and alternative, company-sanctioned tools can help ensure that data security isn't compromised by employee improvisation. To guarantee that employees actually use the corporate alternative, however, organizations must choose one that is as good as or better than outside options.
One of the challenges for IT operations that Goodwin said he often hears about is simply keeping up with end-user demand for new IT services. When IT falls behind and is unable to respond to those requests, end users start to take things into their own hands.
"If IT can become more agile in response, perhaps by providing cloud-based solutions or getting users involved in the selection of new services, they can regain more influence and control," Goodwin said.
Education regarding how to best do BYOD is very important.
"You need to communicate with end users regarding their devices, and, at the same time, you need to consider implementing more edge capability around data protection and data capture," Goodwin said.
In addition to keeping employees informed, an organization must have an acceptable use policy (AUP) in place outlining the rules for corporate data on personal devices.
Numerous low-cost services can help reduce the remote data protection risk posed by employees working from home. For instance, consumer-grade McAfee software can create a baseline of security. Backup and DR vendors such as Acronis, Carbonite or Druva can provide a degree of data protection with different service options. If the company pays for those services, it could potentially gain a greater measure of control over its corporate data in the wild.
When people lose personal devices, it is better if the corporate data is encrypted and susceptible to remote wiping. According to Goodwin, wiping practices can be problematic if personal data also gets eliminated. Fortunately, "there is more finesse available now so it can be focused just on the corporate data," Goodwin said. However, leadership must inform employees of any remote-wiping practices in the AUP.
DR needs to adapt
Naveen Chhabra, an analyst at Forrester Research, said that disaster recovery service providers are under tremendous pressure as they adapt, attempting to support and enable their employees to work from home while providing continuous support to clients. The current COVID-19 crisis may result in gaps as the DR service providers will have limited physical in-person support. Working with a service provider early and being proactive is ideal, but absent that, at least be vigilant and communicate with them.
In terms of an organization's own capabilities for recovery, Chhabra said now there are typically fewer people available on site or even to handle tasks remotely. Taking advantage of DR automation can help with this.
Of course, not every company is facing the same scenario. From Schulz's vantage point, it seems like the companies that have embraced remote work in the past, even if employees only used it once a week or once a month, are doing much better.
"They have the infrastructure in place and are just upgrading and expanding to support rapid deployment to everyone," he said. "They are prepared; it is just a matter of scaling up."
Looking ahead, Schulz said many aspects of the pandemic period may become the "new normal."
"It is probably a good wake-up call to move into the 21st century and make sure to have VPNs and secure gateways in place and the staff and processes to support all of that," Schulz said. It will also be crucial to have the ability to scale up and down quickly, so employees can gain access quickly and temporarily for emergencies until the crisis passes.
"There is a long shopping list that should include things like encryption and strong authentication," Schulz said. "The new watchword is 'be prepared.'"