By Ronald Sens, EMEA Director for A10 Networks
We’ve just undertaken some new research which shows that UK employees are unwittingly putting their organisation at risk through their use of unapproved apps. The problems associated with ‘Shadow IT’, where employees download apps or use services without the consent of the IT department, have escalated in line with cloud adoption and the use of personal smart devices in the workplace.
Even though the use of unsanctioned apps can be a real security headache for IT – the apps can act as gateways to the network for cybercriminals looking to gain access to an organisation’s valuable data – there seems to be no stopping employees’ actions.
The research, the Application Intelligence Report, which was conducted across ten territories, shows the UK has the highest percentage of employees (41 percent) who use apps without permission from IT, or without knowing whether those apps have been approved for use at work.
Of those who use non-sanctioned apps, more than half (57 percent) use the excuse that “everybody does it” – more than any other European country questioned in the report.
Other respondents say their IT department doesn’t have the right to tell them what apps they can and can’t use, while some claim that their company’s IT department doesn’t give them access to the apps they need to do their jobs.
The research highlights a notable lack of understanding among UK employees as to the potential damage they are inflicting on their organisations’ security. In fact, many companies still don’t realise the risks that come with this growing reliance on disparate and app-dependent workforces.
In the UK, 54 percent of respondents have experienced at least one data breach, 41 percent have experienced a DDoS (Distributed Denial of Service) attack, and 30 percent have fallen victim to ransomware attacks – both higher than the global averages.
As the high-profile data breaches have shown over the past 12 months, all it takes is one DDoS attack to damage an organisation’s brand, its reputation with customers, and its revenue stream.
There is also the issue of app security: who is ultimately responsible for protecting the personal information and identity of employees who use approved business apps at work? The application developers, the IT department or the end users themselves?
Globally, only a fifth of IT decision-makers think employees take accountability for protecting their personal information and identity. When it comes to using personal apps at work, 44 percent of IT professionals assume employees take responsibility for securing their own personal information.
A third of respondents say the security team is most responsible for protecting employees’ identity, followed by the CIO or VP, and then the IT department.
Drilling down into individual countries’ attitudes, most German IT heads believe the CIO or VP (46 percent) is ultimately responsible for securing employee identity and personal information, while those from Brazil (32 percent) most often place responsibility on all IT practitioners, regardless of the team.
Brazilian, Indian, Chinese, and US IT chiefs believe that employees place a greater amount of responsibility on the vendor or developer of the applications.
So how does the UK compare to other countries? Interestingly, while most firms globally think IT leaders should be held accountable, the UK’s IT leaders point the finger at service providers (36 percent), more so than the company or app developer.
When it comes to app password security, UK IT chiefs have more faith in their employees than some of their counterparts around the world – 23 percent think employees “always” change their passwords, and 56 percent say they “sometimes” do so. China and Japan ranked lowest for how regularly employees change their passwords.
Across the board, more than half of IT decision-makers are agreed that mobile business app usage will increase in the next fiscal year. By 2020, most UK IT pros (84 percent) believe that mobile business apps will be used more than those on a laptop or a PC, almost in line with the global figure of 88 percent.
The good news is that 20 percent of UK IT departments say they are looking to grow their security budgets to combat the explosion of threats. The slightly less good news is that the UK ranks joint bottom with Japan for companies that expect to grow their security budget by 10 percent or more, at 14 percent, less than the global average of 27 percent.
Globally, security is the top discipline for which IT teams are hiring, followed by applications teams. More than a third (36 percent) of IT decision-makers believe the security team is the highest hiring priority – again with the UK unfortunately ranking lowest worldwide at only 20 percent.
Awareness and education must be a priority. Factoring in employee behaviour, IT professionals should focus on building enterprise-wide security awareness and education programmes and implement strong security and access policies to prevent bad behaviour, and in particular, rogue app usage.