Along with the independence remote work affords employees comes the use of shadow IT and poor password practices, according to a new survey by 1Password.
Beleaguered IT personnel lose nearly a month (21 days) of work annually managing Identity and Access Management (IAM), revealed a new report from the EPM (enterprise password manager) company 1Password.
The tasks most frequently imposed on IT include resetting passwords and tracking app usage. For employees and IT staff, the swift pandemic-response transition to working from home (WFH) made daily security challenges even more relevant. Even if issues could be predicted, problems were likely, given the rapidity of the switch and the large number of employees reliant on a comparatively small IT department.
IAM proves to be a continual burr in productivity, not only for the IT staff, but for employees, too; 57% of IT workers reset employee passwords up to five times per week, and 15% are doing so at least 21 times weekly. The research revealed that 14% of IT workers "are consumed with IAM, and spend at least an hour per day on routine IAM tasks."
One in three IT workers don't fully enforce security policies, while 20% of workers don't consistently adhere to security policies. The besieged IT staff "cite a lack of suitable technology resources and concern for employee effectiveness" which unquestionably affects "the relentless quest for productivity."
IT workers believe they're without resources to ensure IAM products are solid and effective, and don't feel confident in the provided tools. Only 48% of IT workers allege that most of their IAM products bring value to the company, while 13% said less than 10% of their IAM products actually deliver.
Shadow IT has become an even bigger problem in the new WFH normal, as IT staff are less able to monitor employees' use at home of information technology systems, devices, software, applications, and services that the company's IT department has not explicitly approved. Shadow IT impedes the power of EPM to achieve security, productivity and convenience.
IT departments use IAM to detect the unauthorized use of Shadow IT, and research revealed it's "largely successful." Four in five employees said they always follow the company's IT policy, which means only 20% of all workers drive all Shadow IT activity. The report stresses these employees are not malicious actors, but are laser-focused on productivity: 49% cite productivity as the No. 1 reason for sidestepping the IT department's rules.
"The Shadow IT picture is more complicated than many think," said Jeff Shiner, chief executive officer, 1Password, in a press release. "Most of us follow the rules, but a small group of employees trying to get more done circumvent policies and create openings for credential attacks. They're sometimes enabled by IT workers who empathize with their pursuit of productivity."
The company scofflaws who don't follow IT policy, according to the report, are:
- Sprinters: More than two times more likely to cite convenience as more important than company security. Almost half believe that adhering to "strict password requirements" isn't worth the effort and time.
- Skeptical of IT capabilities: Those who break IT policies are 50% more likely to claim that it's unrealistic for businesses to oversee all devices and apps used by employees. They also allege that the IT department "is more of a hindrance than a help."
- Millennials and Gen Z: Compared with colleagues ages 56 and older, 18- to 39-year-olds are three times more likely to admit they do not always follow IT policies.
IT workers cite a lack of resources
IT workers did not lay all the blame for security issues on employees but said they lacked appropriate tech resources. They also said that "concern for employee effectiveness" is why 33% of IT staff are not resolutely enforcing the enterprise's security policies.
IT staff admissions:
- 25% said they don't enforce security policies universally
- 4% forgo all policy enforcement because they don't want to deal with the common and frequent concern of productivity vs. managing policies
- 38% do not strictly enforce security policies because the "organization's method for monitoring is not robust"
- 29% agreed "it's just too hard and time consuming to track and enforce"
- 28% said "our employees get more done if we just let them manage their own software"
- 33% said strict password requirements at work aren't worth the hassle
How IT staff feel about EPMs:
- 89% of IT departments said a password manager has measurable impact on security
- 57% who use EPMs report it's a time-saver
- 45% said it reduces the time they spend on the mundane
- 37% said it enhances productivity
- 26% said it reduces breaches and attacks
- 26% claim it creates happier employees
1Password used an online survey by Method Research, distributed by Dynata, of 1,000 full-time US computer/desk-job employees; 50% of respondents work in their company's IT department, and 50% came from any department. Respondents were 18 and older, and "roughly balanced across age and geographic area." Data was collected from April 15 through 23, 2020.