Officially or not, employees are doing their own IT work. A recent poll found that seven out of 10 office employees use online tools outside of those licensed by their IT department for work purposes. Employees who were polled said that IT departments are too slow-moving and that it is easier to use their own tools—such as free cloud services.
This sort of self-service IT is exactly what the information security industry has warned against; when everyone is using their own tools and accounts, there is no way to track who has what data and what they are doing with it.
Preventing self-service IT
Updating technology takes time and money, and getting approval for that kind of investment can take months. Chances are, by the time it has been approved and installed, employees are already using the technology and just not telling anyone.
So, what is an IT professional to do? You can’t stop how fast technology moves, but you can work on two things: speeding up the technology approval process and slowing down employee tech adoption.
Speeding up security approval
The “Year of the Data Breach” has made this a much easier task than it would have been pre-2014. CEOs and company stakeholders have seen how much damage a breach can really do. They now recognize that a data breach is not just an IT problem; it is a company-wide problem that could end up costing them their jobs.
Even though more and more CEOs understand the importance of information security, you still need to speak their language to get their buy-in. Andrew Platos spoke on this very topic during his January WebTracks Webinar. He said it best when he explained, “language not only affects comprehension, but also acceptance.” Check out his webinar and our blog post on how to effectively communicate risk to executive leadership.
Slowing down employee tech adoption
Unfortunately, this task has never been more difficult. Our society has been conditioned to want the latest and greatest technology ASAP—not once it has gone through company approval. Here are a few things you can do to help the self-service IT problem:
- Add admin permissions: Some software-as-a-service products require download and installation, so take away employees’ ability to install new software. Require employees to get your permission to do so (by requiring passwords).
- Break down the problem: No one wants to sit through an all-day security policy meeting; after the first 30 minutes, you probably lose the attention of a majority of employees, so break the security talk down into bite-size pieces. People learn better when a message is repeated over and over, so send emails, hold mini-meetings, forward relevant articles, etc.
- Be transparent: Tell employees what the IT department is working on. Blame it on TV shows or whatever you would like, but many people think all security pros have to do is click a few buttons and magic happens. Bust this myth by keeping employees informed on what you are doing and let them know when you are working with company stakeholders to implement new technology. If that doesn’t work, instilling a little fear in employees helps, too.
Change isn’t going to happen overnight; it requires patience and persistence. Keep preaching information security and, eventually, the message will set in and change will occur.