How employees use applications for work is changing. In the wake of COVID-19, the shift to remote work and rapid digitization empowered people to work however they wanted. Left to their own devices, employees started using the applications they preferred, instead of the applications approved by their employers. As a result, employers saw an increase in productivity, but they also saw an increase in cyberattacks targeting applications.
Today, securing cloud-based applications is more critical, yet more challenging, than ever before. For applications that support security standards, securing them is a relatively painless process, but not every application meets these criteria.
In fact, some of the most common applications today are simply “unmanageable.” Without industry or security standards to support them, unmanageable applications create a host of new problems for organizations, including misinformation, data breaches, and fraud.
In response, many employers attempt to block these applications, even though their employees don't want anything to change. As a result, many employees are still using their preferred applications for work, even if prohibited by their employer.
Employee behavior around application choice has permanently shifted, whether employers like it or not. As a new generation of professionals gains its footing, and an even newer generation enters the workforce, a new mindset around application choice is emerging.
At Cerby, we’re calling this phenomenon the “COVID hangover.” To navigate this new landscape, we believe that organizations need a new approach for securing cloud-based applications in a post-COVID-19 world.
We were curious about what a new solution for application security looks like, so we partnered with Osterman Research to find out. Together, we spoke with over 500 business professionals across the US and UK to determine how employers should approach this new normal from a technology perspective.
It started with the shift to remote work when organizations had to adopt a “do whatever it takes” approach to stay productive. Once limited by legacy applications and office networks, employees suddenly had more freedom than ever before. For the first time, they could choose where, when, and how they worked.
At the same time, responses to COVID-19, including the shift to remote work, sped up digitization in almost every industry. Most organizations simply weren’t prepared for the transition when their employees started working from home–but threat actors were.
The pandemic created new, seemingly endless opportunities for cybercriminals with real repercussions for their targets. Year after year, the average cost of a data breach keeps going up – in 2022, it's $4.35 million USD.
Included in that sum are regulatory compliance fines, costs from operational downtime, and reputational damages. For organizations where remote work is a factor, the cost of a data breach can be even higher: almost $1 million USD more.
In response to these unprecedented risks, many organizations opted to double down on enforcement-based approaches to cybersecurity, which, for example, establish policies on which applications employees can and cannot use for work. But enforcement-based controls often take a heavy-handed approach to security, blocking users from the apps they prefer with impersonal prompts to contact an administrator to keep using them.
Enforcement-based approaches to unmanageable applications are also popular, according to our research: 78% of employers have policies on applications, and 61% of employees have had applications blocked. The research also reveals that employees often view application bans as undermining trust and killing job satisfaction.
People don’t want to give up control of their applications. In fact, 92% of employees and managers want full control over the applications they use for work, including the right of selection without the threat of veto by their employer. But many employees and managers also report they will continue to use the applications they want, with or without employer approval.
In the midst of the COVID hangover, managing applications is becoming more challenging for businesses, yet increasingly critical for success. Unfortunately, many of these applications fall into the “unmanageable” category.
Whether it’s FinTech apps, MarTech apps, or social media apps–unmanageable applications help businesses meet their goals. Many organizations openly recognize the benefits of unmanageable applications, and some even allow their employees to use them. But as the name suggests, managing unmanageable applications isn’t easy to scale.
Unlike Shadow IT–a term that includes any applications used outside the purview of IT and security–unmanageable applications are applications that don’t support industry and security standards like Security Assertion Markup Language (SAML) for authentication, and the System for Cross-domain Identity Management (SCIM) for user management.
Today, taking reasonable steps to protect your organization’s reputation, financial, and legal best interests includes securing cloud-based applications, even if they’re unmanageable. For most organizations, that looks like:
Even if your organization has a comprehensive application management program in place, there will always be ways around it. But giving employees complete control over their applications isn’t the answer either.
Heavy-handed approaches to cybersecurity generally end up blocking key applications, and killing productivity. And, they don’t necessarily work, either. Our research shows that 51% of employees will still use applications for work, despite company policies or prohibitions.
There’s an obvious gap between employers’ perception of control over apps, and the reality of the employees using them. As hard as it may be to admit, companies ignore this trend at their own peril.
To learn more about the pros and cons of existing management methods for unmanageable applications, check out this blog post from Cerby’s Chief Trust Officer, Matt Chiodi.
At Cerby, we were curious about how organizations actually manage access to unmanageable applications in a post-COVID-19 world, without support for common identity and security standards.
Most surprisingly, we found that 42% of employees are responsible for managing their own passwords. We also found that most employees and managers are making access management up as they go along, without uniformity or consistency. This mishmash of approaches is creating untold risk and exposure for organizations and their data–there’s a reason password compromise is one of the most popular methods of cyberattack.
It’s understandable why employers crack down on certain applications. However, as a long-term, comprehensive solution, this approach isn’t sustainable. The fact is, employees want control over their applications, and they’re willing to do almost anything to keep it.
Managing unmanageable applications is challenging given their lack of support for standards. Here are a few things your organization should be focused on building to make them more secure:
This list might seem short and sweet, but in reality, the manual tasks associated with each of these responsibilities are tedious and time consuming–a deadly combination that creates inefficiencies and vulnerabilities for organizations, and demoralizes teams.
So, what’s the alternative?
The best approach is to look for solutions that strike a balance between employee choice with applications and employer responsibilities with security and compliance.
The ideal unmanageable application management solution should:
Enrollment-based options are user-centric and employee-friendly, which means your employees can self-enroll applications in a single security solution that automatically configures manual tasks such as rotating passwords, enabling 2FA, and tracking user activity.
When employees understand that application choice comes with responsibility, security becomes everyone’s concern. When registering employee-chosen applications is easy, those same employees who resent company-wide policies on applications will become willing participants in strengthening security, and ensuring compliance.
Discover a new approach for unmanageable applications
Organizations must find a new approach for identifying unmanageable applications and assessing their risk before they lead to cyberattacks, misinformation, or fraud. However, adopting a new approach can often feel like starting from scratch, especially when most of the tasks are manual.
Fortunately, there are emerging solutions that can help. At Cerby, we’ve created the first security platform for unmanageable applications.
We’ve heard the same story from many of our customers: before Cerby, they were managing unmanageable applications manually. Since we released our platform in 2021, Cerby’s software has enabled clients including L’Oreal, Wizeline, and FOX to fix common application liabilities efficiently while facilitating collaboration.