Reducing Work-From-Home Risk From Shadow IT During COVID-19
End User Computing (EUC) policies are complex, and relying upon time-pressured individuals to execute such guidelines is not only a big ask, but also impractical. What’s just compounded this challenge? The re-location of so many corporate employees to remote work.
As PricewaterhouseCoopers pointed out in a new cybersecurity study, these EUCs, or “Shadow IT” assets, present a definite source of risk during COVID-19, against which they recommend specific measures:
Review web traffic logs to monitor for the use of shadow IT (e.g. file sharing, video conferencing, and collaboration tools), and work to implement and move users towards business-approved and secured solutions (e.g. using Cloud Access Security Brokers and web proxy filtering).
Conducting an EUC inventory is impractical with manual processes
The first step a company must take in minimizing their risk is to inventory their Shadow IT assets. But what measures must risk managers take to assemble a proper inventory of EUCs? To begin with, every EUC must be clearly defined – what software program is it built in? And based on company policy, what is its criticality? Thereafter, it needs designated owners, validators, which business-critical EUC inventory should the application in question should be logged under, and so on. Given that, in any organization, the number of EUCs typically can run in the hundreds or even thousands, manually adhering to EUC policy for every single application in any accurate way is a big task.
This approach is, naturally, prone to human error. Often, users are asked to fill forms to provide details of the EUCs they use and own, but invariably they only provide high-level information and may not even provide a complete set of answers. Moreover, the document for compiling the EUC inventory is usually…another spreadsheet!
Utilizing technology for EUC policy compliance during COVID-19
With the sudden transition to a work-from-home or remote workforce, you can easily imagine the complications this creates when it comes to the number of EUCs and scattered assets – and the attendant risk it poses.
Technology systems offer the best chance of compliance with EUC policy across the enterprise, via the creation of a customized framework based on the specific EUC policy of the organization. These are practicable even at times such as this, with a distributed workforce, and are more of an urgent need than during “normal” periods.
An EUC inventory template from the technology provider is delivered blank to the client organization, who can tailor it based on their own requirements and EUC management goals. So the initial questions may include: What is the type of EUC (e.g. Excel, Access, Matlab file)? What is the material risk (i.e. operational, regulatory, financial, reputational) of the application to the organization? As well as other organization-specific questions.
Based on the response to the various questions, further queries might be required – for example, if the file is high risk, then there must be a suitable decommissioning plan inputted. Technology can ensure that this additional information is captured through mandatory fields to support EUC policy compliance.
As questions are answered, department and ownership information are also captured using Active Directory. This allows an organization to create a consistent, holistic picture of the EUC landscape to provide a clear view of the key files that exist across the organization. For example, if there are a thousand files registered, there would be enough granularity to know that one hundred are on remote devices, of which 10 are critical and two are pricing models.
The flexibility and benefits of a technology-based EUC approach
Of course, EUC policy controls cannot be based on a ‘point in time’ visibility of the EUC landscape. Crucially, technology helps support a ‘living’ inventory that’s always current, not one that is only current at the time of the annual assessment. An EUC application that may have been medium risk at the start of the year could potentially become high risk because it’s now being worked with remotely, in a different security context. With the automation that technology systems provide, that change is automatically recorded, and the required policy controls enforced.
If the status of the workforce changes – whether shifting to a remote basis, or transitioning back into the office – any changes to policy can be accommodated in the questionnaire, which can then be pushed out automatically to employees. Similarly, if a specific EUC owner leaves the organization, the files that need to be ‘re-homed’ can be easily flagged. Ever-changing regulatory pressures mean that changes to the policy may also be required, so new questions must be added to the inventory questionnaire. With the right technology, this, too, can be automatically pushed out to users with a request for additional information.
All the registered EUC files can then be automatically subjected to change management and control standards based on the organization’s EUC policy to include things like version management, access supervision, and protection monitoring alongside audit trails for compliance and risk management. The system also facilitates remediation or decommissioning of EUCs based on the organization’s policy.
Keeping EUC ownership where it belongs
It’s worth noting that by ensuring users register EUC files, ownership of EUCs then sits with the business, which is their rightful home. EUC files must never be in the sole remit of individual users, even – or especially – if they work remotely. Such a situation exacerbates the risks posed by business-critical EUC files. The automation delivered by technology provides built-in safeguards for the business to pre-empt and mitigate any risks that emanate from the critical files.
A good EUC policy also underpins formal model risk management, which is becoming essential for regulatory compliance. Technology can help organizations understand what models exist, how they are interlinked across the model ecosystem and how they are currently managed.
It can offer complete visibility into employee compliance processes and a detailed understanding of the unstructured documents, systems and applications that individuals are dependent on in the day-to-day running of operations. It safely facilitates attestation and review, regular reporting and full auditability through to model governance to reduce risk.
Embracing technology is the most reliable, trustworthy, time efficient and cost-effective way of managing the entire EUC environment in organizations – from the creation of EUC policy and adherence through to model risk management for regulatory compliance. Today, as employees are forced to work remotely, this is more relevant and necessary than ever.