Controlling rogue apps (applications that employees connect to your files without approval) has been a longtime challenge for IT and security teams. These third-party, internet-based applications can give your employees additional functionality, such as automatically scheduling appointments on their calendars or letting them create graphical representations of data. However, they may also be putting your data and your business at risk.
In 2020, cybersecurity company Proofpoint researched OAuth apps (apps that a user authorizes to access an account through an access token, rather than by handing over a login and password) that were readily available to internet users. Those researchers found that more than 180 of those apps were involved in attacks that exfiltrated data from 55 percent of users, and they had a 22 percent attack success rate.
In many cases, it’s not immediately apparent if an employee has connected cloud files to a rogue app. You have even less visibility into the apps your employees are using when you adopt the work-from-home model. So, how can you control what’s connected to your cloud files when employees work remotely?
Even though remote employees are away from the watchful eye of your IT or security team, it’s not necessary to accept the risks that rogue apps represent. Here are three steps you can take to minimize this threat to your business.
Your employees may not understand the data security risk created by using a plug-in or connecting an app to a Google Workspace or Microsoft 365 file. Ensure that employee training covers rogue apps and why your team should never use them. Prior to those training sessions, meet with your IT and management teams to create a whitelist of approved applications as well as a blacklist of applications employees should never use due to security vulnerabilities. Also, consider regulatory compliance and prevent employees from using apps that don’t align with the security requirements and best practices set forth in the Health Insurance Portability and Accountability Act (HIPAA), the EU’s General Data Protection Regulation (GDPR), or other data protection regulations.
Also, stress during training that if your employees want to use an app that hasn’t been evaluated and whitelisted, they must notify your IT department and get approval before using it in your remote work cloud environment.
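The whitelist and blacklist described above only help if someone actually compares them against the apps employees have connected. The following Python script is an added example, not code from the original article or from any vendor: it takes an inventory of OAuth grants (the record fields `user`, `app_name`, `client_id` and `scopes`, and the sample records themselves, are constructed assumptions about what an admin console export or DLP tool would provide), checks each grant against the approved and banned lists, and flags unreviewed apps that hold scopes giving them access to file contents. The Google Drive scope URIs and Microsoft Graph permission names in `FILE_SCOPES` are real; the client IDs are placeholders.

```python
"""Triage third-party OAuth app grants against an allowlist/denylist.

Added illustration, not from the original article. Record layout and sample
data are constructed assumptions; scope/permission names are real.
"""
from dataclasses import dataclass, field

# Scopes and permissions that expose file contents in Google Workspace
# (Drive scope URIs) and Microsoft 365 (Graph application permissions).
FILE_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.file",
    "Files.Read.All",
    "Files.ReadWrite.All",
})

# Policy lists keyed by OAuth client ID (constructed placeholder IDs).
APPROVED = frozenset({"approved-scheduler.example"})
BANNED = frozenset({"shady-exfil.example"})

# Lower number = more urgent. "approved" grants need no follow-up.
SEVERITY = {"banned": 0, "unreviewed-file-access": 1, "unreviewed": 2}


@dataclass(frozen=True)
class Grant:
    user: str
    app_name: str
    client_id: str
    scopes: tuple


@dataclass
class Finding:
    user: str
    app_name: str
    verdict: str
    file_scopes: list = field(default_factory=list)


def evaluate(grant, approved=APPROVED, banned=BANNED):
    """Classify one grant: banned > approved > unreviewed with/without file access."""
    file_scopes = sorted(s for s in grant.scopes if s in FILE_SCOPES)
    if grant.client_id in banned:
        verdict = "banned"
    elif grant.client_id in approved:
        verdict = "approved"
    elif file_scopes:
        verdict = "unreviewed-file-access"
    else:
        verdict = "unreviewed"
    return Finding(grant.user, grant.app_name, verdict, file_scopes)


def triage(grants, approved=APPROVED, banned=BANNED):
    """Return findings that need IT follow-up, most urgent first."""
    findings = [evaluate(g, approved, banned) for g in grants]
    actionable = [f for f in findings if f.verdict != "approved"]
    return sorted(actionable, key=lambda f: (SEVERITY[f.verdict], f.user))


def apps_needing_review(grants, approved=APPROVED, banned=BANNED):
    """Map each unapproved app that can read files to the users who granted it."""
    result = {}
    for f in triage(grants, approved, banned):
        if f.verdict in ("banned", "unreviewed-file-access"):
            result.setdefault(f.app_name, set()).add(f.user)
    return result


# Constructed sample inventory (not real grants).
SAMPLE_GRANTS = [
    Grant("alice", "Meeting Scheduler", "approved-scheduler.example",
          ("https://www.googleapis.com/auth/calendar",)),
    Grant("bob", "Chart Maker", "chart-maker.example",
          ("https://www.googleapis.com/auth/drive.readonly",)),
    Grant("carol", "Chart Maker", "chart-maker.example",
          ("https://www.googleapis.com/auth/drive.readonly",)),
    Grant("dave", "Free PDF Tool", "shady-exfil.example",
          ("https://www.googleapis.com/auth/drive",
           "https://www.googleapis.com/auth/gmail.readonly")),
    Grant("erin", "Emoji Pack", "emoji.example",
          ("https://www.googleapis.com/auth/userinfo.email",)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f"{f.verdict:<24} {f.user:<6} {f.app_name} {f.file_scopes}")
    print(apps_needing_review(SAMPLE_GRANTS))
```

The design choice worth noting is that the blacklist is checked before the whitelist, so a client ID that ends up on both lists is treated as banned, and that an unreviewed app is escalated only when its scopes actually reach file contents; an app that merely reads a profile email address still appears in the report, but below the ones that can exfiltrate documents.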
Because you can’t stop by an employee’s desk or talk through digital workflows at a face-to-face meeting, you may be tempted to deploy employee monitoring software to track what remote workers are doing. A word to the wise: Don’t. This software is designed to follow the employee as they browse websites, collaborate in the cloud, and use apps. Watching every move an employee makes may provide you with the visibility you need to protect your data and your business, but it may also give the impression that you don’t trust your employees or that you are building evidence to support firing.
Instead of employee monitoring software, the better strategy is to deploy an intelligent data loss prevention solution that follows the data, not the employee’s activities on the network. This type of solution restores and enhances visibility into the apps connected to cloud files, as well as the collaborators who have access to your data and how they are sharing it. Furthermore, a solution designed to run in the background, without requiring the employee to add steps or slowing the pace at which they work, will allow your team to maintain its typical level of productivity. You’ll also preserve the positive work culture you’ve worked so hard to build rather than damage it with a “Big Brother is watching” solution.
Once you’ve established policies regarding rogue apps, trained employees, and deployed a solution to monitor for noncompliant behavior, you have to be committed to addressing it if it occurs. If the policies you’ve established state that employees who don’t comply will have to go through retraining or face other consequences, keep your word. If employees perceive policies don’t have teeth, they probably won’t pay attention to them.
Remember, however, that enforcing rogue app use policies isn’t merely about getting employees to comply. It’s about protecting data, and you are responsible for making that happen.
Remote work has become routine during the continuing pandemic, and, for some companies, it will be a permanent business model. As long as you have employees working from home, either short- or long-term, you need to ensure that you have policies in place that prevent the use of rogue apps that put data security at risk.
Using an intelligent, cloud-based data loss prevention solution is the best way to maintain visibility when employees work from home and to ensure that rogue apps don’t have access to sensitive data in your cloud files.
Sign up for a free Rapid Security Assessment to quickly identify risks to your network.