When the COVID-19 pandemic hit in 2020, our lives, and our world, changed. As the pandemic raged on, an unprecedented number of organizations moved to remote work, and the way IT functioned fundamentally transformed. Over two years later, many of those organizations have chosen to permanently trade the office tower for the home office, and IT is faced with new, unique challenges.
Many studies show working from home (WFH) promotes a better work-life balance, but there's another side to the remote-work lifestyle. In 2021, HP Wolf Security (PDF) reported that 76% of office workers surveyed believe "working from home during COVID-19 has blurred the lines between their personal and professional lives."
According to the survey, 69% have used personal laptops or printers for work activities, like scanning and sharing documents with colleagues and customers, and accessing work applications.
Similarly, 70% of respondents admitted they've used work devices for personal tasks — everything from gaming and content streaming, to homework and online shopping.
Here is where the research gets particularly interesting.
When asked, IT decision makers (ITDM) estimated around 33% of their employees were using their work computers for personal activities. If we do the math, this means around 37% of ITDMs are unaware of what their employees do with company devices in a remote-work scenario.
How do we bridge that gap?
Years ago, security and/or IT departments would announce edict-like policies without another word and expect full cooperation. These policies look good on paper but when humans are faced with rules that are hard to follow, or get in the way of their work, they find ways around them.
In this case, workarounds make valuable business systems vulnerable and need to be addressed, but introducing more rules to govern the original rules isn't the solution.
Here's the thing: There's nothing we can do to stop the behavior altogether. Jason, our founder and CEO, touched on this fact in What is Shadow IT? We can't solve these problems by simply blocking applications, creating more policies, or punishing people. Restrictive, punitive actions typically have the opposite effect.
But we can talk to people, try to understand them, and empathize with them. We can educate them. We can teach them that actions that seem innocent can be devastating. It's important to maintain an ongoing dialogue with your employees.
Just as folks need to understand what's acceptable and safe to do with employer-owned equipment, we need to understand what they're trying to accomplish with their actions and why. That level of understanding only comes when the parties involved engage in conversation.
There's also a certain level of acceptance that should come into play. Now, acceptance doesn't mean we grant blanket permission to people to do whatever they want. It means we embrace reality and save our energy for more proactive tasks, like security awareness and training.
But true education goes beyond the annual security course that's required for compliance purposes. We want to encourage a culture of security; to shift mindsets so people make security-conscious decisions by default. When employees make more informed choices, it's much easier for the IT team to be proactive.
Not to claim omniscience but, at Kolide, we knew something about this topic long before the pandemic-related research was published. We wrote in our Honest Security guide, that teams need to "anticipate and expect that end-users use their company-owned devices for personal activities."
From our experience, positive relationships among IT, security, and the rest of the company are incredibly important and absolutely worth the effort to foster; they're relationships built on trust and transparency. IT teams can benefit from more open communication, better data management and process efficiencies; the business can benefit from more collaborative decisions and increased productivity.
To foster an open, honest relationship, both sides need to talk. Be open about what you hope to learn from your employees, and what you hope they will learn from you.
Then empathize, embrace, and educate.