A survey of 500 workers and managers in the US and UK, conducted by Osterman Research for cybersecurity firm Cerby, found that nearly half of respondents (47%) said they would accept a 20% pay cut in exchange for more trust from their employer.

Other features that researchers found employees love include flexibility (48%), autonomy (42%) and the ability to choose the applications they need to work effectively (39%).

The State of Employee Trust Report by Osterman and Cerby examines the impact of zero-trust principles, which many companies are rapidly adopting in response to the cybersecurity risks created by workers’ and managers’ use of “unmanageable applications.”

“Applications are intimately tied to levels of employee engagement and empowerment. If employers try to block such applications, which they often do, it has a negative impact on trust,” said Matt Chiodi, chief trust officer at Cerby, a San Francisco-based zero-trust architecture provider for unmanageable applications.

“Sixty percent of employees said that if an application they want is blocked, it negatively affects how they feel about a company,” Chiodi said.

“The answer is not for employers to block these applications, but to find solutions to manage the unmanageable,” he said.

Workers under control

Security teams frown on the use of unmanageable applications, also known as shadow IT, for many reasons. “Employees come and go. An organization can end up with thousands of unused credentials accessing its resources,” explained Szilveszter Szebeni, CISO and co-founder of Tresorit, a provider of encryption-based e-mail security solutions in Zurich.

“With a mountain of dormant logins, it is easier for hackers to break into some accounts unnoticed and pave the way to infiltrate the organization through lateral movement,” Szebeni told TechNewsWorld.

Unmanageable applications can endanger an organization because it has no control over the security practices imposed on the program’s development and management, noted John Yun, vice president of product strategy at ColorTokens, a standalone zero-trust cybersecurity solutions provider in San Jose, California.

“The organization also has no oversight of application security update requirements,” Yun said.

Without any enforcement controls, organizations cannot trust access to their environments, said Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation in Tel Aviv, Israel.

“Letting employees choose the best tool for the job, especially when it works with their own equipment, is welcome,” Parkin said.

However, he stated, “It requires a compromise with the organization being committed to scrutinizing which applications it chooses and employees being willing to abstain when their favorite app isn’t on the approved list.”

Roger Grimes, a data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Florida, took a tougher line on the matter.

“It falls to an organization’s cybersecurity risk managers to determine whether the risks incurred are worth the rewards,” Grimes said. “You don’t want the average end user to decide what is or isn’t risky for the organization any more than you want the average passenger to fly on an airplane.”

Is it worth the risk?

Applications are considered unmanageable because they often don’t support common security measures, such as single sign-on and automatic user addition or removal, Chiodi explained.

“This poses a risk to a business, but business users still need those applications,” he said. “Enterprises need to find ways to bring those applications to a point where they can be managed, in order to reduce those risks.”

Labeling applications as unmanageable is misleading, noted Marcus Smiley, CEO of Epoch Concepts, an IT solutions provider in Littleton, Colorado.

“They’re built without support for modern industry security standards, which makes them harder to monitor and secure,” Smiley said, “but while that means they can’t be managed like other applications, they can be managed in different ways.”

“When unmanageable applications are used, there’s always some reason why,” he said. “Many organizations need better communication between IT and employees to clarify company policies and the reasons behind them.”

“IT should also provide channels to request applications and be proactive in providing more secure alternatives to problematic ones,” he added.

Smiley argued that in some situations, allowing unsupervised applications is appropriate to ensure that identity management best practices and more secure configurations are implemented instead of less secure ones.

“Ultimately, there is no risk-free cybersecurity strategy,” he noted. “Every security program, even those with zero trust, includes trade-offs between mission-critical business functionality, productivity and risk.”

The safest approach is to have any application reviewed before adoption by a person or team experienced in cybersecurity, to identify any problems that may arise from use of the software or service, ensure the legal terms are acceptable, and plan for ongoing maintenance, advised Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing firm in Scottsdale, Arizona.

“Unfortunately, many organizations lack the skills or resources to properly assess these risks, resulting in the process not happening at all, or just as bad, dragging on for weeks or months, which hurts employee morale and productivity,” Clements said.

“Balancing cybersecurity risk with employee needs is a practice organizations need to take more seriously,” he said.

“Allowing a Wild West approach will inevitably introduce cybersecurity risks. But on the other hand, being overly rigorous can lead to choosing product or service solutions that are too heavily compromised in terms of usability and user convenience, or to simply denying approval altogether.”

“These can lead to frustration and lead staff to leave the organization or actively subvert security controls,” he continued.

Misuse of zero-trust principles can also increase that frustration. “Zero trust is for data, access, applications and services,” Chiodi said. “But when it comes to building trust on the human side, companies need to aim for high trust. The two things are not mutually exclusive. It is possible, but it will take a change in the way employers use security checks.”

“By offering technology options to employees, companies can demonstrate that they trust their employees to make technology decisions that help them do their jobs better,” added Karen Walsh, director of Allegro Solutions, a cybersecurity consulting firm in West Hartford, Connecticut.