oporkka - Fotolia

Shadow IT lurking in Southeast Asia

Singapore and Malaysia have the highest proportion of employees who use unapproved personal devices at work, according to a VMware survey

Over a third of employees in Southeast Asia are using unapproved personal devices for work, putting their organisations at risk of falling prey to data breaches and cyber attacks, a new survey has found.

Among 2,000 professionals surveyed by VMware across Southeast Asia on their bring your own device (BYOD) habits, a further 38% failed to comply with their company’s IT policies or do not know them at all.

The biggest culprits in the region were employees from Singapore, where one in two respondents said they did not always comply with IT policies. This was followed by Malaysia (42%), Indonesia (38%) and Thailand (24%).

In a separate study by Fujitsu, nearly one in five business leaders in Singapore are already bypassing IT departments to make technology purchases at their own discretion in what is commonly known as shadow IT.

Singapore and Malaysia also had the highest proportion of all users (both at 38%) who use unapproved personal devices at work, followed by Indonesia (34%) and Thailand (30%).

Whether the devices were sanctioned by IT departments or not, a majority of employees (65%) across the region used them to check work emails and 41% used them for accessing work files.

In Thailand, 52% of employees used mobile devices to conduct financial transactions, followed by Malaysia (37%) and Singapore (28%), where respondents were least keen on making financial transactions on their mobile devices.

Read more about enterprise mobility in APAC

Even though enterprise mobility is generally gaining wider adoption across the region, perennial challenges abound.

At least 79% of respondents said they struggled with work apps, partly due to user interface issues that could affect productivity. Some 34% grappled with differing interface experiences, while 32% reported that their apps did not sync across devices.

Another challenge with devices was having too many passwords to remember, faced by 45% and 42% of respondents in Singapore and Malaysia, respectively.  

Not surprisingly, 33% of employees in the region used the same password across multiple devices and 29% saved passwords as notes on mobile devices, exposing their organisations to cyber security attacks.

On a country level, at least 37% of Thais and 31% of Singaporeans preferred to use the same password across devices. In Malaysia and Indonesia, the figures were 29% and 25%, respectively.

Balancing consumer preferences with enterprise security

Ron Goh, president at VMware Southeast Asia and Korea, noted that as the benefits of digitisation extend across an organisation to include a broader set of employees and endpoints, there is an urgent need to balance consumer preferences with enterprise security.

He said the gaps, vulnerabilities and inefficiencies unveiled by the survey underscored the need to plug gaps that could significantly hinder competitiveness and growth among organisations in Southeast Asia.

The answer to plugging those gaps, however, may lay with exerting greater control over mobile devices through alternative mobility approaches such as corporate owned, privately enabled (Cope).

This means employees can choose from a list of corporate-owned and approved devices, which can also be used for personal purposes. This is less rigid than approaches that enable employees to choose from a list of corporate-owned devices to be used for business purposes only.

Experts have said the choice of approach depends on an organisation’s risk appetite and IT support costs.

Regulated industries such as financial services tend to prefer Cope where devices can be centrally managed, while negating the need for employees to carry separate devices for work and play.

BYOD is favoured more by organisations without strict data sovereignty requirements, although support costs can grow quickly for devices that have not been tried and tested in a corporate IT environment.

Read more on IT risk management