Guidelines for Approving Free Online Tools for Employee Use

By: Anders Bryde Thornild Cyber Security | 8 December

In today's business world, an endless array of free online tools is available to help employees be more productive: PDF editors, file-sharing tools, and translation software, just to mention a few. While it's tempting to allow employees to use all these tools, we recommend that companies have either a set of guidelines about what employees should be aware of or a list of tools that have been vetted by the IT department. It can also be tempting to block all free tools, but you might meet resistance from employees and make your company less effective. So the question is: what criteria should the IT department use when assessing these tools? Here are a few things to consider.

We recommend people ask IT, who create the guidelines

You can’t expect employees to evaluate which tools are trustworthy, as there are a number of potential security risks to be aware of when using online tools. Therefore, we always recommend that employees ask the IT department before they use a new free tool. But this means that people might come running with questions about random tools all the time. In a dream scenario, the IT department would make a risk assessment of each tool, but of course this could take a lot of time. Therefore, it can be helpful to have a set of general guidelines that indicate what people can use and when.

Creating guidelines for free tools can be difficult

It can be difficult to create bulletproof guidelines, and there will always be edge cases. If people stumble upon these edge cases, they should ask IT. For the guidelines themselves, there are a few things to consider that will determine whether employees should be allowed to use a tool (PS: we have a template for creating an Acceptable Use Policy, which is basically guidelines for IT usage).

Data Security is important to consider

One of the most important considerations when approving free online tools for employee use is data security. When assessing a tool, IT managers should ask themselves whether employees will be giving away any important company data when using the tool. If so, it's probably best to steer clear. An example could be a PDF-merging tool that can merge two PDFs. If it’s used to merge a recipe for lasagna, it’s probably fine to use (at least from a data perspective; I'll return to other potential dangers later), but if it’s used to merge files with customer data in them, this might be an issue, as you might be sharing this data with a third party that you don’t know. Suddenly, it’s a question of data processor policies and so on.

Will users be downloading files?

Another thing to consider is whether users will need to download anything from the free tool in order to use it. In the PDF example from above, a user would normally upload two PDFs, which would then be merged by the tool. After the merge, the user downloads the resulting file. In many cases, downloads can introduce security risks into a company's network. For this reason, it's generally best to avoid tools that require downloads unless you know and trust the company that created the tool. You never know if the PDF you receive is infected with malware or something like that. You could research the tool and look for reviews through G2, Trustpilot, or other platforms, but you can’t expect your employees to do that. They were probably looking for a quick solution. Therefore, a recommendation could be that employees are not allowed to use tools where they need to download anything unless it’s approved by IT. On the other hand, if you trust your employees to do the research properly, then they might be allowed. The guidelines could state that it’s allowed if the research is done beforehand. You know your co-workers best.

Do employees need to install programs?

Finally, IT managers should also consider whether employees will need to download and install a program in order to use the tool. In most cases, programs introduce even greater security risks than downloading files does. You potentially give access to your systems and you should be cautious with this. A lot of companies have blockers that prevent employees from installing programs. Again, it takes research to make sure you can trust the vendors. It might be best if the IT department does the research, but it depends on your setup in your organization.

Keep an eye on what people are asking for

There are probably more things to consider when it comes to free online tools, but the above 3 are, in our eyes, the key considerations. Another small tip for your IT department is to keep an eye on what people are asking for. Let’s say that 5 different employees ask to use some kind of free PDF merger tool; then it might be worthwhile to find a tool that can solve this issue, as it’s something people need in their daily operations. You can then help people become more productive while also removing a potential security risk.

Create awareness in your company

Before creating guidelines and going too deep into risk assessments and so on, the most important thing you can do is to simply make your employees aware that tools like these might be harmful. Not everyone might think to ask IT when they just want a quick solution to a problem. Make sure to raise awareness of the issue among your employees. Inform them that any new, unapproved tool must go through IT if no other rules are in place. In this way you will start getting questions and that might help you learn what users are actually using or wanting to use. 
 
In CyberPilot's awareness training, we have a course for this very purpose: spreading awareness about free online tools.