
What Is Shadow IT? How It Can Damage Your Business

June 12, 2017

By Catherine A. Casey (CEDS), Vice President


For information security and e-Discovery, what you don’t know CAN hurt you

Exigent

Forget social media or big data for one second; the biggest vulnerability for many corporations and law firms today lies in the murky realm of Shadow IT. I first heard this term during an ACEDS (Association of Certified E-Discovery Specialists) podcast by Sharon Nelson discussing trends in the EDD (Electronic Data Discovery) space. It immediately conjured up images of the nefarious dark web, complete with hackers and porn. Thankfully, with some quick Googling, I discovered that while it is nowhere near as illicit and illegal, Shadow IT can be deadly dangerous to an organization.

What is Shadow IT?

According to Skyhigh Networks, Shadow IT refers to information technology projects that are managed outside of, and without the knowledge of, the IT department. Shadow IT was previously limited to unapproved Excel macros and boxes of software that employees bought at office supply stores. It has grown exponentially in recent years, with advisory firm CEB estimating that 40% of all IT spending at a company occurs outside the IT department. This rapid growth is partly driven by the quality of consumer applications in the cloud, such as file sharing apps, social media and collaboration tools, but it is also increasingly driven by lines of business deploying enterprise-class SaaS (Software as a Service) applications. In many ways, Shadow IT is helping to make businesses more competitive and employees more productive, but it also poses potential risks.

Unwitting Poster Child of Shadow IT

Presidential candidate and former Secretary of State Hillary Clinton has been dealing with the backlash over setting up a private email system outside the IT infrastructure of the White House. This rather sophisticated bypass of the IT infrastructure and protocols afforded Clinton complete autonomy and privacy for both work and personal emails. It also breached the information security protocols of the White House, exposed confidential State secrets to possible cyber intrusion and was “conjuring up an image of cloak-and-dagger messages passing between heads of State, skirting the Government server that secures, monitors and records sensitive emails.”

While Clinton went to an extreme, going so far as to secure a cloud-based server completely beyond the scope of IT, she is not alone by a long shot. Many employees, soon to be the majority, bypass the often slow and outmoded IT infrastructure in place at their company, in favor of reducing the number of devices they have to carry and/or employing cutting-edge apps or SaaS-based solutions for their business problems.

How and Why Are Employees Turning to Shadow IT?

Often employees see IT and its security and controls as a hindrance to doing their jobs effectively and efficiently. As a result, they are increasingly turning to programs, devices and services beyond the oversight and control of the IT department. A study conducted by IBM Security found that 1 in every 3 Fortune 1000 employees regularly saves and shares company data to external cloud-based platforms, which their companies cannot track.

BYOD

Bring Your Own Device (BYOD) is perhaps the most discussed form of Shadow IT, and it is now the new norm, stemming from the desire to have the newest tech and to avoid the inconvenience of carrying duplicate devices for personal versus business purposes. Simply put, BYOD is the policy of permitting employees to bring personally owned mobile devices (laptops, tablets and smartphones) to their workplace and to use those devices to access privileged company information and applications.


While BYOD may be the new norm and is codified in many corporate handbooks and policies, that does not negate the risk to which it exposes corporations; rather, it is an act of attrition in the face of an unstoppable force. A recent study found that 67.8% of smartphone-owning employees bring their own smartphone to work, 15.4% of these do so without the IT department’s knowledge and 20.9% do so despite an anti-BYOD policy.

Apps

When Apple first started selling iPhones, there was a closed system in place for the development of apps and there were merely 800 from which to choose. As of July 2015, that number had grown exponentially to over 1.5 million in the Apple App Store alone, and as of June 2015, Apple announced that over 100 billion apps had been downloaded.

A new generation of cloud productivity applications, such as enterprise social networking, file sync/share and IM/VoIP, is increasingly being used by employees on personal and company devices. This has been coined Bring Your Own App (BYOA), and it carries many of the same inherent risks as BYOD for system security and integrity.

Cloud Computing

Cloud computing and related SaaS/Platform as a Service (PaaS) applications have created a new avenue for employees and entire departments to easily circumvent internal IT.

External Email

With the ubiquity of BYOD, the intermixing of work and private emails is an unfortunate but foregone conclusion. Some commingling is completely accidental, due to the proverbial butterfingers moments (we all have them), having the wrong email account set as default or pressing Send before verifying which account you are sending from. Sometimes the ‘mistake’ is less innocent and is done specifically to remove data from the company or to share it with someone the company would rather not have it.

What’s the big deal?

Many of the employees turning to Shadow IT are doing so to do their job better. Unfortunately, when they are looking to get work done better and faster, they often are not thinking of the data security, compliance and big-picture continuity impact their actions may have.

The risks posed by unregulated use of external applications were highlighted recently when Chinese iOS developers disclosed a new OS X and iOS malware on Sina Weibo. Alibaba researchers then posted an analysis report on the malware, giving it the name XcodeGhost. Compromised applications include popular mobile chat app WeChat, Uber-like car-hailing app Didi Kuaidi and a Spotify-like music app from internet portal NetEase Inc.

Malware is not the only, or even the greatest, risk. Often devices, along with the confidential and valuable information on them, are lost or stolen, and when IT is not involved in monitoring and remotely wiping those devices, the lost data is vulnerable.


What can you do?

Companies end up paying dearly for the perceived benefits of Shadow IT: it means no centralized IT oversight, fortifies organizational silos, impedes cross-functional collaboration and increases security risks. So what can an enterprise do to mitigate the risk while not stifling employee initiative and efficiency?

  1. Have a clear IT policy addressing internal and external IT resources.
  2. Identify the weaknesses within IT that created the need for Shadow IT in the first place.
  3. Re-establish relationships with departments and individuals that regard the IT department as a hindrance to their job.
  4. Reinstitute the IT department as the single gatekeeper for technology solutions in the workplace.
  5. Embrace Shadow IT, cautiously.

It’s Not All Bad News

As the saying goes, “if you cannot beat them, join them,” and in the case of Shadow IT, “for most IT organizations, resistance is futile,” said Simon Mingay, vice president of research at consulting firm Gartner. “Better to embrace it and acknowledge that employee IT and digital skills in the increasingly digital workplace are an opportunity to innovate and create more value from IT and digital investments.”

Mingay further advises CIOs to adapt and change the nature of the IT engagement, “to bring Shadow IT out of the shadows; make it transparent; provide services that support it.”

Out in the light, the role of IT adapts to one of “managing the critical and complex enterprise solutions, while guiding, nudging and shepherding elsewhere.”
