By 2020, one in three successful cyber-attacks on organisations will be via shadow IT (Gartner) – in other words, the apps and software employees use without their employer’s approval or authorisation.
According to Vaughan Klein, Regional Manager of Collaboration at Cisco Australia and New Zealand, the billions of dollars Australian businesses invest in security annually could be for nought if they don’t steps to prevent sensitive information from being accessed and shared on Shadow IT.
Klein noted that part of the problem is that many employees are turning to unauthorised social networking apps and other collaboration resources because they’re impatient with employers that lack the flexibility or agility to adapt their communication methods quickly.
Dynamic Business spoke with Klein and Cisco ANZ’s general manager of security, Anthony Stitt about the business risk posed by shadow IT.
Dynamic Business:What is the scope of the risk posed by shadow IT?
Klein: There’s an increase in prevalence of consumer-based collaboration resources emerging within enterprises, which should be of deep concern, given that by 2020 one third of successful cyber attacks experienced by companies will be on their shadow IT, which analyst firm Gartner have referenced.
The natural ingress point of shadow IT is usually a collaboration tool, of some level or type, that allows them to go beyond their own organisational boundaries.
What needs to happen to block this increasing threat in an enterprise organisation is both ‘security’ and ‘compliance’. Compliance means the enterprise needs to have access to all the communication data between its employees, for example: if two brokers at a bank are communicating, that information needs to be recorded for possible auditing purposes or in the event of an enquiry. What happens right now with consumer-based tools is that you can either have total encryption end-to-end, which means that nobody can see it, allowing potential for brokers to participate in insider trading for example that is totally unauditable, or you have no security, which means you’re prone to attacks and cyber espionage.
The answer is to allow IT to have encryption compliance and auditing capabilities that, at the same time, are securing it from external attacks. It’s what we call the ‘Goldilocks’ policy of security – it’s not too tight, it’s not too loose, it actually represents what an enterprise collaboration tool needs to have in order to be compliant and secure.
Stitt: If we define shadow IT as unknown or unsanctioned cloud IT, then the normal ‘rules’ of security still apply: confidentiality, integrity and availability.
If employees are using IT outside the normal corporate boundaries, how can an organisation enforce policy, especially if the use of these resources is unknown? Even basic policies like passwords can’t be enforced, which means any data in shadow IT is potentially at a heightened risk of breach.
As services become more popular, the risk of an attack increases because they become more lucrative targets. Just about every online gambling service has been extorted and businesses solely reliant on online IT as a service are always at risk of attack.
Dynamic Business: What happens when businesses don’t address shadow IT?
Klein: If you’re using consumer-based technology for free, anything you are accessing means you’re not the customer; you’re the product being sold. Consumer apps want to trade on information and, within the T’s and C’s that you sign up to, you actually agree to them being able to utilise private information in exchange for access to that tool. It’s fine for individuals controlling their own data protection, but it’s a very different set of circumstances – and repercussions – for employees and organisations, potentially sharing sensitive information, who are subjected to legislation.
We’ve seen examples of organisations that haven’t invested in security and compliance, which in the worst cases are forced to go out of business or be subjected to legal proceedings. The list of things that can go badly as a result of the leakage or stealing of private information is vast. Whether that is records being stolen or someone snooping the network for a competitive advantage; dramatic things can happen if we don’t have security and compliance at the core of our collaboration.
Dynamic Business: What must businesses do to address this risk?
Klein: First we had mail, then it was email and now the new medium for communicating is messaging. Messaging needs to have a mobile first, cloud-connected capability in order for it to be ‘persistent and pervasive’.
The paperless office has not become a full reality, however what we have now is 5% of what we used to have, and I believe the same trend will occur with email; 5% of our communication will take place on email, and 95% will take place on messaging.
Gartner believes that by 2018, 50% of organisations will be using team-based, messaging-centric collaboration tools. So we’re going to see a very rapid take up in the coming weeks and I don’t think companies will have a choice. Companies need to bring this to the forefront of their collaboration strategy to circumvent the threat of Shadow IT.
Stitt: The first step is understanding how big of a problem Shadow IT really is. Just about every Cloud Access Security Broker (CASB) will audit current use of a wide variety of cloud IT so that a business or organisation can understand how much shadow IT they have.
The second step can be harder; creating and enforcing policies so that shadow IT becomes normal IT. Like all security, it is a mix of people, processes and technology. The business needs a policy about what forms of IT are OK for employees to use and how they are managed. Employees will need education about which cloud IT they are sanctioned to use and how to use it; and company administrators need to know how to manage those services that the business has sanctioned in the cloud. Finally, technology can play a role in ongoing audit and policy enforcement so that use of cloud IT stays within prescribed guidelines.
Dynamic Business: Are employers catching on to this risk and responding accordingly?
Stitt: Yes, there is much higher awareness and enforcement of policy for cloud IT. However, there are many cloud IT services easily available as platforms, infrastructure and/or software, and more appearing every day, so the ability of organisations to keep across all these online providers can be difficult.
Signing up for these services is also cheap and easy so corporate procurement is never involved…and we’ve seen examples of service charges escalating to hundreds of thousands of dollars before the organisation realised what was going on.