“Shadow IT” – How much is in your organisation?

bigstock-Business-Challenge--A-busines-32101016“Shadow IT” is any IT use within an organisation that isn’t known of or approved of by management.  The name might make it sound scary—and it is.  Shadow IT is everywhere in our digital world, and it can expose a business to severe problems that they may not even realise that they have

In most organisations, there is a level of control over the use of technology and cloud-based systems.  This job normally falls to management or the ICT department, who are charged with keeping the relevant digital information under some level of security.   In a lot of organisations, this is failing.

To most staff members, there is a mindset of wanting to get their job done and using any tools and resources to accomplish that outcome.   Although this level of motivation is commendable, the use of nonstandard resources can increase the attack surface of the organisation, exposing it to risks that managers and IT specialists thought the business was safe from.

The individual elements of shadow IT are not new.  I have spoken before about rogue access points within a network.   I have discussed the insider threat, and I have discussed the use of cloud technology to allow users to access digital information without the required controls and management.   This article is about all these situations.  They need to be brought up again, because the combination of all these problems within an organisation can cause unprecedented levels of danger.

There are three things that your business should be protecting at all times.  Your financial information, including access to your bank accounts.   Your intellectual property—this includes who you do business with, how you do business, your pricing structure and price book, and all the processes that you employ within your business.   And finally, your client list and your sales process. This is not in any particular order—they are all important.   All of this information is your digital fingerprint.

So why would your people expose that level of information to the outside world?   One reason is convenience—they do what they perceive as making their role in the business easier to perform.   One is being unaware or innocent of the dangers. The last is laziness, often combined with arrogance—they do not want to follow the rules because they “know best.”

Below, we’ll look at some possible ways to avoid these dangers.

The rogue access point

A rogue access point is an access point installed on a secure Wifi network without the approval of management or ICT.  This occurs when an employee, for instance, installs a wireless router to connect to the network.  Even if this is done without malicious intent, the existence of such an access point can allow bad guys to get into your network.

This has become a bigger problem than people think.  In some organisations, a smart switch will restrict the possibility of adding an unauthorised access point to the network.  A smart switch is expensive, but with the investment comes a more manageable network environment.   When employees gain unauthorized access to the network, it’s normally a convenience thing:   Someone wants to be able to use their tablet or phone without going through all those pesky restrictions and requirements.   With a smart switch, they don’t have to.  Plug the access point into the network, set it up with a simple password, and off you go.   No issues with people connecting to your network directly and having access to your IP.  It does not even cross their minds.   It may be that the worker wants to work from the cafe around the corner, and the best-laid plans are always the best, aren’t they?   That is until something happens!

The use of cloud-based systems

This is also a big problem.   Dropbox and Cubby have made it simple for anyone to install their applications and transfer business IP to an insecure location.   At the most basic level, there are two problems with this.  Privacy is a concern: who else can see the information, and, more importantly, where it is stored.   Yes, it could be convenient for a user to upload that project information to the cloud, but if it is stored outside Australia then Australian laws no longer apply.   When that happens, other countries do not need judicial involvement to get access to the information.   If it is IP, then you have a good chance of losing it to your competition—or even worse, to a start-up.  The solution to this is to have a policy in place about cloud storage apps, whether employees can use them in a work context, and which work-related data (if any) they can transfer to them.

The insider threat

You may have a policy in place that no USB, phones or tablets are to be plugged into your network, but by using the two ploys above, anyone can still remove information from your business without you realizing that it has happened.   Most small and medium businesses and not for profit organisations have to trust their employees— it is a case of survival.  But what happens when that trust is burned and the staff member is moving to the competition?   Are you sure that all of that important and critical information is not going with them?   How do you protect yourself from that?

Actually there are ways that you can have some level of protection.   Create resilience within the business through a positive culture.   Keep your fingers on the pulse of the business and if necessary get an outside company in to see who can be trusted on staff and to what level.

So what’s the main message here? If you don’t know whether your organisation has a problem with shadow IT, it probably does.   As always, your best defense is to educate yourself, be paranoid, and remember that your organisation’s cyber security is YOUR problem.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.