Ironically, the biggest risk to a company’s data security could actually come from internal users who want to make their systems more responsive and efficient.
—Spohn Security Solutions offers advice on how to handle and defend against this latest internal threat phenomenon.
(Austin, TX) February 27, 2018 – In the age of the internet and big data, cyber security is a lot more than protecting equipment and files from storms, spies and personnel issues. It ensures that no harm comes to the data and that no one is able to read it unless desired. The latest concern has its own name – “Shadow IT.” This means access to important data in the cloud that doesn’t go through the traditional IT channels. Basically, employees use non-sanctioned applications or devices inside the business that may be a source of risk.
Spohn Security Solutions’ purpose is to help clients find vulnerabilities in their cyber presence before hackers do. With shadow IT on the rise, Spohn has several suggestions to mitigate risks it can cause. Timothy Crosby, Senior Security Consultant for Spohn Security Solutions suggests, “To eliminate the problem of shadow IT, we need to start with understanding what causes it in the first place. Simply put, it comes down to enterprise IT not serving business needs well enough.”
Typically, the IT group is too slow or not responsive for the appetite of business users, too costly and doesn’t align well with the business needs. IT focuses on functional costs per unit as the value it delivers; but the business cares more about gaining quick functionality and capability to serve its needs. Enterprise IT simply doesn’t operate at the speed of business. So, the business users build their own functionalities and capabilities through shadow IT purchases.
Internal incidents top the list of breach causes in 2016, at 41 percent according to Forrester Research, and estimated up to 60 to 70 percent by other analysts. Even external attacks ultimately involved attackers targeting and taking advantage of insiders and using user authentication credentials. (1)
Further, users subscribe to many IT services that don’t go through the enterprise IT shared services budget, and enterprise IT doesn’t make the decisions for administering it. Shadow IT includes purchases of SaaS (Software as a Service) and cloud and collocation hosting services. It’s also the teams of people hired by the business (but not put into corporate IT) who do development and application support or PC support. (2)
Part of the challenge of defending against shadow IT is defining it. In many companies, shadow IT is considered a hardware issue. In addition to bring your own device (BYOD) policies, the IT department is on the lookout for rogue wireless devices including unauthorized Wi-Fi repeaters that might enhance a signal enough to pass beyond a company’s physical boundaries, as well as authorized employee hardware that has been modified for wireless communication. (3)
To get your organization’s shadow IT problem under control, make sure you understand what the biggest cloud security risk is, it’s the employees who use shadow IT. (4)
While security training and awareness programs go a long way toward preventing internal breaches, organizations often struggle to enforce policies against employees who adopt unsanctioned shadow IT technology and data practices in order to maximize workplace efficiencies. At this point there’s no way to completely stamp out these practices; they’re too widespread.
Spohn’s Crosby recommends that systems to detect and prevent damage from shadow IT should ensure that your IT group perform better than the shadow IT. Some measures to have in place include:
- Cloud app discovery and risk assessment included in web security;
- Data Loss Prevention (DLP)security analytics for web and email;
- Advanced malware detection;
- Web security appliances with SSL decryption mirror port;
- Certified cloud service offering GDPR compliance controls; and
- Programs should include ISO 27001 and CSA STAR certifications.
These are not all, Crosby says, but a good start to get shadow IT out in the open and mitigate any damage it might cause.
About Spohn Consulting:
Spohn Consulting, Inc., an Austin, Texas-based privately held company established in 1998 by Darren L. Spohn, is an authority in navigating fortune 500 companies and medium-to-small businesses through security business challenges of the 21st Century. Spohn Consulting works with organizations to assess their information security posture (the security status of an enterprise’s networks, information, and systems based on Identification and Authorization resources, e.g., people, hardware, software, policies, and capabilities in place to manage the defense of the enterprise and to react as the situation changes), offer customized instructor-led training, and sell telecom services. Utilizing varied scopes of engagement, they deliver recommendations which can be measured against best practice or compliance standards.
1 Preimesberger, Chris J. “Forcepoint Fights Shadow IT with Cybersecurity Analytics Functions.”EWEEK, 10 Feb. 2018.
2 Samuel, Pete Bender. “How to Eliminate Enterprise Shadow IT.” www.cio.com, 11 Apr. 2017.
3 Lawton, Stephen. “Shadow IT: How To Detect And Mitigate Cloud Security Risks – Shadow IT: How to Detect and Mitigate Cloud Security Risks.” Tom’s IT Pro, 7 July 2015.
4 White, Lara. “The Biggest Cloud Security Risk Lurking in Your Company’s Shadow IT.”https://Ciphercloud.com, 3 Apr. 2015.