IT Security

Work IT and personal risks

by Mark Rowe

Unauthorised app use, or shadow IT, is a security challenge that has increasingly plagued businesses as the lines between consumer and enterprise products have blurred. The likes of Dropbox, Box and Google Drive are common “enterprise” offenders that security teams may be aware of but, as research for a UK cloud security company shows, more people have actually shared documents over messaging apps like WhatsApp. CensorNet looked into the application and internet habits of 1000 UK adults, through personal data and insights platform CitizenMe. The survey found that 46 percent were guilty of a bad practice that could put company data or the work network at great risk:

About a fifth, 22 percent, have shared work documents over chat applications such as WhatsApp, Telegram, or Facebook Messenger. Some 18 percent have uploaded confidential work documents to Dropbox, Box or Google Drive without permission. A further 8 percent have accidentally shared a link to confidential files; and 16 percent used Dropbox, Google Drive, or similar to take company information to a new job. One in ten visited adult websites from a work device or using the work internet connection, and a further 13 percent admitted to downloading or viewing pirated content. And one in four used a work email account to authorise access to other services such as games, productivity apps or social media.

Ed Macnair, CEO of CensorNet said: “IT teams might not have even considered that staff are using personal messaging accounts to send work files, but they will now. As we see here, these apps increase the risk of people leaking sensitive data by accident or on purpose. Often there is no malicious motive behind it, it’s simply in people’s nature to find the easiest way to get their job done. But regardless of motive, it’s a gateway out of the building for your sensitive data and a way in for hackers, and security teams can’t afford to leave those gates unlocked.”

CensorNet says pirate websites are often cesspools of malware and viruses, which employees are potentially bringing into the network. The cloud firm adds that while using a work email address for personal accounts sounds comparatively harmless, this means employees are putting their work credentials into the wild. Should one of those personal services be breached, as Yahoo or TalkTalk was, their leaked details could be harvested by cyber criminals to attack the company. People frequently use the same login details for multiple accounts, leaving the company vulnerable to brute force attacks.

Macnair added: “Sadly, it is shocking, but not surprising that employees are viewing and downloading adult or illegal content at work or on a company device – but it is the security team’s job to account for human fallibility. Simply blocking sites and applications isn’t enough – people will always find a workaround, and fringe sites and apps are likely to be even more dangerous.” He said that businesses have to accept what employees are doing and bring them into the fold. “They should take a multi-layered approach to security, making sure all of the core threat vectors – email, cloud apps, websites – are being monitored and controlled so that threats can be quickly mitigated.”

Visit www.censornet.com.


© 2024 Professional Security Magazine. All rights reserved.
