- Security TWENTY
- Women in Security Awards
Turn back the clock to 2008. The recession was in full swing and IT managers feeling the pinch decided to allow employees to use their own devices (in turn leading to the now ubiquitous term of bring your own device (BYOD)) to undertake their job, thus reducing capital expenditure and allowing IT managers to spend their budget elsewhere. Whether BYOD itself turned out to be good or bad is still a point of conjecture, especially when weighing up its benefits against potential security risks. What is true, however, is that it has played a big part in the current scourge of the IT Manager – Shadow IT – writes Steve Watts, pictured, co-founder of SecurEnvoy.
If you haven’t heard of the term Shadow IT yet, you will do soon. Shadow IT is used to describe information-technology systems and solutions built and used inside organisations without explicit organisational approval. It is also used, along with the term “Stealth IT”, to describe solutions specified and deployed by departments other than the IT department. Staff often download and install applications to help them complete their work more effectively. New software can either help them become more efficient generally or it has become necessary to use the software due to client demands. For example, someone may install Skype because the client only wants to run conference calls via video. However, these employees may feel they cannot approach the IT department to install this software as there is too much red tape, and will be denied the request. Gartner claims that Shadow IT regularly surpasses 30 per cent of a company’s IT spend. According to Atos, 36 per cent of that money is being spent on file sharing software, 33 per cent on data archiving, 28 per cent on social tools and 27 per cent on analytics. The worrying primary reason for shadow IT is the IT department’s inability to test and implement new capabilities and systems in a timely manner.
Pros and cons
There are undoubted benefits to Shadow IT. It lowers IT costs in a similar way to BYOD, increases flexibility, speeds up task completion and means the user isn’t constantly banging on the IT admin’s door. But there is a flipside. Shadow IT means no centralised IT oversight so an increase in organisational data silos, impeding cross-functional collaboration issues and increasing security risks. IT bosses are not left in the shadows, but completely in the dark on how securely corporate data is being accessed and shared by staff via unapproved application.
The security issue is unfortunately not only a critical one but a cultural one. When an employee casually uses an application such as Dropbox to transfer files there is likely to be little thought about the risk of potentially sensitive data – whether that is customer contact details, financial information or intellectual property – falling into the wrong hands. But the fallout could be catastrophic and lead to regulatory fines, customer distrust and reputational damage. This scourge of shadow IT has been accelerated by cloud adoption and cloud-based file sharing. According to a recent survey conducted by Fruition Partners of 100 UK CIOs, 84 per cent believe cloud adoption has reduced their organisation’s control over IT, with a staggering nine in ten believing unsanctioned use of cloud services has created long-term security risks. Specifically, 60 per cent of respondents said there is an increasing culture of shadow IT in their organisations, with 79 per cent admitting that there are cloud services in use that their IT department is not aware of.
When CIOs and IT managers search for additional security layers to protect sensitive data within an organisation, it is best to turn to technologies familiar to their staff. One perfect example is two factor authentication (2FA). The use of the technology has become widespread in the consumer realm, with consumers well versed in how to use 2FA and the importance of it to keep their own private data safe from prying eyes. The latest solutions incorporate near field communication (NFC) – used in Oyster Cards and by Apple Pay – allowing users to simply tap their smart devices to gain access to the information they need. Ironically, by installing an application all BYOD and work devices can be equipped with 2FA to ensure only authorised staff can use them.
While 2FA empowers users, CIOs and IT decision makers also benefit from a flexible solution that can be hosted how, where and when they prefer. 2FA is built to suit any business, as it supports both on premise and cloud hosting and management, making it a strong contender for any CIO changing their security systems. By using existing infrastructure, on premise deployment is often convenient, swift and straightforward, while cloud services are appropriately supported by the 2FA provider. This gives decision makers full control and flexibility over the solution, which can be rolled out to departments and employees at their discretion.
Shadow IT is here to stay
IT departments need to appreciate that it is so culturally inbuilt that shutting it down is now impossible; in fact, policies punishing the use of third-party apps would more likely push rogue users deeper into the darkness. The battle that can be won is to better educate staff and make Shadow IT an integral part of the company’s wider security awareness program. Some staff are aware of the problems, and will ignore them, but many just simply won’t understand why what they are doing could affect the whole business. The good news is that many of the popular shadow IT applications downloaded by staff – such as Dropbox, Skype and TeamViewer – already have the option for 2FA. By not only adopting 2FA for all BYOD and work devices, but reminding users to add this layer of security to the applications they are using for their business dealings too, would give IT managers piece of mind and is the answer to Shadow IT that until now has itself resided in the shadows.