Shadow IT: What You Don’t Know CAN Hurt You

Posted by ediscoverycat on September 26, 2015 · Leave a Comment

For Information Security & eDiscovery, What You Don’t Know CAN Hurt You

Forget social media or big data for one second, the biggest vulnerability for many corporations and Law firms today lies in the murky realm of Shadow IT. When I first heard this term, yesterday, while listening to an ACEDS Podcast[i] by Sharon Nelson discussing trends in the EDD space, it immediate conjured up images of nefarious dark web complete with hackers and Kiddie porn. Thankfully, with some quick googling I discovered that while nowhere near as illicit and illegal, Shadow IT can be deadly dangerous to an organization.

What is Shadow IT?

According to Skyhigh networks, Shadow IT [ii]refers to information technology projects that are managed outside of, and without the knowledge of, the IT department. Shadow IT was previously limited to unapproved Excel macros and boxes of software employees purchased at office supply stores. It has grown exponentially in recent years, with advisory firm CEB estimating that 40% of all IT spending [iii]at a company occurs outside the IT department. This rapid growth is partly driven by the quality of consumer applications in the cloud such as file sharing apps, social media, and collaboration tools, but it’s also increasingly driven by lines of business deploying enterprise-class SaaS applications. In many ways Shadow IT is helping to make businesses more competitive and employees more productive but it also poses potential risks.

Unwitting Poster Child of Shadow IT

Presidential Candidate and Former Secretary of State Hillary Clinton has been dealing with justifiable backlash over setting up a private email system outside the IT infrastructure of the Whitehouse. This rather sophisticated bypass of the IT infrastructure and protocols afforded Clinton complete autonomy and privacy of both work and personal emails, but it also breached the information security protocols of the Whitehouse, exposed confidential state secrets to possible cyber intrusion and as “conjuring up an image of cloak-and-dagger messages passing between heads of state, skirting the government server that secures, monitors and records sensitive emails”[iv]

“It is very difficult to conceive of a scenario — short of nuclear winter — where an
agency would be justified in allowing its cabinet-level head officer to solely use a private email communications channel for the conduct of government business.” – Jason R. Baron to the New York Times

While Clinton went to an extreme, going so far as to secure a cloud based server completely beyond the scope of IT, she is no alone by a long shot. Many and soon to be the majority of employees bypass the often slow and outmoded IT infrastructure in place at their company in favor of reducing the number of devices they have to carry and/or employing cutting edge Apps or SaaS based solutions for their business problems.

How and Why are employees turning to Shadow IT?

Often times employees see IT and its security and controls as a hindrance to effectively and efficiently doing their jobs. As a result, they are increasingly turning to programs, devices and services beyond the oversight and control of the IT department. In a study conducted by IBM Security, it was found that 1 in every 3 Fortune 1000 employees regularly saves and shares company data to external cloud-based platforms, which their companies cannot track.[v]

BYOD

Bring Your Own Device (BYOD) is perhaps the most discussed form of Shadow IT, and it is now the new normal. Stemming from the desire to have the newest tech and to avoid the inconvenience of carrying duplicate devices for personal vs. business purposes. Simply put BYOD is the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications.

BYOD is the new normal, but the fact that it is codified in many corporate handbooks and policy does not negate the risk it exposes corporations to, rather it is an act of attrition in the face of an unstoppable force. A recent study found that 67.8 per cent of smartphone-owning employees bring their own smartphone to work, and 15.4 per cent of these do so without the IT department’s knowledge and 20.9 per cent do so despite an anti-BYOD policy.

Apps

When apple first started selling iPhones there was a closed system in place for the development of Apps and there were merely 800 to choose from. As of July 2015, that number had grown exponentially to over 1.5 Million in the apple store alone and as of June 2015 Apple announced there have been over 100 billion apps downloaded.

A new-generation of cloud productivity applications, such as enterprise social networking, file sync/share and IM/VoIP are increasingly being used by employees on personal and company devices. This has been coined BYOA, bring your own App and carries with it many of the same inherent risks of BYOD for system security and integrity.[vi]

Cloud Computing

Cloud computing and related SaaS and PaaS applications have created a new avenue for employees and entire departments to easily circumvent internal IT. In a study conducted by IBM Security, it was found that 1 in every 3 Fortune 1000 employees regularly saves and shares company data to external cloud-based platforms, which their companies cannot track.[vii]

External Email

With the ubiquity of BYOD commingling of work and private emails is an unfortunate but foregone conclusion. Some commingling is completely accidental – due to the proverbial butter finger moments (we all have them), having the wrong email set as default or pressing send before verifying which account you are sending from. Sometimes the “mistake” is less innocent and specifically done to remove company or to share it with someone the company would rather not have it shared with.

Cloud Computing

What’s the big deal?

Many of the employees turning to shadow IT are doing so to do their job BETTER. Unfortunately, when they are looking to get work done better and faster they often are not thinking of the data security, compliance and big picture continuity impact their action may have.

The risks posed by unregulated use o external applications was highlighted just last week with when Chinese iOS developers disclosed a new OS X and iOS malware on Sina Weibo. Alibaba researchers then posted an analysis report on the malware, giving it the name XcodeGhost. [viii] Compromised Applications include popular mobile chat app WeChat, Uber-like car-hailing app Didi Kuaidi, and a Spotify-like music app from Internet portal NetEase Inc.

Malicious malware is not the only or even the greatest risk, often times devices and their confidential valuable information are lost by employees, or stolen, and when IT is not involved in monitoring and remotely wiping the systems the lost data is vulnerable.

What can you do?

Companies end up paying dearly for the perceived benefits from shadow IT: No centralized IT oversight fortifies organizational silos, impeding cross-functional collaboration and increasing security risks. So what can an enterprise do to mitigate the risk while not stifling employee initiative and increase efficiency?

Have a clear IT policy addressing internal and external IT resources
Identify weaknesses within IT that caused the need for Shadow IT in the first place.
Re-establish relationships with departments and individuals that regard the IT department as a hindrance to their job.
Reinstitute the IT department as the single gatekeeper for technology solutions in the workplace.
Embrace Shadow IT, cautiously

It’s not all bad news

As the saying goes if you cannot beat them join them, and in the case of Shadow IT “for most IT organizations, resistance is futile,” said Simon Mingay, vice president of research at research consulting firm Gartner. “Better to embrace it and acknowledge that employee IT and digital skills in the increasingly digital workplace are an opportunity to innovate and create more value from IT and digital investments.” [ix]

Mingay further advised that CIOs adapt and change the nature of the IT engagement, “to bring shadow IT out of the shadows, make it transparent, provide services that support it.” Out in the light, the role of IT adapts to one of “managing the critical and complex enterprise solutions, while guiding, nudging and shepherding elsewhere.”.

Cat Casey

[i] Nelson, Sharon. “ACED Interview: Trends in EDD and Digital Forensics.”‘Ride The Lightning’ Sharon Nelson, 21 Sept. 2015. Web. 22 Sept. 2015.

[ii] “What Is Shadow IT? | Skyhigh Networks.” Skyhigh Networks. Skyhigh, n.d. Web. 22 Sept. 2015.

[iii] Groenfeldt, Tom. “40 Percent Of IT Spending Is Outside CIO Control.”Forbes. Forbes Magazine, 2 Dec. 2013. Web. 22 Sept. 2015.

[iv] Kaneshige, Tom. “Hillary Clinton Is Now the Face of Shadow IT.” CIO. N.p., 12 Mar. 2015. Web. 22 Sept. 2015.

[v] On behalf of IBM Security, Ketchum Global Research & Analytics (KGRA) conducted an online survey using the services of Ipsos Public Affairs. The survey interviewed 1,001 full-time employees at Fortune 1000 companies. The survey was fielded from July 27 to 31, 2015.

[vi] “Number of Apps Available in Leading App Stores 2015 | Statistic.”Statista. N.p., July 2015. Web. 22 Sept. 2015.

[vii] On behalf of IBM Security, Ketchum Global Research & Analytics (KGRA) conducted an online survey using the services of Ipsos Public Affairs. The survey interviewed 1,001 full-time employees at Fortune 1000 companies. The survey was fielded from July 27 to 31, 2015.

[viii] Xiao, Claud. “Malware XcodeGhost Infects 39 IOS Apps, Including WeChat, Affecting Hundreds of Millions of Users – Palo Alto Networks Blog.”Palo Alto Networks Blog. N.p., 18 Sept. 2015. Web. 22 Sept. 2015.

[ix] Benham, Russ. “Why CIOs Should Be Happy About Shadow IT.” Forbes. Forbes Magazine, 4 May 2015. Web. 22 Sept. 2015.

Filed under Analytics, Big Data, Cloud Computing, Compliance, Data Privacy, eDiscovery, New, Risk · Tagged with BYOD, Cybersecurity, data, IT, Shadow IT

eDiscovery Cat