Shadow IT: Friend or Foe?
Shadow or stealth IT doesn’t really lurk in the darkest corners of our organisations. On the contrary, shadow IT hides in plain sight. We see it every time one of our colleagues pulls out their personal smartphone or tablet and uses a free mobile app to share confidential business information over a network the business doesn’t control. At that moment the data is outside every technical control your business has: it is exposed to hackers, cyber-criminals and competitors, and you are quite possibly in breach of data protection legislation. Worst case, you find yourself on the wrong end of a lawsuit when angry customers take you to task because you failed to protect their personal data.
In October 2015 the TV, broadband and telecoms provider TalkTalk was the victim of a major cyber-attack. The incident reportedly cost the company around 100,000 customers and an estimated £45m. However, a report by Kantar Worldpanel suggests the reputational costs may be much higher and longer lasting: it found that TalkTalk customers no longer perceived the brand as trustworthy, and put the true number of lost customers closer to 250,000.
Lost & Stolen Data Costs
In truth, the biggest threat to a company’s data security comes from its own staff. Careless employees, easy access to technology and a lack of corporate guidance leave many organisations dangerously and needlessly exposed to data breaches. Identity governance firm SailPoint says that 71% of employees have access to data they shouldn’t, and that 80% of data is unstructured and resides in multiple locations. In 2015 the average organisational cost of a single lost or stolen data record was $154 according to research by IBM and the Ponemon Institute, up from $145 the year before. Some kinds of data are worth considerably more than that to cyber-criminals for identity theft and fraud.
The UK’s Information Security Breaches Survey 2015 puts the average cost of a data breach at between £1.46 million and £3.14 million for companies with more than 500 employees, and at around £75,000 to £310,800 for smaller firms. Although the survey shows that external threats to data security have increased significantly, a company’s own staff remain the main point of weakness. Respondents said that accidental human error (48%), lack of staff awareness (33%) and weak security vetting procedures (17%) all contributed to the data breaches their organisations suffered.
Quick Staff, Slow IT
A recent report by NTT Com says that many IT departments are too quick to reject staff requests to try popular apps, yet too slow to keep pace with the latest tech trends. As a result, 78% of staff use unauthorised Cloud services without IT’s knowledge. 57% of respondents said that half of all departments within their company used shadow IT solutions, and 87% believe the adoption of shadow IT will only grow. Probably the most worrying result was that 56% of respondents said they had no idea where their data resides when using shadow IT.
New Rules, Noncompliance & Malware
The European Union General Data Protection Regulation (EU GDPR) applies from 25 May 2018. Regardless of whether your business is based in the EU, if you handle the personal data of people in the EU you will need to comply with it. Penalties for failing to meet the new requirements are severe: a serious breach of the regulation can attract a corporate fine of up to four percent of annual global turnover or €20 million, whichever sum is greater.
Research by Cloud security firm Netskope found that 75% of the 22,000 enterprise Cloud apps it examined fail to comply with EU GDPR. What’s more, it reports that 11% of those apps carry malware. The Netskope website explains: “More than a quarter of malware was detected in files that had been shared with others, demonstrating the ease of propagation and risk of malware in the Cloud.” Sharing a file is also sharing whatever is inside it, which is exactly why an unvetted consumer sharing app is more than a compliance problem.
Data Protection by Design
Software vendors should note that the EU GDPR requires data protection safeguards to be designed into products and services from the earliest stage of development. Data portability is another requirement that software providers and their customers will need to prepare for. One of the drivers of the new European legislation is the idea that consumers can request their personal data in an easily transferable, common digital format so they can switch from one service provider to another without restriction. Members of the UK government have already expressed concern that the cost of data portability compliance might prove a barrier to market entry and restrict innovation.
Out of the Shadows
The consumerisation of IT is both an opportunity and a threat to many businesses. Lots of IT departments struggle to keep pace with the latest technological trends and innovations, and corporate governance has often been woefully inadequate in its understanding of, and response to, the widespread adoption of shadow IT by the workforce. Security risks aside, shadow IT clearly offers tools and technologies that make people more productive, collaborative and efficient. It also shows businesses what types of applications they should be buying, rather than imposing IT solutions without proper consultation.
A Simple Plan
To maximise the potential gains from shadow IT and mitigate the risks, businesses need to be smarter and more adaptable. As more staff and businesses adopt Cloud solutions, keeping anti-malware and anti-virus software up to date is the minimum, not the answer. Rather than resisting the tide, businesses and IT departments should look at how they can safely embrace BYOD/BYOA (Bring Your Own Device/Bring Your Own App) policies and procedures. Companies must make more of an effort to communicate both the benefits and the dangers of using consumer-grade apps for work purposes. Similarly, employees need to shoulder more of the responsibility for the technologies they bring into the workplace.
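Bringing shadow IT into the open starts with knowing what is actually in use, and the cheapest place to look is the web proxy or firewall log that most organisations already keep. The Python below is an added example for this article, not code from the original page, from NTT Com, Netskope or any other vendor named here. It runs over a handful of constructed proxy log lines and flags uploads to consumer file-sharing services that are not on IT’s sanctioned list; the log format, hostnames, user names, allowlist and bulk-upload threshold are all assumptions made for the illustration.

```python
"""Shadow IT discovery over web-proxy logs (illustrative, added example).

Everything below is constructed: the log format, the hostnames, the users,
the sanctioned-app list and the size threshold. Swap in your own proxy
export and CASB/vendor catalogue to use it for real.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: timestamp user method url status bytes_sent bytes_received
SAMPLE_LOG = """\
2016-05-03T09:12:01Z alice GET https://docs.corp-sanctioned.example/report 200 512 40960
2016-05-03T09:14:22Z alice POST https://upload.freeshare.example/api/v1/files 201 18874368 312
2016-05-03T09:15:07Z bob PUT https://cdn.pastebin-like.example/raw 200 4096 128
2016-05-03T09:20:44Z carol POST https://mail.corp-sanctioned.example/send 200 2048 256
2016-05-03T09:31:10Z dave POST https://upload.freeshare.example/api/v1/files 201 5242880 300
2016-05-03T09:40:00Z bob GET https://news.example/ 200 300 90000
"""

# Hypothetical allowlist of services IT has approved (matched on domain suffix).
SANCTIONED_DOMAINS = {"corp-sanctioned.example"}

# Hypothetical catalogue of consumer file-sharing / paste services. In practice this
# comes from a CASB or a maintained list; these names are made up for the example.
KNOWN_CLOUD_STORAGE = {"freeshare.example", "pastebin-like.example"}

UPLOAD_METHODS = {"POST", "PUT"}
# Bytes sent in one request above which we call it a bulk upload (assumed threshold).
BULK_UPLOAD_BYTES = 1024 * 1024

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<sent>\d+) (?P<recv>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    for key in ("status", "sent", "recv"):
        rec[key] = int(rec[key])
    return rec


def matches_suffix(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_shadow_uploads(log_text):
    """Summarise uploads to known consumer storage that IT has not sanctioned.

    Returns {host: {"users": set, "bytes_sent": int, "requests": int}}.
    """
    findings = defaultdict(lambda: {"users": set(), "bytes_sent": 0, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if matches_suffix(rec["host"], SANCTIONED_DOMAINS):
            continue  # approved service, not shadow IT
        if not matches_suffix(rec["host"], KNOWN_CLOUD_STORAGE):
            continue  # unknown host; leave for a separate review
        entry = findings[rec["host"]]
        entry["users"].add(rec["user"])
        entry["bytes_sent"] += rec["sent"]
        entry["requests"] += 1
    return dict(findings)


def bulk_uploaders(log_text, threshold=BULK_UPLOAD_BYTES):
    """Users who pushed more than `threshold` bytes in one request to any unsanctioned host."""
    users = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if matches_suffix(rec["host"], SANCTIONED_DOMAINS):
            continue
        if rec["sent"] > threshold:
            users.add(rec["user"])
    return users


if __name__ == "__main__":
    for host, info in sorted(find_shadow_uploads(SAMPLE_LOG).items()):
        print(f"{host}: {info['requests']} uploads, {info['bytes_sent']} bytes, "
              f"users={sorted(info['users'])}")
    print("bulk uploaders to unsanctioned hosts:", sorted(bulk_uploaders(SAMPLE_LOG)))
```

The two checks are deliberately separate: the first answers “which unapproved services are people actually using, and who?”, which is the conversation to have with those departments about what to buy; the second answers “who is moving large volumes of data out to anything we don’t control?”, which is the one that needs a follow-up today, whether or not the destination is on a catalogue. Neither replaces a CASB, but both can be run against a day of proxy logs before buying one.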
As the PCI Security Standards Council’s guide Responding to a Data Breach says, “Preparing for the worst is the best defence.” Research by the Ponemon Institute and IBM suggests that having an incident response plan and a trained team in place can significantly reduce the costs and collateral damage when a data breach occurs. A little more pragmatism and imagination can surely bring shadow IT into the open, where everyone can decide for themselves whether it is friend or foe.
Have Your Say
Has your organisation recently suffered a data breach or cyber-attack? How well did your organisation cope with the fallout from such an event? Perhaps you regularly use consumer-grade apps to share confidential files, and have no idea where that data eventually ends up. If so, then share your knowledge and experience with us. I look forward to your contributions, and hope you’ll share this article with friends and colleagues.