This morning, between getting up and getting the kid’s breakfast, long before I sat down in the office for a long day of meetings and work, I opened an email on my iPad and saved an attachment into my Dropbox. I proceeded to edit the attachment, add my view on some of the reported figures and I forwarded on the document link to several of my colleagues.
This period of about ten minutes enabled me to get a clear view of a meeting I was due to have later on that day and it also allowed me to start work without actually being in the office. Most importantly it meant I could drop my children to school and gave me flexibility with my office starting time.
It was, of course, also unsupported by Certification Europe’s IT department. The iPad is my private piece of equipment, a birthday present from last year. Dropbox is a storage solution that many people in our company use, but we pay nothing for it and our IT department cannot fix it if it were ever to go down. This is the ever-growing world of Shadow IT, and how you handle it can determine how your business succeeds in the future.
Loss of control
The IT department’s life used to be much simpler. Traditionally the office, as a concept, was a closed environment. All hardware and equipment was provided by the business, and all files were stored on site. To prevent data breaches or malware intrusion one simply had to lock down the USB ports and disk drives and install a strong email filter.
Technological development never rests, and internal IT policies are changing at a positively glacial rate compared to how quickly applications and products are being developed. Bring Your Own Device, or BYOD, was the phrase in Information Security over the last few years, but even this has now been surpassed by Shadow IT.
“Shadow IT” is the latest phrase for the informal layer of IT built and used inside your organisation that you have almost no control over. From smartphones to web-mail, tablets to Skydrive, it seems that every day there is a new killer app or device that makes office work so much easier for everyone, except the information security officer and the IT staff.
This loss of control should be addressed head on; burying your head in the sand will only give you a long-term headache, especially when you suffer a data breach or find that your systems have been compromised.
By setting the agenda you begin to regain the control that you have lost. A good Information Security policy should be reviewed for new risks, if not monthly then at least quarterly; given the pace of technical development, more often would be advisable.
By staying up to date with new apps, devices and developments you can better maintain your risk register, as laid out in any working Information Security management system, and a thorough risk analysis of all threats posed to a company is half the information security battle. This leads on to the more difficult aspect of the job: saying “No”.
Telling one of the lower-level staff that they cannot have their email unencrypted on their brand-new smartphone is a whole lot easier than telling the Chief Executive Officer that he cannot access his mails on his iPad (I should know!), but this infrastructural control must come from the top down.
Senior management have to be subject to the same risk assessment as all other staff members. If a control does not apply to all staff then that is simply a weakness in the system that can be exploited, and senior staff with the broadest access are exactly the accounts an attacker will single out.
We cannot be Luddites though; resisting all change leaves us vulnerable to one of the constants in business. If it comes down to actually accepting a user’s device, then do it on the company’s terms.
“You can access your email, but you must encrypt your smartphone. You must also configure your phone to require an access code or gesture and install a remote wiping function on your phone to minimise data loss. Only then will you be able to get access to our corporate infrastructure on your personal device. Don’t worry, we will show you how.”
Just as with all other information security issues, training is vital. Training will help to make people aware of the risks associated with working outside the safety of the provided office environment. It also helps ensure that staff members keep information security at the forefront of their minds at all times. Staff should also be advised to read the terms and conditions of third-party applications that they choose to use. Blindly accepting T&Cs is an easy way to lose ownership of important documents or data.
Returning to my own example, we have a business Dropbox account. When we looked at our own risks from using Dropbox we didn’t want ever to face a situation where someone who had left could accidentally, or maliciously, remove some of our files. Our control for this risk is a company-owned account, linked to a company email account and installed on a partition server, that new staff are invited to use.
These controls are what move “Shadow IT” from a potential data breach risk into a tangible benefit to an organisation.
Innovation emerges from the shadows
Shadow IT can bring you substantial benefits. I have seen cases where it has allowed staff to work from the field much more easily. Salesmen free from the office can complete more deals and bring in greater revenues. Information can be shared more quickly and work flows much more easily from end to end. It also frees staff from needing technical skills to use some very powerful networking options.
Explaining how to map a drive on a Windows network is much more difficult than sharing a document in Dropbox. The same applies to Skydrive, iCloud or any of the other cloud platforms that, by their very design, are easy to install and use.
Google Apps allows two users to simultaneously access, edit and share spreadsheets and other documents, and this promotes that much-sought-after business utopia, collaboration.
The benefits are as numerous as the workers in our companies, because Shadow IT harnesses the ingenuity of staff to plug the holes in their daily routines.
Embracing Shadow IT with a flexible but firm risk analysis will be the hallmark of organisations that have both strong performance and a robust data security policy.
Michael Brophy | www.certificationeurope.com | @CertEurope_
Area of Expertise:
Michael is an expert in the fields of national and international standards and compliance assessment. He has over 15 years’ experience in information security standards for government, military and various business sectors (pharmaceutical, telco, financial, IT and security printing sectors).
Professional Biography:
Michael Brophy is Founder and CEO of Certification Europe, which was founded in 2001 with headquarters in Dublin, Ireland. In 2012 Certification Europe Limited opened its London operation which, along with offices in Belfast, Turkey, Japan and Italy, forms a group of accredited certification bodies providing ISO Certification and Inspection services to organisations globally.
Michael is a graduate of the University of Ulster and the Universidad de Zaragoza (Spain), with a Master’s in European Policy and Regulation from Lancaster University, and is one of Ireland’s leading authorities on standardisation. Michael has a wealth of experience in Information Security and Business Continuity Management Systems implementation for Government, military and various business sectors (pharmaceutical, telco, financial, IT and security printing sectors).
Michael has particular expertise in the field of electronic signatures, developing national legislation and national regulatory bodies to govern the use and legal basis of electronic signatures. He has previously advised on the establishment of standards at a national and international level, is viewed as one of Ireland’s leading authorities on standardisation, and has served on various EU Commission committees.
Certification Europe is the only Irish accredited certification body operating in the field of Business Continuity standards; it was the first accredited industry player in Ireland to offer Information Security and IT Service Management Systems assurance schemes, and it is a world leader in Energy Management System certification.
Michael is also Chair of the Association of Accredited Certification Bodies (AACB).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.