Espion urges firms to tackle apps in the workplace or risk information security breaches

Michael Romain: expert on app security at Espion


Corporate information security specialist Espion is calling on firms not to overlook the risks posed by workers increasingly packing their own clouds and apps into their virtual briefcase without consulting the IT Department.

The growth of so-called ‘Shadow IT products’ (ie non-approved SaaS applications) has skyrocketed in recent years, with the latest research revealing that 81% of enterprise employees [1] admit to using unauthorised applications.

The sheer scale of this issue was also highlighted at Espion’s recent 101 Series on App Security, with attendees agreeing it’s a growing concern in their organisations.

Without doubt, apps and cloud solutions such as Basecamp, Salesforce, Dropbox and Google Apps are great for productivity and flexible working. However, organisations need to be highly cognisant of the potential downside these time-saving, skill-boosting, collaboration-enhancing, process-streamlining (and more) apps and software pose to corporate information.

Michael Romain (Espion’s app security expert) explained: “From the loss of confidential data through to the disclosure of credentials, privacy violations and breaches of compliance, organisations need to consider what impact inadequate app security could have on their data protection obligations. Insecure mobile apps can leak device information and expose it to third parties, or they can store or transmit sensitive information unencrypted or in another insecure manner, in turn making a compromise more likely.”

Romain added: “It’s paramount CIOs take heed of the growth in consumer market technologies within the enterprise and recognise that this trend will continue to evolve. Organisations should plan ahead and fully address the governance and security aspects surrounding devices, apps and software.”

Evidence of widespread hacking

According to a recent report compiled by Arxan Technologies, 97% of the Top 100 paid Android apps and 87% of the Top 100 paid Apple iOS apps have been hacked.

That same report also highlights evidence of the widespread hacking of financial services, healthcare/medical and retail/merchant apps largely driven by hacks of Android apps.

When it comes to protecting a company’s data confidentiality, integrity and availability, in addition to its resources and reputation, Espion highly recommends full consideration around ten key areas. These are as follows:

(1) Monitor your network to keep track of what Shadow IT is lurking in your systems

By continuously scanning and monitoring your network you will be able to identify Shadow IT and keep track of what’s going on.

To identify the cloud services being used outside of IT’s scope, you can process log data from your firewalls, proxies, SIEMs and Mobile Device Management products.
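As an added illustration of that log-processing step (this is example code written for this article, not an Espion product or tool), the script below reads proxy log lines, maps each destination host to a known SaaS service and reports the services that are not on the sanctioned list, with the users and request counts behind each one. The log format, the SaaS catalogue, the risk categories and the sanctioned list are all constructed assumptions; in practice the catalogue would come from an app-risk database and the sanctioned list from your own approved-application register.

```python
"""Spot unsanctioned SaaS use from proxy log lines (added example, constructed data)."""
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines in a simplified format:
#   <timestamp> <user> <method> <url> <status>
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice GET https://www.dropbox.com/home 200
2024-03-01T09:13:44Z alice POST https://content.dropboxapi.com/2/files/upload 200
2024-03-01T09:15:10Z bob GET https://intranet.example.com/wiki 200
2024-03-01T09:16:21Z carol GET https://app.salesforce.com/login 200
2024-03-01T09:18:05Z bob GET https://basecamp.com/projects 200
2024-03-01T09:19:30Z dave GET https://drive.google.com/drive/my-drive 200
2024-03-01T09:20:00Z dave GET https://www.dropbox.com/share 200
"""

# Hypothetical SaaS catalogue: domain suffix -> (service name, risk category).
# The category labels stand in for what an app-risk database would supply.
SAAS_CATALOGUE = {
    "dropbox.com": ("Dropbox", "file-sharing"),
    "dropboxapi.com": ("Dropbox", "file-sharing"),
    "salesforce.com": ("Salesforce", "crm"),
    "basecamp.com": ("Basecamp", "collaboration"),
    "drive.google.com": ("Google Drive", "file-sharing"),
}

# Services IT has approved (constructed for the example).
SANCTIONED = {"Salesforce"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def match_service(host, catalogue=SAAS_CATALOGUE):
    """Walk the host labels from most to least specific so that
    content.dropboxapi.com matches the dropboxapi.com catalogue entry."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in catalogue:
            return catalogue[candidate]
    return None


def find_shadow_it(log_text, catalogue=SAAS_CATALOGUE, sanctioned=SANCTIONED):
    """Return {service: {"category": str, "users": set, "requests": int}}
    for every catalogued service that is not on the sanctioned list."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = match_service(rec["host"], catalogue)
        if hit is None:
            continue  # not a known SaaS destination (e.g. the intranet)
        service, category = hit
        if service in sanctioned:
            continue
        entry = report.setdefault(service, {"category": category, "users": set(), "requests": 0})
        entry["users"].add(rec["user"])
        entry["requests"] += 1
    return report


if __name__ == "__main__":
    for service, info in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{service:<13} {info['category']:<14} requests={info['requests']} "
              f"users={sorted(info['users'])}")
```

Running the script on the sample lines lists Dropbox, Basecamp and Google Drive as unsanctioned, each with the users who reached them; Salesforce is skipped because it is on the sanctioned list, and the intranet host is ignored because it is not in the catalogue. The risk category carried in each report entry is the hook for a later policy decision (for example, reviewing every unsanctioned file-sharing service first).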

(2) Quantify the risks by knowing who has access to your corporate data

A key concern should be corporate data access and data confidentiality issues.

By identifying and understanding what data you’re processing, transmitting and storing you can then classify data into categories such as Confidential, Internal Organisational Use Only and Public, etc. This will help you to ensure the right levels of controls are used to protect the data.

(3) What’s the policy?

Consider having an ‘Acceptable Use Policy’ that states what apps, software and devices may be used in the workplace, what part of the network they’re allowed to access and the security procedures and protocols to which they must adhere.

(4) Make use of available ‘intelligence’ resources to find out about these apps

Currently, there are exciting new trailblazing technologies that help enterprises determine the ‘trust’ level of apps with all-in-one App Risk Management services and global databases of analysed public and private apps.

Apps can then be blocked based on your own risk appetite and enterprise policies.

(5) Communicate the risks to stakeholders

Explain to colleagues that when they deploy Shadow IT the configuring and managing process (applying patches, authentication and access controls as well as security testing) falls outside of the organisation. That makes organisations and their reputation vulnerable.

It’s also important to be aware that using external (ie non-enterprise) versions of online file stores, for example, may result in the loss of access control over data: applications that are not directly controlled by centralised IT functions are often overlooked in leavers/termination procedures and processes.

Enforce the use of approved applications meeting enterprise standards. When and where necessary, restrict network access to any workers who fail to comply.

(6) Fear free apps

While workers may think they’re saving money by opting for free apps, these technologies generate revenue by sharing user data with third parties like ad networks which then impacts on overall app security and privacy.

If you’re not paying for the app you and your company data are the product.

(7) Seek solutions to secure these apps and clouds

When it comes to controlling the extended enterprise both simply and securely, find a solution that can streamline widescale deployments by securing or restricting apps on an automatic basis.

(8) Don’t overlook licensing agreements

Shadow software and apps challenge software asset management compliance. What would your organisation do if unapproved software spurred a compliance/regulatory audit with the risk of attendant fines?

(9) Work with employees to tackle the issue

Aim to work with employees to tackle this issue and have a clear dialogue with business stakeholders about their particular business challenges and requirements.

Ultimately, IT should be enabling the business to work better and smarter at a known level of risk which is accepted by the business.

Remember to build awareness around the hazards of Shadow IT into your company-wide security awareness and training programmes.

(10) Perform security testing on a regular basis

Evaluate device security and usage of apps on a periodic basis.

Reference

[1] Gigaom Research and CipherCloud Report (November 2014)

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.