Corporate information security specialist Espion is calling on firms not to overlook the risks posed by workers increasingly packing their own clouds and apps into their virtual briefcase without consulting the IT Department.
The use of so-called ‘Shadow IT’ products (ie non-approved SaaS applications) has grown rapidly in recent years, with the latest research revealing that 81% of enterprise employees [1] admit to using unauthorised applications.
The sheer scale of this issue was also highlighted at Espion’s recent 101 Series on App Security, with attendees agreeing it’s a growing concern in their organisations.
Without doubt, apps and cloud solutions such as Basecamp, Salesforce, Dropbox and Google Apps are great for productivity and flexible working. However, organisations need to be highly cognisant of the risk these time-saving, collaboration-enhancing, process-streamlining apps and services pose to corporate information once it leaves the control of the IT department.
Michael Romain (Espion’s app security expert) explained: “From the loss of confidential data through to the disclosure of credentials, privacy violations and breaches of compliance, organisations need to consider what impact inadequate app security could have on their data protection obligations. Insecure mobile apps can leak device information and expose it to third parties, or they can store or transmit sensitive information unencrypted or in another insecure manner, in turn making a compromise more likely.”
Romain added: “It’s paramount CIOs take heed of the growth in consumer market technologies within the enterprise and recognise that this trend will continue to evolve. Organisations should plan ahead and fully address the governance and security aspects surrounding devices, apps and software.”
Evidence of widespread hacking
According to a recent report compiled by Arxan Technologies, 97% of the Top 100 paid Android apps and 87% of the Top 100 paid Apple iOS apps have been hacked (ie tampered or repackaged versions of them have been found in circulation).
That same report also highlights evidence of the widespread hacking of financial services, healthcare/medical and retail/merchant apps largely driven by hacks of Android apps.
When it comes to protecting a company’s data confidentiality, integrity and availability, in addition to its resources and reputation, Espion highly recommends full consideration around ten key areas. These are as follows:
(1) Monitor your network to keep track of what Shadow IT is lurking in your systems
By continuously scanning and monitoring your network you will be able to identify Shadow IT, see which users and departments are relying on it, and watch for unusual volumes of data leaving the organisation.
To identify the cloud services being used outside of IT’s scope, you can process log data from your firewalls, web proxies, SIEMs and Mobile Device Management products: the destination hostnames and upload volumes in those logs show which SaaS products are in use and who is using them.
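The following script illustrates that log-processing step. It is an added example, not Espion’s or any vendor’s tooling: it assumes a simple space-separated proxy log format (the sample lines below are constructed for this example), a hand-maintained catalogue of SaaS domains, and a set of services IT has already sanctioned. It matches each destination host against the catalogue by domain suffix (so subdomains and API hosts are caught), skips sanctioned services, and aggregates the rest by service, user and bytes uploaded, which is the figure most relevant to data leaving the organisation.

```python
"""Find unsanctioned SaaS ("Shadow IT") usage in web-proxy logs.

Added example, not Espion's tooling. Assumes a simple space-separated proxy
log format (the SAMPLE_LOG lines are constructed for this example) and a
hand-maintained catalogue of SaaS domains; a real deployment would read the
proxy/SIEM export and a maintained app-intelligence feed instead.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: timestamp user src_ip method url status bytes_out
SAMPLE_LOG = """\
2015-03-02T09:14:07Z alice 10.1.2.33 POST https://www.dropbox.com/upload 200 5242880
2015-03-02T09:15:11Z alice 10.1.2.33 GET https://app.basecamp.com/projects 200 812
2015-03-02T09:16:40Z bob 10.1.2.57 PUT https://content.dropboxapi.com/2/files/upload 200 10485760
2015-03-02T09:18:02Z bob 10.1.2.57 GET https://login.salesforce.com/ 302 0
2015-03-02T09:20:15Z carol 10.1.2.90 POST https://drive.google.com/upload 200 3145728
2015-03-02T09:21:00Z carol 10.1.2.90 GET https://www.bbc.co.uk/news 200 0
2015-03-02T09:22:30Z dave 10.1.2.12 POST https://we.tl/ 200 73400320
"""

# Catalogue (assumed, hand-maintained): domain suffix -> service name.
# Any subdomain of a listed suffix is attributed to that service.
SAAS_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "basecamp.com": "Basecamp",
    "salesforce.com": "Salesforce",
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
    "we.tl": "WeTransfer",
}

# Services IT has reviewed and approved (assumed enterprise agreements in place).
SANCTIONED = {"Salesforce", "Basecamp"}


def classify_host(host: str):
    """Return the SaaS service a hostname belongs to, or None if unknown."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest suffix first so "drive.google.com" is matched as a
    # whole before any shorter suffix could be considered.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SAAS_CATALOGUE:
            return SAAS_CATALOGUE[suffix]
    return None


def parse_line(line: str):
    """Split one log line into a record; the URL's host is what we classify."""
    ts, user, src_ip, method, url, status, bytes_out = line.split()
    return {"ts": ts, "user": user, "src_ip": src_ip, "method": method,
            "host": urlsplit(url).hostname or "",
            "status": int(status), "bytes_out": int(bytes_out)}


def find_shadow_it(log_text: str):
    """Aggregate unsanctioned SaaS use per service: users, requests, upload bytes."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        service = classify_host(rec["host"])
        if service is None or service in SANCTIONED:
            continue  # unknown site, or an approved service: not Shadow IT
        entry = report[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):  # only count data going out
            entry["bytes_out"] += rec["bytes_out"]
    return {svc: {"users": sorted(v["users"]), "requests": v["requests"],
                  "bytes_out": v["bytes_out"]}
            for svc, v in report.items()}


if __name__ == "__main__":
    # Largest upload volume first: that is where data-loss risk is concentrated.
    for svc, v in sorted(find_shadow_it(SAMPLE_LOG).items(),
                         key=lambda kv: -kv[1]["bytes_out"]):
        print(f"{svc:<12} users={','.join(v['users'])} requests={v['requests']} "
              f"uploaded={v['bytes_out'] / 2**20:.1f} MiB")
```

On the constructed sample this flags Dropbox (alice and bob, 15 MiB uploaded), WeTransfer (dave, 70 MiB) and Google Drive (carol, 3 MiB) while ignoring the sanctioned Basecamp and Salesforce traffic and the unrelated news site. Two practical caveats: hostname-based matching only works where the proxy sees the Host header or SNI, so TLS interception or DNS logs are needed for full coverage, and the catalogue must be kept current, which is where the app-intelligence services mentioned under point (4) come in.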
(2) Quantify the risks by knowing who has access to your corporate data
A key concern should be corporate data access and data confidentiality issues.
By identifying and understanding what data you’re processing, transmitting and storing you can then classify data into categories such as Confidential, Internal Organisational Use Only and Public, etc. This will help you to ensure the right levels of controls are used to protect the data.
(3) What’s the policy?
Consider having an ‘Acceptable Use Policy’ that states what apps, software and devices may be used in the workplace, what part of the network they’re allowed to access and the security procedures and protocols to which they must adhere.
(4) Make use of available ‘intelligence’ resources to find out about these apps
App risk management services and databases of analysed public and private apps can help an enterprise determine the ‘trust’ level of an app (its permissions, data-sharing behaviour and known weaknesses) without having to analyse every app itself.
Apps can then be blocked or permitted based on your own risk appetite and enterprise policies.
(5) Communicate the risks to stakeholders
Explain to colleagues that when they deploy Shadow IT, the configuration and management of that service (applying patches, authentication and access controls, and security testing) falls outside the organisation’s control. That leaves the organisation, and its reputation, exposed to whatever the provider gets wrong.
It’s also important to be aware that using external (ie non-enterprise) versions of online file stores, for example, may result in a loss of access control over data: applications that are not directly controlled by the central IT function are often overlooked in leavers/termination procedures, so a departing employee may keep access to corporate files long after their corporate accounts have been closed.
Enforce the use of approved applications meeting enterprise standards. When and where necessary, restrict network access to any workers who fail to comply.
(6) Fear free apps
While workers may think they’re saving money by opting for free apps, many of these apps generate revenue by sharing user data with third parties such as ad networks, which in turn affects the security and privacy of any corporate data handled by the app.
If you’re not paying for the app you and your company data are the product.
(7) Seek solutions to secure these apps and clouds
When it comes to controlling the extended enterprise both simply and securely, find a solution that can streamline widescale deployments by securing or restricting apps on an automatic basis.
(8) Don’t overlook licensing agreements
Shadow software and apps challenge software asset management compliance. What would your organisation do if unapproved software spurred a compliance/regulatory audit with the risk of attendant fines?
(9) Work with employees to tackle the issue
Aim to work with employees to tackle this issue and have a clear dialogue with business stakeholders about their particular business challenges and requirements.
Ultimately, IT should be enabling the business to work better and smarter at a known level of risk which is accepted by the business.
Remember to build awareness around the hazards of Shadow IT into your company-wide security awareness and training programmes.
(10) Perform security testing on a regular basis
Evaluate device security and app usage on a periodic basis, and include the apps and cloud services actually in use (not just the approved ones) in the scope of your security testing.
[1] Gigaom Research and CipherCloud report (November 2014)