Rethinking shadow IT in 2020
By Alastair Pooley, CIO, Snow Software
The development of cloud and “as-a-service” technologies has made it easier than ever for anyone within an organisation to both purchase and use their preferred applications, often without any involvement from the IT department. This can lead to an increase in so-called “shadow IT” – technology not provided officially by central IT functions – and in the security and operational risks that such technology can bring.
For example, readers will be familiar with the 2018 SingHealth breach where personal data belonging to 1.5 million patients in Singapore was compromised. The root cause of this breach was a server under the care of inexperienced staff who had a limited understanding of IT and security.
Businesses seeking to reduce the risks which stem from shadow IT should seek to educate employees on the threat their behaviour can pose to security. An open dialogue between all employees and the IT team will enable the IT function to better understand what applications employees regularly use and to detect unauthorised and unsecured software. This in turn allows the implementation of active controls.
To do this effectively, IT teams must be empowered by business leaders to strike a balance between the freedom an increasingly digitally-savvy workforce expects and the need to safeguard the business.
A clear picture of the business IT landscape
IT is usually responsible for the security of the organisation, yet with other business units purchasing IT services, it is becoming harder than ever to manage. Given this, it is critical that IT has the tools which can provide visibility of their technology landscape. IT should also ensure that partners are contractually obliged to promptly disclose breaches so that if they happen, the IT team can work swiftly to respond.
An example which demonstrates the need for strong processes is the 2019 Singapore Ministry of Defence (MINDEF) breach, in which two of its vendors were affected by malware. This led to the personal data of many Singapore Armed Forces (SAF) personnel being compromised.
Any solution needs to be able to track both browser-based access of SaaS applications along with the applications installed on every computer and server within the organisation. Once this insight can be achieved, usage and versions can be tracked allowing anomalies or vulnerable versions of software to be identified.
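The following is an added example, not code from the article or from Snow Software, of the two checks that paragraph describes: reviewing an endpoint software inventory against an approved list with minimum patched versions, and reviewing web proxy logs for SaaS access outside an approved set of vendors. The approved lists, the inventory records and the proxy log lines are all constructed for illustration; the "last two labels" domain rule is a simplification (a real deployment would use the public suffix list).

```python
"""Added example: flag shadow IT and outdated software from inventory and proxy data.

Not code from the article or from Snow Software. All data below is constructed.
"""
import re
from urllib.parse import urlsplit

# Approved software and the minimum version IT considers patched (constructed).
APPROVED = {
    "Microsoft Office": "16.0.12527",
    "Google Chrome": "80.0.3987",
    "7-Zip": "19.0",
}

# Approved SaaS vendors by registrable domain (constructed).
APPROVED_SAAS = {"office.com", "salesforce.com"}

# Installed-software inventory as an endpoint agent might report it (constructed).
INVENTORY = [
    {"host": "LAPTOP-01", "name": "Google Chrome", "version": "80.0.3987.132"},
    {"host": "LAPTOP-01", "name": "7-Zip", "version": "18.05"},
    {"host": "LAPTOP-02", "name": "Microsoft Office", "version": "16.0.12527.20278"},
    {"host": "LAPTOP-02", "name": "uTorrent", "version": "3.5.5"},
    {"host": "SRV-FILE-01", "name": "7-Zip", "version": "19.00"},
]

# Web proxy log: timestamp, user, destination URL (constructed).
PROXY_LOG = """\
2020-02-03T09:12:44Z alice https://outlook.office.com/mail/inbox
2020-02-03T09:15:02Z bob https://app.dropbox.com/home
2020-02-03T09:16:10Z alice https://login.salesforce.com/
2020-02-03T09:20:51Z carol https://www.wetransfer.com/
"""


def parse_version(text):
    """Turn '16.0.12527.20278' into (16, 0, 12527, 20278) for numeric comparison.
    Non-numeric fragments such as '-beta' are dropped so comparison never throws."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_outdated(installed, minimum):
    """True if the installed version is below the policy minimum.
    Shorter tuples are padded with zeros so '19.0' and '19.00' compare equal."""
    inst, mn = parse_version(installed), parse_version(minimum)
    n = max(len(inst), len(mn))
    return inst + (0,) * (n - len(inst)) < mn + (0,) * (n - len(mn))


def review_inventory(inventory, approved):
    """Return (unapproved, outdated): lists of (host, name, version).
    Anything not on the approved list is shadow IT; approved software below
    its minimum version is a patching gap."""
    unapproved, outdated = [], []
    for item in inventory:
        key = (item["host"], item["name"], item["version"])
        minimum = approved.get(item["name"])
        if minimum is None:
            unapproved.append(key)
        elif is_outdated(item["version"], minimum):
            outdated.append(key)
    return unapproved, outdated


def registrable_domain(url):
    """Crude 'last two labels' domain, enough for an allowlist of SaaS vendors.
    Simplification: a real deployment would consult the public suffix list."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def review_proxy_log(log_text, approved_saas):
    """Return sorted (user, domain) pairs for SaaS access outside the approved set."""
    findings = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole report
        _ts, user, url = parts
        domain = registrable_domain(url)
        if domain not in approved_saas:
            findings.add((user, domain))
    return sorted(findings)


if __name__ == "__main__":
    unapproved, outdated = review_inventory(INVENTORY, APPROVED)
    print("Unapproved software:", unapproved)
    print("Outdated software:", outdated)
    print("Unapproved SaaS use:", review_proxy_log(PROXY_LOG, APPROVED_SAAS))
```

On the constructed data the inventory review reports uTorrent on LAPTOP-02 as unapproved and 7-Zip 18.05 on LAPTOP-01 as below the patched minimum, while the proxy review reports bob's use of dropbox.com and carol's use of wetransfer.com; those are the items an IT team would follow up with the users concerned rather than simply block.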
Empower employees
Beyond mere technical controls, it is also important to communicate with all employees and educate them on the risks their behaviour can expose the company to. Snow Software’s research found that almost half of all APAC employees have used unofficial software at work. The same proportion have also accessed work documents on personal computers.
By running a security awareness programme, organisations can use different channels to help employees make the right decisions. Competitions for spotting phishing attempts, cybersecurity publicity material, using screen savers and meeting room screens to publicise advice to employees can all be useful. A multi-channel approach is key to ensuring your message is heard.
IT processes
The burden of multiple, ever-changing passwords can be eased by providing single sign-on (SSO) across the centrally-provided and approved applications.
The IT team also needs to implement processes such as a robust joiners, movers and leavers (JML) process, so that staff receive the access rights they need when they join the business, have them adjusted when they change role, and lose them entirely when they leave. Automation tools exist which can help with this, and they bring the particular advantage of strong offboarding, ensuring all access is removed when an employee leaves the business.
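As an added example of the reconciliation a JML process relies on (not code from the article, and not any particular automation product), the script below compares a constructed HR roster against a constructed directory/SSO account list and reports leavers whose accounts are still enabled, movers holding groups their current department is not entitled to, joiners with no account, and accounts with no HR record at all. The department-to-group mapping, the baseline groups and the service-account list are assumptions made for the example.

```python
"""Added example: reconcile an HR roster against directory accounts for JML gaps.

Not code from the article or any vendor. All data and the role mapping are constructed.
"""
from datetime import date

# HR feed: one record per person (constructed).
HR = [
    {"id": "e100", "user": "alice", "status": "active", "dept": "finance", "end": None},
    {"id": "e101", "user": "bob", "status": "left", "dept": "sales", "end": "2020-01-31"},
    {"id": "e102", "user": "carol", "status": "active", "dept": "engineering", "end": None},
    {"id": "e103", "user": "dave", "status": "active", "dept": "sales", "end": None},
]

# Directory/SSO state: enabled flag and group memberships per account (constructed).
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"finance-users", "sales-crm"}},
    "bob": {"enabled": True, "groups": {"sales-crm", "vpn-users"}},
    "carol": {"enabled": True, "groups": {"engineering-users"}},
    "svc-backup": {"enabled": True, "groups": {"backup-ops"}},
}

# Groups each department is entitled to (assumed mapping for the example).
ROLE_GROUPS = {
    "finance": {"finance-users"},
    "sales": {"sales-crm"},
    "engineering": {"engineering-users"},
}
BASELINE_GROUPS = {"vpn-users"}          # groups any active employee may hold
KNOWN_SERVICE_ACCOUNTS = {"svc-backup"}  # non-person accounts with no HR record

# Date the reconciliation is run against (fixed so results are reproducible).
AS_OF = date(2020, 2, 14)


def reconcile(hr, directory, role_groups, today):
    """Return a list of (category, user, detail) findings.

    Categories: 'leaver' (left but still enabled), 'mover' (groups beyond
    current role), 'joiner' (active in HR, no account), 'orphan' (account
    with no HR record that is not a known service account)."""
    findings = []
    hr_by_user = {r["user"]: r for r in hr}

    for user, acct in directory.items():
        rec = hr_by_user.get(user)
        if rec is None:
            if user not in KNOWN_SERVICE_ACCOUNTS:
                findings.append(("orphan", user, "no HR record"))
            continue
        if rec["status"] == "left":
            if acct["enabled"]:
                days = (today - date.fromisoformat(rec["end"])).days
                findings.append(("leaver", user, f"still enabled {days} days after leaving"))
            continue  # a disabled leaver needs no further checks
        # Movers: any group not justified by the current department or the baseline.
        excess = acct["groups"] - role_groups.get(rec["dept"], set()) - BASELINE_GROUPS
        if excess:
            findings.append(("mover", user, "excess groups: " + ", ".join(sorted(excess))))

    # Joiners: active in HR but never provisioned.
    for rec in hr:
        if rec["status"] == "active" and rec["user"] not in directory:
            findings.append(("joiner", rec["user"], "no directory account"))
    return findings


if __name__ == "__main__":
    for category, user, detail in reconcile(HR, DIRECTORY, ROLE_GROUPS, AS_OF):
        print(f"{category:7} {user:10} {detail}")
```

Run on the constructed data it reports alice as a mover still holding the sales-crm group after joining finance, bob as a leaver whose account is still enabled two weeks after his end date, and dave as a joiner with no account; the service account is skipped because it is on the known list. The leaver finding is the one that matters most for security, since it is exactly the access an offboarding process exists to remove.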
The days when IT was the only department making decisions about software have gone. Technology is now at the heart of many functions within any mature business. Finding ways of getting the wider workforce, who may have priorities that compete with those of the IT team, to work with you so that security is not compromised is a new challenge for the IT professional. But it is a vital one to address if both productivity needs and security challenges are to be met.