Network Security: Shadow IT Risk and Prevention

Contrary to many opinions discovered online, shadow IT (a.k.a. rogue or stealth IT) is not down to the IT team saying no or refusing to provide required productivity tools necessary for a specific job role. In truth, it is often down to restrictive budgets and senior management decisions on same. Speaking as an IT pro, we do not care what software users need and would happily supply it if the budget is available and the software need is indicated. WE are not responsible for users installing unauthorised software, using unapproved cloud services or adding their own hardware such as memory sticks and external drives to company systems. BUT, as always, we are expected to assume the responsibility and the blame for such practices.

What are the risks of Shadow IT? How can they be reduced?

As Przemysław Jarmużek, systems administrator & support expert at SMSEagle was quick to point out: “The level of risk will depend on the type of Shadow IT and the motives of the user involved” with common dangers including but not limited to the following:

BYOD

The rise of BYOD in the workplace has tied IT’s hands in cases where IT do not have control of the device. Device owners are free to install whatever they wish on their own device and rightly so. In an ideal world, the device would use mobile device management (MDM) to segregate work and personal use by using a virtual partition. This work ‘partition’ could be managed remotely and the partition could be erased or deleted if the device is lost or stolen or if the employee leaves the company.

Consumerisation of Software

Anyone with a credit card can purchase a cloud service or online subscription to a wide array of software and collaboration tools. Many are free and only need an internet browser to access. This is an obvious problem when trying to control the flow of company data, making it almost impossible to track the impact of a data breach. These unauthorised activities could also have an impact on compliance requirements, especially in relation to data protection and requirements for storage of personally identifiable information (PII). The risk of intellectual property loss also increases if third party service providers are breached by hackers.

Licensing

Users installing licensed software from home is also a danger. Note that this activity is sometime used by malicious employees seeking financial gain. They install illegal software on company systems and then send a ‘tip’ to organisations responsible for copyright theft to obtain a percentage of the high financial penalties levied. This point is demonstrated accurately in a TechCrunch article: Software piracy claims can ruin your business and reward those responsible. An old article but all the points raised are still valid today.

Productivity Aims

Many users install or use unauthorised software and tools to improve productivity and lack any malicious intent. They are just unaware of the possible dangers of installing freeware and paid solutions that are not approved or monitored by IT.

Preventing Shadow IT

Radosław Janowski, product manager at SMSEagle said that “IT cannot be expected to have psychic powers and each department head should provide a list of software and tools that they need to fulfil their roles in a productive manner. This will allow IT to supply it and eliminate the requirement for Shadow IT.”

An excellent point. Tell the IT team that you can’t do your job effectively without software X and tool Y. We will listen and respond with updates.

In fact, there are several ways to reduce shadow IT while enforcing the fact that IT are responsible for security on company equipment and on BYOD devices when the owner has signed an agreement allowing remote administration.

  • Admin Access – There is no reason for users outside the IT team to have the ability to install programs. Any and all programs should be installed and managed by IT.
  • Network Inventory Management – IT will regularly monitor hardware and software assets on the network, automatically detecting any additions and reacting accordingly based on potential risk. There are many tools available to accomplish this task and some will aid security patch and update management.
  • Network and port monitoring – to prevent access to unauthorised cloud services.
  • IT will provide a software repository for all approved software and tools. If additions are required by a user or department, it is formally requested.
  • IT will foster an environment of security awareness to include the potential dangers of Shadow IT and ensure that there is an onboarding process for new employees.

However, without senior management support, none of the above will work. Available budgets and claims of IT interfering in all departments no longer hold weight as IT is needed in all departments. IT are responsible for security and if identified security risks are not acted on, then future problems that result from inactivity cannot be blamed on IT. When you consider that a recent Forbes Insights report finds that more than one in five organizations have experienced a cyber event due to an unsanctioned IT resource, is it worth checking if shadow IT is a potential risk in your business? I think so.

Bring Your Own Device (BYOD) — Security And Other Considerations For Stakeholders

Today’s employees are always connected, thanks to ubiquitous broadband and a wide range of portable devices, from smartphones, tablets and laptops to fitness trackers and a plethora of smart devices such as watches, cameras and GPS navigators. How necessary is this level of connection?

Cinemas and restaurants are no longer peaceful, with beeps, chimes, vibrations and other alerts notifying everyone in the vicinity that something else (generally of a trivial nature) has occurred in your vast network of contacts. It makes sense that social addicts want to spread this contagion to the workplace since not being connected can produce a sense of withdrawal not unlike that of those coming off hard drugs. We need someone to like that oh-so-interesting photo of last night’s chicken chow mein. We need someone to know how we feel at work… Or do we?

BYOD Motivated By Cost Savings?

Let’s look at the motives behind BYOD adoption for companies and device users. Visitors to your home quickly request access to your Wi-Fi as most are tied to a set data plan by their mobile carrier, with a monthly cap and corresponding rate per gigabyte of usage. Using Wi-Fi, device users can access broadband Internet and reduce data usage over 3G, 4G or 5G. Therefore, we can safely conclude that users want BYOD to save money on data charges by connecting to the company Wi-Fi.

Employers also want to save money, of course and by allowing employees to use their own devices, do not have to issue company-owned devices. Since it is likely that personal devices are of a higher spec than those purchased for business use, there are also possible productivity benefits.

In an ideal world, the story ends there, everyone involved saves money and lives happily ever after. Unfortunately, there are drawbacks for both parties, ultimately caused by data, user and device management requirements.

Can any company afford to provide Wi-Fi access without considering potential security risks to the network and the data residing on it? No, as every jurisdiction is likely to have regulations and mandatory requirements relating to data security, personally identifiable information (PII) or indeed e-discovery. Therefore, any cost savings in allowing BYOD are likely cancelled out by the management of BYOD devices.

Practical BYOD Issues

As a former network administrator, I appreciate the additional workload a BYOD program can place on the IT team (the team blamed when the network is breached or data is lost).

The problems with BYOD from a security perspective include but are not limited to:

  1. Permission management–to ensure secure access (by user, device or network credentials), a solution aimed at mobile device management (MDM) is best.
  2. Device Management–companies need to decide on the device types and manufacturers they will allow on the network. Additional requirements could relate to the device OS revision/version involved. To allow all mobile device access is a mistake as cheaper brands could use an earlier OS version with known vulnerabilities or apps that can exploit network connections.
  3. Security updates–if the device owner does not encrypt the device or install security updates then it is a weak point on your network.
  4. Viruses, malware and other threats–again, virus scanners and other security tools must have the latest updates to protect the device and, in turn, the company network.
  5. Employee exit procedures–When the owner of a BYOD device leaves the company, the device must be cleaned to remove company data in a secure manner. This can require admin access to the device, a problem for many device owners, who do not like being ‘spied on’.
  6. Lost or stolen devices–If a BYOD device is lost or stolen, there is a potential data loss/breach involved. For this reason, the remote wipe is a useful admin feature. Unfortunately, such control is often a problem for device owners (see (5)).

For employers considering BYOD, device admin is typically the single thorny issue. If a user does not want the company to administer the device (and I wouldn’t) then the company should not allow the device to connect to company Wi-Fi. End of story. If the same employee needs a company device for travel or remote work, then issue a company-owned device as the company can administer it as they desire.

In conclusion, I believe that constant connectivity is not needed, unless you are a volunteer firefighter or an on-call medical professional. For family emergencies, SMS is still an effective way to receive an urgent message. After all, employees can still use their mobile carriers for internet access if needed at work. From a company perspective, is it easier to only allow company-issues devices access to the network? It varies from company to company, but for the most part, when full administration of employee-owned devices is necessary, the resulting admin and security risks may not be worth it. There are also HR (if an employee uses the device on work tasks outside working hours, expect to compensate that employee) and legal considerations (under e-discovery, mobile devices are included, and data loss can result in substantial fines) in some jurisdictions. I recommend you identify all potential risks before embarking on a BYOD strategy. What do you think? Is the use of personal devices an issue in your company?