THE DANGERS OF SHADOW IT
May 1, 2019
With the focus on security one would think that Shadow IT would be an easy target to eliminate as a threat to the organization, and yet according to a recent industry study the average enterprise is unwittingly exposed to thousands of shadow IT ‘instances’.
Broadly speaking Shadow IT is about devices and applications.
Devices include the traditional desktop, but it’s the recent proliferation of mobile devices such as smartphones that is more difficult to manage. Then there are rogue network switches, IoT devices, physical access security and other ‘management services’.
Given the maturity of mobile device management and security solutions, there is no excuse for an organization to allow Shadow IT devices to exist, but managing Shadow IT applications can be a challenge.
Why is managing shadow IT applications a challenge?
Well, firstly there is the human element. Most of today’s workforce are used to using cloud applications such as Dropbox personally and often use these applications at work for either personal reasons or, worse still, to fill a business requirement.
Some Shadow IT applications are genuinely required by a department with unique needs.
For example, the marketing department may need Adobe Creative Suite, or a business planner may need a brainstorming tool such as Mindjet MindManager. These are exceptions and generally do not pose a significant risk to the business.
What creates significant risk is sharing files outside the protected environment of the organization.
Individuals that use cloud services such as Dropbox personally often use their own account to share files with external parties. In other instances, where there is a need to regularly update information with an external partner, an open source FTP service may be deployed.
So, what are the risks associated with this type of shadow IT?
Firstly, there is data loss. A disgruntled salesperson could copy valuable customer data to help him compete against the organization at his next employer. An engineer could “acquire” valuable intellectual property to sell or perhaps re-use at a competitor.
Secondly, there’s reputational risk. Information may be accidentally shared with a third party or exposed on unsecured devices where bad actors can gain access. In these instances, companies are often required to disclose the breach, even if the data was subsequently secured.
Thirdly, there is a financial cost. Apart from the potential impact on revenue from data loss, or the resources required to rectify a security breach, there are compliance regulations such as GDPR that may impose a fine for inadequately protecting personal data.
Lastly, there is an operational cost. Home-grown FTP solutions are normally undocumented, poorly maintained and 100% reliant on the competency and continued employment of the individual who created them.
Given the risk inherent in these home-grown, cobbled-together solutions, it’s amazing that companies continue down this path, especially when a Secure FTP solution such as DataExpress addresses most of the risks.
Stepping back for a moment, we should mention that the DataExpress Secure FTP solution started off as a Tandem (now HPE) NonStop solution before being ported to open systems, so it’s no surprise that the offering is designed for high availability and security.
So how does DataExpress address these challenges?
DataExpress’ core function is to add management to the file transfer process. For instance, targets can be pre-defined to minimize accidentally sharing data with the wrong external partner, and encryption can be enforced to eliminate the risk of errant transfers.
In addition, the process is automated, and the event is captured in an audit trail to help ensure adherence to regulatory statutes such as PCI, GDPR, Sarbanes-Oxley, etc. Even where ad-hoc transfers are required, the security features within DataExpress can be fully employed.
So, with risk and cost reduced if not eliminated, what are the other benefits?
Standardizing on a secure managed FTP solution like DataExpress removes the operational risks as it’s a fully supported and maintained service. So much so that users perceive and consume the service in the same way as they would use a cloud service.
Eliminating data loss, reducing risk, meeting compliance regulations and improving operational efficiency are all CIO concerns, and organizations may reduce the resource overhead of Shadow IT as well, making it a win-win proposal.