You probably have a Shadow IT problem.
I’m not picking on you. According to statistics from Microsoft, Shadow IT is alive and well at most organizations:
This brief checklist is designed to help you identify four “perfect storm” factors that contribute to the use of unsanctioned IT services.
Why is this so important? Shadow IT leads to 33% of all cyber-attacks.
When a premise-based server is located in your office, where it functions as the official home base for corporate storage and file sharing, connection difficulties are inevitable.
Access may be relatively smooth for in-office employees logging into the local area network. However, employees located elsewhere will have to negotiate a VPN.
“Reliable” and “VPN” aren’t typically mentioned in the same sentence.
It doesn’t take long for this segment of your team to pursue alternate paths when they can’t get in. Common “off the reservation” vehicles include Yahoo Mail, Gmail, and DropBox.
For instance, an employee who is about to head home (and anticipates the VPN will be glitchy) may upload a sensitive Word document to their personal DropBox account to work on it later on their home computer.
And not get frustrated (for the tenth time) unsuccessfully attempting to log into the server back at the office.
Others in a similar position may email a document to their Yahoo account, download it to their home computer shortly thereafter, work on it throughout the evening, then send it back to their corporate email account (and work computer) to finish a few details the following day.
Why do both of these examples present a problem? Yahoo Mail and DropBox are significantly easier to breach than private, encrypted services. Once infiltrated, threat actors gain easy access to your server and everything else connected to it.
Learn More: Biggest Data Breaches Updated for 2021
Phishing emails are like rats. If you see a few, several dozen more rodents are hiding in the nooks and crannies, ready to rummage around the kitchen as soon as you hit the sack.
And if you have a steady stream of phishing emails, chances are some of your employees have already taken the bait (clicked on links, downloaded PDFs, or responded).
Now you probably have malware that is difficult to detect if you don’t have the right tools. Malware is elusive, and its administrators are very patient, sometimes waiting more than a year before launching a digital assault.
Malware ultimately leads to ransomware attacks that include but are not limited to blocked access to IT systems, data loss, remediation expense, bitcoin extortion plots, lawsuits, bad PR, and skyrocketing insurance rates or denial of coverage.
Learn More: The High Cost of Ransomware
Software designed for servers does not work very well on mobile devices. The second users figure this out, they can easily hit the Apple or Android app store and find a suitable workaround. The same is true of websites – both reputable and disreputable.
Two issues arise here: your employees are conducting business on software that sits outside of your sovereign digital estate, and their devices and apps will be intermingling with your corporate network.
Your IT staff or MSP don’t have visibility, and the door is wide open for widespread malfeasance. For instance, when someone charges their iPhone via one of the USB ports on their office workstation, viruses and malware are instantly injected into your network.
The same risks apply to personally owned computers that live at home or travel back and forth.
Remote workers and their laptops and desktops operate over unsecured home and business WiFi networks (Starbucks, Panera Bread, etc.). All are wide open and a lot easier to use than the annoying (but safer) VPN we covered in the first section.
A few trouble spots emerge here. Many people store passwords on spreadsheets located on their desktops. Bank statements and medical records too. This data is easy to grab and parlay into an oasis of other private information, myriad password-protected accounts, networks, and financial rewards.
I would even caution against allowing salespeople to give their personal cellphone numbers to clients and prospects. This effectively removes your main number and company-issued DIDs from relationships and creates an onramp for clients and prospects to follow salespeople who may jump ship.
Personal numbers also evade call recording capabilities that capture valuable marketing data and provide granular training insights.
You may spend a few years trying to cultivate a new client, and they could end up working with someone on your team – after they join a competitor’s team. Ask anyone in commercial real estate or financial planning about this.
Learn More: The Largest App Related Data Breaches
Today’s workforce skews younger (largely under forty), and social media is richly woven into their lives.
Both LinkedIn and Facebook are powerful platforms for connecting with clients. However, personal accounts (versus corporate ones) can siphon off valuable data better groomed and preserved in company-approved silos.
Even corporate-owned social media accounts can pose problems. Integris had a client with a consultant who was trying to open service tickets through our Facebook page.
(She wasn’t a registered user and obviously had not attended our new client tech support kick-off meeting.)
Her inquiry was trivial in nature and easy to address once we shifted the conversation to the proper channels. Thank goodness she didn’t use Facebook to request help for a more pressing matter and simultaneously broadcast easy to exploit IT weaknesses.
For example, a worst-case scenario announcement to the largest social network in the world might go like this: “Our office has just been flooded. Everybody has to work from home. We need a lot of new computers, and we can’t reach the server.”
Opportunistic attackers (but I repeat myself) would have a field day with this information and pile on without hesitation amidst the chaos.
If you give your employees what they need, train them, and enforce policies, they won’t have to improvise. A simple survey of IT needs is a step in the right direction.
But a technical solution is the most effective long-term strategy. Do you want to maximize the benefits of business-class IT: security, availability, performance, confidentiality, and compliance?
I recommend you explore Cloud App Security Broker (CASB) from Microsoft with the assistance of your IT provider.
They will help you understand the nuances as well as manage the application on your behalf.
CASB fulfills the following roles:
Learn More: What is Cloud App Security?
Technology has broken down the walls between the office and home, with more than 40 percent of employees in 2023 working in some hybrid or fully remote arrangement, according to FORBES. Fortunately, SharePoint intranets are coming to the rescue with inexpensive,...
Creating a desktop shortcut to a Microsoft OneNote notebook or section can be a real productivity and organizational boost for users who frequently access specific notes or projects. A desktop shortcut enables instant access to important information, bypassing the...
Managing your IT operations is a big job, especially if you're a small or mid-sized company without the resources to hire a full internal IT staff. In these cases, most companies hire a managed IT service provider to fill the gaps. Yet, knowing who to hire and what...