Three shadow IT security challenges directly impacting mobile enterprises
Most IT professionals by now have come to terms, however begrudgingly, with the existence of “shadow IT” within their enterprises. They know employees are using mobile applications, personal cloud storage and work-related tools without informing the IT department. This creates a shadow IT security gap. However, CIOs may avoid cracking down because they realize employees are more productive when they use the tools of their choice. Even if IT banned unapproved applications, employees would keep using them anyway. Who’s going to tell the CEO she has to uninstall her favorite note-taking app because it’s not on the whitelist?
While unapproved tools may have a legitimate and useful role in the enterprise, it would be dangerous for CIOs and IT leaders to ignore the potential hazards of unauthorized mobile apps, devices and cloud services. Here are the three biggest risks associated with shadow IT:
1. Data Loss and Theft
Mobile employees are among the biggest users of shadow IT, in large part because it literally takes seconds to download, install and open a mobile app. From there, it’s easy for workers to access, share and store enterprise data using these tools, which may offer little or no data protection when an unauthorized user picks up the device. To make things worse, millions of mobile devices are stolen or lost every year, exposing data stored in poorly secured shadow apps. Corporate plans, intellectual property and customers’ personal and financial information may reside on, or be accessible from, a missing device.
A 2012 Symantec study, in which researchers intentionally lost 50 smartphones, concluded that “when a business-connected mobile device is lost, there is more than an 80 percent chance that an attempt will be made to breach corporate data and/or networks.” Enterprises need to be concerned about shadow IT security, especially when users store sensitive data in particularly vulnerable applications.
2. Malicious Applications
Shadow IT has been primarily fueled by the consumerization of the enterprise and younger employees’ familiarity with digital technology. They are used to downloading whatever apps they want to meet their personal or professional needs. The real problem arises when mobile employees turn to third-party websites for apps. These sites, many of which are located in Asia and Eastern Europe, are notorious for harboring malicious apps and malware. A worker downloading a third-party app could be unknowingly providing an entry point through which an attacker can steal valuable enterprise or customer data.
3. Regulatory Compliance
Even if mobile enterprise workers never lost their devices or downloaded apps from third-party sites, their use of shadow IT could still create regulatory problems for the enterprise. Compliance is especially important in the financial sector, where there are strict rules for handling sensitive data such as consumer banking information and Social Security numbers. Shadow apps that violate financial reporting compliance measures not only put customer data at risk, but also trigger costly audits, penalties and fines.
Shadow IT, to a great extent, is a product of BYOD policies and consumerization. Thus, it’s likely to be a permanent fixture in the working world. CIOs and other IT decision makers need to find a balance between letting employees choose their own productivity tools and securing enterprise data. The keys to accomplishing this are transparency, communication, education and clear usage policies.