Rogue Users and Shadow IT

According to mobile document vendor, harmon.ie, the winner of their contest on “Rogue IT” horror stories was an unnamed Macbook owner who, frustrated by the absence of wi-fi in his company, decided to “solve” the problem by bringing in his own wireless router. It was one of those routers that didn’t require any configuration of wireless, or even security settings.

Everything seemed good at first, but a few days later he noticed that his Internet connection was now slower than usual. At first he thought it was just a temporary ISP glitch, but when it didn’t improve, a security consultant was called in to investigate.

The consultant found that a hacker had attached himself to the local network and had grabbed all of the wireless traffic from the wireless router. This included all the internal passwords to the company’s accounting and file server, and these were being sent to a server in Asia. The hacker was efficient and left no trail, so there was no way to know what was taken and/or used.

Needless to say, this caused a great deal of work for the company changing passwords and installing better security systems and policies.

Of course this is a more extreme, and some would say idiotic, example. However, a search across the web reveals many horror stories of the chaos that can ensue when users “go rogue”.

What Does it Mean for a User to go Rogue, and What is “Shadow IT”?

Wikipedia defines it thus:

“Shadow IT is a term often used to describe information-technology systems and solutions built and used inside organizations without explicit organizational approval. It is also used, along with the term “Stealth IT”, to describe solutions specified and deployed by departments other than the IT department.”

Users “going rogue” often refers to users who are used to a piece of software, don’t find it on the company servers, and then install it on their own desktops without telling the IT Manager.

So, when the network gets infected, the IT Manager is unaware that he has “rogue” users, and he can end up wasting time looking in the wrong places for a solution.

Another problem with rogue IT, as it’s also sometimes called, is that these days it’s so easy for users to download and install insecure programs and apps on their local systems, often completely unaware of the potential consequences.

To put this in perspective, according to a survey conducted by United Sample in 2013 with 500 businesses, such rogue behavior by users costs companies an estimated $2 billion a year to clean up. The same survey revealed that 27% of workers who went rogue reported immediate and dire consequences, including sharing valuable information with competitors, and even lawsuits that resulted in financial penalties.

In a recent survey by Spiceworks, 78% of IT Managers said their end users have gone behind their back more than once to set up unapproved cloud services, putting their organization’s data more at risk.

Here are some common examples of rogue IT:

  • Using cloud storage, like DropBox, GoogleDrive, OneDrive or Box, to remotely access and transfer data between personal and company devices.
  • Installing Skype or other forms of VoIP software for communications between other staff and clients.
  • Using or creating productivity and workflow processes separate from the corporate network, often using cloud-based applications such as online project managers, or notebook programs like Evernote.
  • Connecting physical devices, such as USB sticks or external hard drives, directly to the corporate network, and then using these to transfer sensitive or confidential information.
  • Downloading instant messaging applications, like Yahoo Messenger or WhatsApp, onto corporate smartphones and tablets.
  • Downloading and accessing social media applications. Facebook, Skype and Twitter are on top of the list of sites containing the most malware, according to Internet security company, Zscaler. Users often click on or unwittingly download malicious applications without realizing they have put themselves and their organizations in danger.
  • Developing, using and sharing self-developed Excel spreadsheets and macros, or using Google Docs or Microsoft Office 365.

What Can You do to Minimize Rogue or Shadow IT?

Now that many company staff rely so heavily on their smartphones, and on cloud apps that give them access to company systems and data from anywhere at any time, such employees often no longer feel a need to go through IT “middlemen” for certain activities. They want access to their preferred tools that they’re used to and are facile in, and they want it all the time.

One common reason that employees circumvent company policies is that the apps and solutions they’re being asked to use are too complex or too time-consuming, and they feel they can get their job done faster and more easily using the tools they are used to. If an organization does not provide secure alternatives that are as simple to use as those that users can easily find online, its IT staff may be at serious risk of rogue IT.

Shadow IT was a constant problem for close to ten years at the University of Michigan in Ann Arbor, per Tim Rolston, a former IT director there. Most users there deployed shadow IT systems to fill a need that official IT systems had not addressed. Rolston calls such shadow IT systems “gap solutions”. “When you identify a successful gap solution running in your environment, embrace it, fund it and absorb it into your service catalog if it provides sufficient value”, Rolston said.

Our recommendation? Do a survey of your users to find out what non-approved applications they are using and create or set up company-sanctioned secure alternatives that are accessible via your servers.

Set things up so that you can get detailed visibility of the applications that are being used and how they are used. This will give you the ability to know what functions you need to supply to your users. It will also enable you to define the key policies you need, and to block applications that are insecure and actually unnecessary, while controlling access to and usage of the ones that are critical to your business.
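
As an added example (not part of the original article or any vendor’s product), one way to get this kind of visibility is to summarize web proxy logs by cloud service and by user. The log format, user names, hostname map and sanctioned list below are constructed assumptions.

```python
from collections import defaultdict

# Assumption: illustrative hostname suffixes for services the article names.
SERVICES = {
    "dropbox.com": "Dropbox",
    "onedrive.live.com": "OneDrive",
    "box.com": "Box",
    "evernote.com": "Evernote",
    "whatsapp.net": "WhatsApp",
}
SANCTIONED = {"OneDrive"}  # assumption: the only service IT has approved
# Constructed sample log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2016-11-01T09:02:11 alice CONNECT www.dropbox.com 48211900
2016-11-01T09:05:40 bob CONNECT onedrive.live.com 1200344
2016-11-01T09:15:27 carol CONNECT www.evernote.com 88412
2016-11-01T09:20:03 carol CONNECT client.dropbox.com 930211
malformed line
2016-11-01T09:31:55 bob CONNECT mmg.whatsapp.net 15000
"""

def classify(host):
    """Match on whole DNS labels so dropbox.com is not counted as box.com."""
    host = host.lower().rstrip(".")
    for suffix, name in SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def inventory(log_text):
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines instead of aborting the run
        _, user, _, host, sent = parts
        if service := classify(host):
            usage[service]["users"].add(user)
            usage[service]["bytes_out"] += int(sent)
    return usage

def unsanctioned_report(log_text):
    """Unsanctioned services as (name, users, bytes_out), largest upload first."""
    rows = [(name, sorted(d["users"]), d["bytes_out"])
            for name, d in inventory(log_text).items() if name not in SANCTIONED]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    print(unsanctioned_report(SAMPLE_LOG))
```

The per-service user list and upload volume show which “gap solutions” are actually in use and how heavily, which is the input needed to decide what to block, what to keep with safeguards, and what to replace.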

You have to determine and implement a good balance between limiting access, to reduce the risk of data exposure and other potential attacks, and not disrupting your core business activities.

Other Factors That Foster Shadow IT

Some other factors that can contribute to encouraging rogue or shadow IT are complex IT policies and outdated software. This is often not a trivial problem to handle. An easy potential solution would be to make your IT policies simple to understand and apply. A not-always-easy solution is to convince those who hold the organization’s “purse strings” to allow you to keep your devices and software up-to-date.

Here’s another recommendation: Don’t pretend that shadow IT doesn’t exist. Openly acknowledge its presence in your company and also openly communicate with employees about how you will be responding to their needs, and provide a reasonable time for the switches to IT-approved alternatives.

If you don’t focus on and prioritize end-user experience, shadow IT will incubate.

There are certain tools where it would be hard to build a better internal version. An example is cloud-based file sharing applications such as the ones mentioned above. When large files are involved, e-mail just won’t cut it. A solution is to utilize the corporate version of such tools and to ensure that users don’t connect them to their personal versions of these tools.

Summary

Shadow or rogue IT can cost companies greatly.

IT Managers should find out what shadow IT services their users are using, how and why they’re using them and determine which have to be removed, which can be used with suitable security safeguards, and which can be replaced with IT-provided services.

IT-provided services should ideally be just as good as or better than what employees can obtain on their own from outside services. (Okay, yeah this is often easier said than done; but for any big goal to happen, you have to first state it.)

The key is to find ways to utilize tools like these in ways that don’t in any way compromise corporate security. Keeping up to date with next generation security capabilities to identify, track and manage cloud-based applications is vital in such a scenario.

Clever Tip: As an additional note, a single sign-on to all applications (especially web and cloud apps) can be a secret weapon to winning back employees from the dark side, as it makes their lives much easier.

Sources:

http://www.informationweek.com/strategic-cio/it-strategy/shadow-it-8-ways-to-cope/d/d-id/1319535

https://www.skyhighnetworks.com/cloud-security-university/what-is-shadow-it/

http://www.cio.com/article/2968281/cio-role/cios-vastly-underestimate-extent-of-shadow-it.html

http://www.securityinnovationeurope.com/blog/is-shadow-it-a-threat-to-your-organisation

http://www.information-age.com/20-riskiest-shadow-it-applications-and-how-manage-them-123460837/

https://www.zscaler.com/

http://www.zdnet.com/article/rogue-it-sad-truths-and-unfortunate-stories/

https://harmon.ie/blog/harmonie-rogue-it-horror-contest-stories

https://harmon.ie/sites/default/files/images/docs/RogueITReport.pdf

http://searchcloudcomputing.techtarget.com/tip/Build-a-shadow-IT-strategy-all-departments-will-love.

Photo credits:

Hacker photo: Morguefile.com/davidpwhelan.

Keyboard photo: FreeImages.com/Nikolaus Wogen.

Frustrated user photo: FreeImages.com/Rajesh Sundaram.

 

November 29th, 2016 | Blog