As “Bring Your Own Device” (BYOD) continues to take centre stage in the IT landscape, less attention has been given to the rise of another tech trend known as “Shadow IT” or “Bring Your Own Collaboration” (BYOC).
Whilst BYOD has been seen by many as a largely positive trend, BYOC represents a huge threat and has significant security implications: it results in confidential company data leaving the systems and networks controlled by the company’s IT department, which leaves that data open to loss or theft.
In May 2014, Dropbox came under fire when it transpired that there was a vulnerability in the service’s “security through obscurity” approach to private file sharing. This vulnerability occurred when users shared files via private links, which were subsequently inserted into the search box of their browsers rather than the URL box. The result was that these “searches” were logged and able to be accessed by third parties. Whilst this vulnerability was only evident if users entered private file links into a browser’s search box in error, it did highlight a flaw in the service’s approach of creating security through the generation of obscure links. The flaw was just one of 2014’s many examples of how a company’s confidential data could be left at risk should appropriate security settings not be selected.
The modern workplace no longer consists of a single office site or even multiple office sites, as employees are becoming more mobile, dividing time between multiple office locations, their homes and public places such as cafes and libraries. This growing mobility in the workplace has led to an increased need to access files on the go and, consequently, to the BYOC trend becoming more prevalent. Whilst BYOC can potentially make employees’ lives easier in the short term, it comes with a raft of data security problems for IT managers, as the consumer file sharing and collaboration services being used lack several security features of their enterprise counterparts. They do not have corporate Service Level Agreements (SLAs) or corporate terms of use, and their positions regarding data privacy are seldom stated clearly.
Once data has been transferred to a consumer file storage or collaboration service, it has left the boundaries of the corporate network and can no longer be managed centrally. Should an employee leave an organisation, their access to this data, or their ability to take it with them to a new employer, cannot be revoked.
Dropbox isn’t the only consumer file sharing software that has found itself receiving negative press. Apple was infamously under scrutiny back in August 2014 when private images of over 100 female celebrities were leaked online. It was originally thought that hackers had found an exploit in its iCloud service that allowed them to brute force their way into the celebrities’ iCloud accounts. It later emerged that the hackers had employed a targeted phishing scam in order to retrieve the celebrities’ passwords.
Similarly, Microsoft’s OneDrive experienced a major service outage in November 2014, which led to users being unable to access their cloud-based files. Whilst this outage only lasted a couple of days, many users were clueless as to what had caused the outage and whether their data would be intact when normal service resumed. These incidents bring to light the risk of relying on predominantly consumer-focused services from both a security and reliability perspective.
There are a number of steps that businesses can take in order to ensure that their employees remain compliant whilst being able to benefit from remote and collaborative software.
Understand why consumer technology is being used
For a business owner, the first step to facilitating secure remote and collaborative working is to recognise why employees use these consumer cloud technologies. Many staff use these services as a way to drive productivity, and asking them which particular functions they find most useful will allow companies to determine what their current infrastructure might be lacking.
Educate staff on the risks
Once businesses have started to understand why certain technologies are being used, they can start to work towards educating their staff on the risks associated with them.
When technologies such as iCloud are used in the workplace, employees tend to be unaware of the security risks. Whilst their intentions are often good, educating staff is an essential step in ensuring the potential threats are understood.
Employ the right technologies
After businesses understand why certain technologies are used within the workplace and have communicated the security risks to their employees, the next step is to look at their current infrastructure and available technologies to uncover how they might be able to deliver the functionality employees require whilst remaining safe and compliant.
For many businesses, enterprise-grade remote working and collaboration is becoming essential. By properly integrating these collaboration technologies into the workplace, organisations are able to ensure that all employees are using the same technology, which allows administrators to properly and effectively manage confidential data.
These professional services also offer considerably more security and privacy than their consumer counterparts, through features such as two-factor authentication, integration with Active Directory and assurances regarding encryption and data sovereignty.
Following the introduction of this type of technology into the workplace, companies can feel more confident that their staff are working productively whilst adhering to the acceptable usage policy. For the end user, the benefits over a consumer service are perhaps less obvious. Whilst the functionality they receive will be almost identical to using consumer services, they will have a much safer and more secure collaboration tool.
By Chris Sigley, General Manager of Redstor