IBM says: “Shadow IT is any software, hardware or IT resource used on an enterprise network without the IT department’s approval and often without IT’s knowledge or oversight.” And according to Randori’s State of Attack Surface Management 2022 report, nearly 7 in 10 organisations have been compromised by shadow IT in the past year. Full details here: https://www.ibm.com/topics/shadow-it#:~:text=Sharing%20work%20files%20on%20a,malicious%20assets%20planted%20by%20hackers.
Shadow IT is the insidious, creeping adoption of unauthorised applications (or unauthorised devices), often as shortcuts to get the job done, such as the use of consumer apps for business communications: for example, sending a message to a colleague to arrange a stop at a coffee shop before a meeting. This sounds innocent, yet it can be the thin end of the wedge, as the app gradually becomes a ‘de facto’ key application across the organisation and is used for more sensitive corporate scenarios. The habit forms, it spreads across the enterprise, and people end up using these consumer apps to discuss business, putting sensitive corporate data at risk. Here’s how.
How do you separate business and personal data?
If your employees are using their own phones (i.e. BYOD) to send and receive work-related information, it begs the question, who owns those messages?
If it’s work data, then the business owns it, even if it’s held on a personally owned device. But while the business owns it, it doesn’t control it. This is an important point, because what happens if the data is forwarded to an unauthorised third party? Could there be GDPR issues? What if the data is misused, causing embarrassment to the business or harming its reputation? Were the WhatsApp messages that ex-Minister Matt Hancock shared with a hostile journalist really his to share? They were on his phone, but they discussed matters of state and involved colleagues. Our previous blog gives the details of this sorry episode, and the very serious risk that the use of such apps poses to corporate data. https://www.armourcomms.com/2023/03/20/the-hancock-saga-exactly-how-not-to-manage-sensitive-information/
How do you leverage BYOD safely?
BYOD devices provide benefits to both employee and organisation. No one really wants to carry two phones around, so using personal devices is great for the employee. However, while utilising the tech that staff already have is a siren call for managers looking to make the most of IT budgets, it brings with it a range of risks, chief among them managing data on a device that the organisation doesn’t own. The risk to corporate data could be mitigated with any number of mobile device management solutions, but people are extremely resistant to having their personal property controlled in this manner. The trick is to securely separate work data from home data.
How do you combat the risk of consumer apps in business?
Providing a separate app for all business communications puts you back in control of your data while enabling the use of BYOD devices.
A separate app for business communications means that all work data is ring-fenced in a secure platform. It avoids data, photos/images and documents being leaked to other non-managed applications on the phone. Ideally, it also provides a secure audit facility, meaning that a copy of all communications and associated files is saved and can be reviewed later, subject to the appropriate security processes (crucial in regulated industries). This audit feature needs to work even if the original messages have been deleted from the user’s device (whether through normal use or in an attempt to hide misuse), something that simply can’t be achieved with a consumer app.
Keeping control of data
With a built-for-purpose, secure-by-design communications solution, the organisation can retain control of its messages/communications data, even after sending. Features like Message Burn mean that a message can be set to delete after a set amount of time, either after it has been sent or after it has been read. This feature should be configurable by the individual sender, or by central administration as part of a group security policy. Furthermore, central administration features should be able to ensure that all messages can be deleted from devices after a set time, say 30 days.
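To make the two controls described above concrete, the audit copy that outlives deletion on the device and the burn/retention policy with a central cap, here is an added Python model. It is illustrative code written for this post, not Armour Mobile’s implementation; the server class, policy names, users (alice, bob, carol), timestamps and message texts are all constructed for the example. The one design rule it encodes is that the earliest deadline always wins: a sender or group policy can shorten retention, but nothing can extend it past the central 30-day maximum.

```python
"""Constructed model of a managed business-messaging store (added example).

Shows (1) message expiry ("burn") set by the sender or a group policy, always
capped by a central maximum retention, and (2) a server-side audit copy that
survives deletion on the device. Names, times and messages are made up.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Central hard cap on how long any message may remain on a device.
CENTRAL_MAX_RETENTION = timedelta(days=30)


@dataclass
class BurnPolicy:
    """Delete after a delay measured from sending and/or from reading."""
    after_sent: Optional[timedelta] = None
    after_read: Optional[timedelta] = None


@dataclass
class Message:
    msg_id: str
    sender: str
    body: str
    sent_at: datetime
    read_at: Optional[datetime] = None
    sender_policy: Optional[BurnPolicy] = None   # per-message sender setting


def effective_expiry(msg: Message, group_policy: Optional[BurnPolicy],
                     central_max: timedelta = CENTRAL_MAX_RETENTION) -> datetime:
    """Earliest deadline wins: policies can only shorten the central cap."""
    deadlines = [msg.sent_at + central_max]
    for policy in (group_policy, msg.sender_policy):
        if policy is None:
            continue
        if policy.after_sent is not None:
            deadlines.append(msg.sent_at + policy.after_sent)
        # An after-read timer only starts once the message has been read.
        if policy.after_read is not None and msg.read_at is not None:
            deadlines.append(msg.read_at + policy.after_read)
    return min(deadlines)


class MessagingServer:
    """Hypothetical server holding per-user mailboxes plus an audit log."""

    def __init__(self, group_policy: Optional[BurnPolicy] = None):
        self.group_policy = group_policy
        self.devices: Dict[str, Dict[str, Message]] = {}   # user -> mailbox
        self.audit_log: List[Message] = []                  # server-side copies

    def deliver(self, msg: Message, recipients: List[str]) -> None:
        # Audit copy is written before delivery, so it exists regardless of
        # what later happens on any device.
        self.audit_log.append(msg)
        for user in recipients:
            self.devices.setdefault(user, {})[msg.msg_id] = msg

    def device_delete(self, user: str, msg_id: str) -> bool:
        """User deletes locally; the audit copy is unaffected."""
        return self.devices.get(user, {}).pop(msg_id, None) is not None

    def purge_expired(self, now: datetime) -> List[str]:
        """Enforce burn/retention policy on every mailbox; return purged ids."""
        purged = set()
        for mailbox in self.devices.values():
            for msg_id, msg in list(mailbox.items()):
                if effective_expiry(msg, self.group_policy) <= now:
                    del mailbox[msg_id]
                    purged.add(msg_id)
        return sorted(purged)

    def audit_ids(self) -> List[str]:
        return [m.msg_id for m in self.audit_log]


def hours_after_send(msg: Message, group_policy: Optional[BurnPolicy]) -> float:
    return (effective_expiry(msg, group_policy) - msg.sent_at).total_seconds() / 3600


def demo() -> dict:
    """Constructed scenario: group policy burns 7 days after sending; alice
    additionally sets a 1-hour after-read burn on one message."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    group = BurnPolicy(after_sent=timedelta(days=7))
    server = MessagingServer(group_policy=group)
    m1 = Message("m1", "alice", "Coffee at 9 before the board meeting?", t0,
                 read_at=t0 + timedelta(days=1),
                 sender_policy=BurnPolicy(after_read=timedelta(hours=1)))
    m2 = Message("m2", "alice", "Draft contract attached", t0)
    # A sender asking for 90 days with no group policy still hits the cap.
    m3 = Message("m3", "alice", "Keep this one", t0,
                 sender_policy=BurnPolicy(after_sent=timedelta(days=90)))
    server.deliver(m1, ["bob"])
    server.deliver(m2, ["bob", "carol"])
    server.device_delete("bob", "m2")                        # bob deletes locally
    purged = server.purge_expired(t0 + timedelta(days=2))    # m1 burned, m2 kept
    return {
        "purged_at_day2": purged,
        "bob_mailbox": sorted(server.devices["bob"]),
        "carol_mailbox": sorted(server.devices["carol"]),
        "audit": server.audit_ids(),
        "m1_expiry_hours": hours_after_send(m1, group),
        "m2_expiry_hours": hours_after_send(m2, group),
        "m3_capped_hours": hours_after_send(m3, None),
    }


if __name__ == "__main__":
    print(demo())
```

In the scenario, bob’s local deletion of the contract message and the automatic burn of the coffee message both empty his mailbox, while carol still holds her copy and the audit log retains both; the 90-day request on the third message is silently clamped to the 30-day central maximum.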
Central administration and a controlled environment also mean that only invited people can join the collaboration/communications group. This significantly reduces the risk from phishing and deepfake scams because people always know who they are communicating with. Only authorised users can access the app, making it much more difficult to spoof an identity.
Secure communications apps such as Armour Mobile are every bit as easy and intuitive for end users as consumer-grade apps, providing a very similar experience. Not only does using a specific application for business purposes keep your enterprise data under your control, it also fosters a more security-conscious approach to safeguarding data throughout your organisation, and it helps to mitigate one of the biggest risks of shadow IT within the enterprise – the use of consumer apps for business.
For more information about how Armour Comms can help your organisation combat the creep of shadow IT and keep control of business data, even on BYOD devices, contact us today.