This week, The New York Times reported that former Secretary of State Hillary Clinton used personal email accounts to conduct official State business during her four years as Secretary of State, potentially violating federal record retention regulations for official correspondence.
This revelation should have public- and private-sector IT pros questioning their policies and practices around shadow IT – the applications and services used outside the formal control of the information technology department.
The Times wrote: “Her expansive use of the private account was alarming to current and former National Archives and Records Administration officials and government watchdogs, who called it a serious breach.”
Surely, The State Department had an enterprise-grade email solution in place in 2013. We can only hope that Clinton protected her personal accounts with something more sophisticated than “Chelsea1980”.
IT has an important job, and keeping tabs on the personal email accounts of executives or high-ranking officials should be the least of its worries. However, with 783 reported data breaches in 2014, according to the Identity Theft Resource Center, shadow IT is a strategic IT issue that is too important to ignore.
The topic raises an important issue around the policy and practice of shadow IT: individual or departmental use of consumer-grade applications such as personal email accounts and cloud storage, departmental (or individual) SaaS accounts, and even employee social media activity. All of these fall within the category in an age where the lines between work life and personal life are increasingly blurred.
While there may be individual, departmental or even organisational benefits to some elements of shadow IT, there are both operational and security risks associated with it and with professionals’ use of consumer-grade tools for email, cloud storage and other services. CIOs and IT leaders need to be vigilant in developing, instituting and enforcing corporate IT governance policies and procedures.
In Vision Solutions’ 2015 State of Resilience Report, 52% of IT executives said they don’t have processes in place to manage outside sources such as Dropbox. Meanwhile, 70% of employees who use Dropbox do so solely for work, according to a 2013 Forrester report, and shadow IT appeared as a concern for the first time in the 2015 SIM IT Trends Study.
Shadow IT can cloud everything
In Through the Wormhole, Morgan Freeman speaks about the specter of a “shadow universe”.
“We live in a universe filled with light… At least that’s what it looks like… But scientists are now certain there is far more matter in this universe than we can see. We know this dark matter must exist, because we can detect the pull of its gravity,” Freeman wrote. According to scientists, dark matter is pulling stars off their expected courses, and the ramifications for unsuspecting galaxies and planets can be great.
Similarly, shadow IT can pull not only the IT organisation off course, but the entire enterprise. Gartner reported in its 2015 CIO Agenda that shadow IT consumes as much as 20% of a company’s IT resources and, for the first time, respondents to the SIM IT Trends Study included shadow IT among their list of management concerns.
So what happens when Dropbox experiences downtime, as it did in January of last year? How do businesses react? What happens to the customer data, financial data or important documents they stored there?
When nearly two-thirds of organisations using the cloud reported not having HA or DR solutions for their enterprise applications, according to Vision Solutions, you can imagine how few companies are able to recover from, or are even monitoring, employee activity in the cloud.
The small matter of security
Former FBI Director Robert Mueller said in 2012, “There are only two types of companies: those that have been hacked and those that will be.”
What kind of security risks does shadow IT create for your organisation? What happens when an employee uses the same password for both personal and enterprise accounts and hackers target that person’s personal account?
Their low-security Google Drive password just created a big headache for your organisation.
You may not face a public records request that brings the specter of shadow IT in your organisation to light, but publicly traded corporations have internal control requirements to consider and private companies are notoriously protective of their intellectual property and confidential information.
All it takes is one instance and your company can be front-page news – and not in a good way.
Sourced from Bob Dvorak, founder and president, KillerIT