More than ever in the age of ransomware, malware, botnets, hacking, phishing, lost USB sticks, and many more threats, IT departments cannot afford to switch off for one moment when protecting the company’s data, intellectual property and workforce – its crown jewels.
It’s also worth noting that these threats do not all emanate from remote hackers in distant outposts around the world – they can also, inadvertently, come from your organisation’s own IT users. In the concept broadly defined as ‘shadow IT’, the main problem used to be when users accessed company data from their own devices without the requisite security in place.
A moving target
In the era of increasing proliferation of freely available cloud software solutions and personnel using their initiative to get the job done in an efficient and ‘on-the-go’ manner, the definition of shadow IT has broadened from just that of devices. Among the many definitions for shadow IT, we felt a good one was “technology in the organisation that hasn’t been provided or passed through the company’s IT department”.
Unlike deliberate external hacks or rare cases of employee foul play, none of this user activity is malicious or deliberate; while on the one hand this is good, in some ways it makes the problem a bigger one for IT in that it’s difficult to keep track of this plethora of technology to ensure nothing falls through the cracks.
Although the cost to the organisation and the actual benefits to business and productivity are continually debated, the fact remains that there is a need to keep business data safe. Therefore the need for a robust and reliable IT security policy in your organisation simply can’t be overstated.
Striking the right balance
While every organisation is different, there are also commonalities to be found. One of these is the need to work with the broader business on a regular basis in order to understand the users’ requirements, concerns and frustrations with the tools at their disposal.
To put it another way, the issue of shadow IT can be approached in different ways. The extreme way is to lock down all unauthorised software applications and USB ports on users’ devices. While this seems favourable on one hand, it also risks at best alienating and demotivating the user base, and at worst inhibiting the company’s sales growth. Forbes put it another way: that it “may be better to embrace shadow IT and work with it, rather than shut it down”. The Cloud Security Alliance estimates that some 92% of organisations recognise that at least some level of unauthorised cloud service purchasing takes place without IT’s knowledge.
IT’s About Time you secured your data
However, it’s one thing to talk about embracing shadow IT, and another to do so while keeping company data safe at the same time. Any IT strategy that embraces any form of shadow IT will require a strong emphasis on data protection, not only for protection of the company’s reputation and brand, but also to maintain compliance with regulations such as the GDPR.
At the same time, the more malicious threats that we mentioned previously are not showing any sign of going away, meaning that it’s not just data protection that’s required but proactive monitoring of your organisation’s networks and core systems as well. We don’t need to quote conflicting stats about the number of ransomware or phishing attacks as any search will show a continuous flow of data breaches and hacks, but we do appreciate that there is a challenge both in terms of finding the right technologies to ensure all bases are covered, and also in evaluating overlaps, gaps and redundancies – oh, and trying to fit all these technologies into your ever-decreasing IT budget.
What is the solution?
As you will undoubtedly have seen, there is an ever-increasing number of credible cyber security vendors and service providers offering all kinds of angles and takes on the threat landscape. Cutting across these offerings can be an art form in itself, and one that can be hugely time consuming for an IT department focused on keeping the metaphorical lights on.
At PAV, our goal isn’t to tell you that you need this or that to plug a potential blind spot here or there in your security policy. Instead we’ll work with you to ensure that your brand and workforce are protected from the dangers associated with a breach, no matter how it’s caused or whether it’s an employee trying to do their job, or a malicious malware attack from the other side of the world.
In doing so, we’ll ensure that you meet your legal obligations to protect your data subjects, and provide you with the best fit for your business whether that be in carrying out local backups or taking advantage of cloud-based solutions. We’ll also help you cut across that daunting array of technology providers, and provide friendly and informed advice based on our understanding of your business and our knowledge of the solutions of our rigorously selected technology partners.
IT’s About Time you secured your crown jewels, while ensuring that your users remain motivated and dedicated with the tools they need to work safely and securely anywhere from the bath to an aeroplane, and everywhere in between.