  • Your safety guide to Cloud Shadow IT!

    By Vincent Naughton on August 15, 2017

      How to turn the potential threat of Shadow IT into an advantage?
      In our webinar we looked at the hidden threat at the heart of many Irish organisations: shadow IT, i.e. the use of software or systems that are not authorised by the IT department. The growth in cloud services has made it extremely easy for users to access unauthorised programs, and as a result Cloud Shadow IT now poses a significant threat to Irish organisations. Companies need to decide how best to deal with shadow IT trends in their organisation, but the best option might not necessarily be to clamp down on users.
      When it comes to dealing with the threat of shadow IT, it’s important to first understand the reasons behind its spread. In the majority of cases it stems not from malicious intent, but rather from employees aiming to be proactive and implementing software that they feel will benefit their organisation. The proliferation of cloud services has made it easier than ever for users to implement unauthorised apps, as they typically only require a browser rather than any installation of programs on local devices. However, in doing this, many employees unintentionally turn to unauthorised programs while attempting to fill a perceived gap in their existing software suite.
      Security awareness training is crucial
      When deciding on the correct approach to tackling shadow IT, companies need to bear this in mind and create a culture of acceptance and protection rather than one of detection and punishment.
      Employee education is central to developing such a culture. Providing your employees with security awareness training that gives them an overview of the reasons for the existence of particular security processes can help them to appreciate the necessity of adhering to company policies.
      Identifying unauthorised apps
      As well as ensuring that your team is aware of the inherent risk associated with cloud shadow IT, it’s also important to make certain that you have oversight of the apps that are being accessed on your network. Utilising a tool such as Microsoft Cloud App Security (CAS) can give you the visibility and control that you require.
      CAS allows you to collect information from firewalls and proxies and identify exactly which apps are in use from your network. This can help you to assess risk, and also identify which users are utilising apps that fall outside company policy.
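
The kind of log-based discovery described above, as an added example that is not part of the original post and not Microsoft Cloud App Security's own implementation: it aggregates proxy records per unsanctioned app and per user. The log format, app catalogue and `.example` domain names are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical catalogue: domain suffix -> (app name, sanctioned by IT?)
CATALOGUE = {
    "mail.corp.example": ("Corporate Mail", True),
    "filedrop.example": ("FileDrop", False),
    "quicknotes.example": ("QuickNotes", False),
}

# Constructed proxy log: timestamp user method host[:port] bytes_uploaded
SAMPLE_LOG = """\
2017-08-01T09:00:02Z alice CONNECT mail.corp.example:443 5120
2017-08-01T09:01:10Z bob CONNECT api.filedrop.example:443 20971520
2017-08-01T09:02:31Z carol CONNECT FileDrop.example:443 1048576
2017-08-01T09:03:00Z bob CONNECT notfiledrop.example:443 4096
2017-08-01T09:04:45Z dave CONNECT quicknotes.example:443 2048
2017-08-01T09:04:50Z erin CONNECT
2017-08-01T09:05:12Z bob CONNECT api.filedrop.example:443 1024
"""

def match_app(host):
    """Match a host against the catalogue on whole-label suffixes only."""
    host = host.lower().rsplit(":", 1)[0].rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        entry = CATALOGUE.get(".".join(labels[i:]))
        if entry:
            return entry
    return None  # destination not in the catalogue

def discover_unsanctioned(log_text):
    """Return {app: {"users": set, "requests": int, "bytes_out": int}}."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records rather than guess
        _, user, _, host, sent = fields
        entry = match_app(host)
        if entry is None or entry[1]:
            continue  # uncatalogued destination or sanctioned app
        app = report[entry[0]]
        app["users"].add(user)
        app["requests"] += 1
        app["bytes_out"] += int(sent)
    return dict(report)

if __name__ == "__main__":
    for name, stats in sorted(discover_unsanctioned(SAMPLE_LOG).items()):
        print(name, sorted(stats["users"]), stats["requests"], stats["bytes_out"])
```

The per-app user list is the input to the conversation the next paragraph recommends; the upload volume helps rank which apps to look at first.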
      Having identified individual users who are using cloud apps without the authorisation of the IT department, it is a good idea to ask them to outline their reasons for doing so, in order to establish whether there is a genuine need for such an app. If it transpires that providing employees with access to a particular app would be likely to increase productivity or have an otherwise positive effect on the company, then it might be worth reassessing current policies and investigating the possibility of integrating this app into your overall software suite. Doing this will help you to ensure that these programs are contained within your security infrastructure, rather than existing outside it in a position that could leave your network open to vulnerabilities.
      When first on-boarding CAS, it’s a good idea to take a phased approach, utilising the tool as a proof of concept to increase visibility over the network and justify an ongoing governance and compliance strategy.
      ISO 27001 and GDPR
      The General Data Protection Regulation (GDPR), which comes into force in May 2018, will require organisations to know precisely where their data is stored. The unauthorised use of cloud storage solutions could result in organisations being unable to track exactly where their data flows, leading to them being considered non-compliant. This could leave companies open to fines of €20M or 4% of global turnover, whichever is greater. This highlights the need for Irish organisations to tackle shadow IT tendencies sooner rather than later.
      Using solutions like CAS can be a powerful and effective way of uncovering the movement of data from your network to cloud services. Following the initial discovery, organisations should continue to use CAS to perform their due diligence, to regain control over their data flows and ensure ongoing governance and information protection.
      A good approach to ensuring GDPR compliance is to employ an overarching framework such as ISO 27001 to ensure information security best practices are in place from an early stage. Striving to adhere to a standard such as ISO 27001 will help you to uncover and effectively deal with shadow IT practices that exist in your organisation.
      Acting now and taking the right approach can not only help you to identify software that may benefit your organisation, but also help you to take the initial steps towards GDPR compliance.
      Ward Solutions can help companies to tackle cloud shadow IT practices, using Microsoft Cloud App Security to regain control of the software being used from their networks. Ward’s expert team also provides comprehensive consultancy to help Irish organisations become ISO 27001 and GDPR compliant. E-mail cloud@ward.ie to find out how we can help you.