How to stop a 'Hillary' in your organisation
Stacy Leidwinger looks at the Hillary Clinton email scandal and how companies can avoid the potential security risk of staff using shadow IT.
Stacy Leidwinger, VP of products, RES
It has been widely reported that Hillary Clinton has a penchant for using her personal email address for work-related purposes. However, the security vulnerabilities exposed by this practice are the most worrying element, especially when it is known that hackers routinely targeted Hillary's at-home servers, potentially exposing “top secret information.”
For companies, this should set alarm bells ringing. If the former secretary of state and potential president can be haphazard enough to overlook cyber-security and be the subject of a hack, then it could very well be happening within millions of offices globally.
It is not just about emails. What Hillary was practising is ‘Shadow IT’, whereby an employee installs, adopts or uses an IT solution or service that has not been approved by an organisation because it is perceived to be easier, quicker or more suited to their needs.
As more employees use unapproved and unchecked services, the IT shadow extends, introducing new security vulnerabilities by reducing IT's visibility into where and how corporate data is used and exposed. With this in mind, how can companies prevent instances such as Hillary's from making their business vulnerable to attack?
Firstly, organisations need to acknowledge that in the age of mobile working, employees are constantly seeking technology to improve their working lives. If businesses are not providing the best IT solutions, then workers will find an alternative, regardless of whether or not it is approved. After all, how many of your colleagues are using Dropbox or other unauthorised cloud technologies for storage and document sharing?
Companies need to empower their workspaces and their employees. Organisations that embrace the digital age – by offering workers the right access to apps, services and devices based on their context and needs – are less likely to experience IT shadows. Once this is in place, it's important to implement safety controls to secure the working environment. This means enabling workers with a level of digital freedom but doing so in an environment where apps and services are approved, secured and under the jurisdiction of the IT department.
Despite the fact that technology is prevalent in our everyday lives, the majority of employees are still cyber-security novices and often do not understand the potential consequences of their actions. To ensure employees are working within a safe environment, it's imperative that companies create a secure digital workspace.
There are several ways to achieve this. First, limit employees to accessing only approved apps and websites that have been vetted as secure. This can be done through specific capabilities such as application and website whitelisting. Companies should also be adding context-aware controls so secure apps can only be accessed from secure locations. Finally, it is also important to think about the employee lifecycle. Once an employee has left, all access must be revoked immediately.
The next step is providing greater visibility through usage governance practices. Hillary's situation could have been avoided had the IT department had better visibility into what outside websites she was visiting and whether her usage of corporate email systems was on target or not. By monitoring whether individuals are irregularly using, for example, their work email addresses, organisations can identify potential vulnerabilities more quickly.
Learning from the mistakes of Hillary's campaign, companies should look to create a seamless way of tracking the use of apps, services and systems. Then, any rogue behaviour can be spotted sooner rather than later and resolved.
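One way to get the visibility described above, shown as an added example that is not part of the original article: a short Python script that compares web proxy records against an approved-service allowlist and reports which unsanctioned services staff use and how much data they upload to each. The log format, user names and allowlist are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical allowlist of IT-approved service domains (assumption).
SANCTIONED = {"corp.example", "approved-crm.example"}

# Constructed proxy log lines: timestamp user host bytes_uploaded
SAMPLE_LOG = """\
2016-03-01T09:02:11Z alice mail.corp.example 5120
2016-03-01T09:05:40Z alice www.dropbox.com 48211034
2016-03-01T09:07:02Z bob approved-crm.example 900
2016-03-01T09:09:15Z bob webmail.personal.example 120455
2016-03-01T09:12:30Z carol www.dropbox.com 2048
2016-03-01T09:13:00Z carol notcorp.example 77
malformed line without enough fields
2016-03-01T09:20:00Z bob WEBMAIL.personal.example. 3300
"""

def is_sanctioned(host, sanctioned=SANCTIONED):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on label boundaries so "notcorp.example" does not pass as "corp.example".
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def find_shadow_it(log_text, sanctioned=SANCTIONED):
    """Summarise traffic to unsanctioned hosts: users, request count, bytes uploaded."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than crash the report
        _ts, user, host, bytes_out = parts
        if is_sanctioned(host, sanctioned):
            continue
        entry = report[host.lower().rstrip(".")]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_out"] += int(bytes_out)
    return dict(report)

def rank_by_upload(report):
    """Hosts ordered by bytes uploaded, largest first: where corporate data is going."""
    return sorted(report, key=lambda h: report[h]["bytes_out"], reverse=True)

if __name__ == "__main__":
    rep = find_shadow_it(SAMPLE_LOG)
    for host in rank_by_upload(rep):
        e = rep[host]
        print(host, sorted(e["users"]), e["requests"], e["bytes_out"])
```

Ranking by upload volume puts the services holding the most corporate data at the top, which is where an approved alternative or a self-service request route is most needed.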
Furthermore, when it comes to Shadow IT, automation is key. Individuals should have access automatically granted based on their roles, their identity and their context. By delivering the right apps and services, at the right time based on a user's identity, organisations can make sure that individuals are less likely to seek alternatives. Automation also brings standardisation and compliance in the way access is granted and revoked.
Lastly, organisations should provide self-service capabilities. The process of requesting an app through IT is often considered long-winded and cumbersome, but self-service can resolve this. By providing a single location where workers can request access to apps and services that can then be automatically delivered, employees are less likely to adopt a DIY ideology, and IT will have a clearer overview of their security status.
So what is the secret sauce to curing IT shadows? Simply put, it is a combination of security, automation and self-service. Together the balance gives employees what they need to be productive in a secure way and handles exceptions through self-service. If this recipe doesn't exist, then IT shadowing will spread, and once this happens it is extremely difficult to rewind the clock and keep IT under control.
Contributed by Stacy Leidwinger, VP of products, RES