Company sponsored shadow IT – “(BYO) USB stick to share company data”
For years we have been discussing shadow IT as something we need to fight against and find solutions to prevent. Shadow IT is what happens when IT is not able to offer a solution. Users will find ways to get things done, just as water finds its way into the ground. The risk with shadow IT is that it doesn't honour the security rules. We educate our customers that they need to have Enterprise solutions in place for the use cases that are subject to shadow IT. If I look at Enterprise File Sharing solutions I notice that the USB data stick is on the rise again. It's a bold statement, I know, but I'm going to say it anyway: "Companies sponsor shadow IT if they decide to allow USB sticks instead of an Enterprise File Sharing Solution (EFSS)". The end user is not to blame here; they need a solution to share data. They turn to IT for this and expect an easy-to-use solution. IT should provide the easy-to-use solution and make sure it is safe to use. It is concerning that I see a different movement in the market: the easy way out.
Penny wise, pound foolish
There is a saying in English, "Penny wise, pound foolish", and I think that in this scenario it is more true than ever. It might look like a valid solution to offer the use of USB sticks, secured or not, for data transfer. That might be acceptable when the data is personal data, but one could debate whether personal data should be made available on a company network at all; I would vote against that. So if we rule out personal data usage there is only one other kind: company data. Company data has different classifications (e.g. what is shareable and what surely is not) and you do not want your data in the hands of people who shouldn't have access to it.
In today's world there are many threats, and data theft and data hijacking are becoming more and more common. Data and identity theft are the biggest threats I see in the next decade. Companies are forced to pay ransom if they want to regain access to their data when they are infected with ransomware. Ransomware is becoming more advanced, and everyone who has had the pleasure of attending a session by Mikko Hypponen or Lovissa Bonnevier knows that data theft or being subject to ransomware should not be taken lightly.
One thing that is forgotten at that moment is that the company, and not the user, will be held accountable. The company is responsible for securing the data, and with the new GDPR (General Data Protection Regulation) coming into force in 2018, even more so. I'm not a GDPR expert so I leave the impact of GDPR to the experts. What I know about it is that you need to make sure you know what to do with your data, who has access to it and how you will react when a breach is detected. In my point of view the USB stick is itself a breach: you can't say you have control when you allow those to be used. But that is just my point of view.
In 2016 over 100,000 reports of USB leaks were known. In The Netherlands, where I'm from, we have a law that deals with data leakage, the Data leakage law. Companies need to report data leakage within 72 hours of discovery. There are high fines when they don't report, but you can only report a leakage when you know one has happened. With USB sticks that sounds easy: when someone loses a stick and tells you, you can report it. The issue is that your users need to tell you they lost it. Most users will not even know they lost something for days, and will think it was not important enough to tell you, so how can you report it?
Security breaches are normally not found within 72 hours; as market research has shown, it can take 200+ days before they are discovered. 200 days is a massive time frame: who knows where your data has been sold by then and who has used your knowledge. But those 200 days are about data breaches in your network, and you can protect against those to make it harder for criminals to get access to the data on your network. If, however, you allow users to copy company data to USB sticks, you lose all control of that data. That data is not lost or stolen; it is on the move, approved by you, and you can only hope that the person with the stick in their pocket is taking good care of it.
Solution or shadow IT?
Not having a decent Enterprise File Sharing solution is offering a shadow IT option to your end users. It is telling your users that they are in control of your data: "don't lose the stick, it has precious data on it". Like you were told by your parents when walking with a glass of soda: hold it still, don't spill it.
Having company data in your possession is more than walking with a glass of water; you would expect an Enterprise-class File Sharing solution, one that can tell you:
- Who is the owner of the data
- Who has access to the data
- Who is accessing the data right now
- Who can edit the data
- When access to the data will be closed
- and so on
Control of your data is key. You need to make sure there is a management solution to control access to data, meaning that users will need to use something (an app or a site) to access data, just to make sure it's managed. Of course your users will tell you they can't work like that. They will say, as they also said with two-factor authentication once, that it is a burden to work like this. Sure, it is a bit more work and you have to perform extra (manual) task(s) to use it, but security comes at a cost. The solutions out there are not that hard to use; it just takes a little experience to get used to them. The excuse of having to enter extra authentication details or having to open an app to access data is not a valid reason. Data is a target for criminals these days, data and your identity, so we had better make sure we have an Enterprise-class File Sharing Solution (EFSS) implemented to prevent a leak.
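To make the list above concrete, here is a small managed-share access broker in Python. It is an added example, not code from the original post or from any EFSS product: every name in it (ShareBroker, Grant, the file and user names) is invented for illustration. It shows the difference between a stick you hand over and a managed channel: every open and write goes through the broker, grants carry an expiry, only the owner can share onward, and the broker can answer the five questions from the list at any moment while logging each decision.

```python
"""Managed-share access broker (hypothetical model, added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set


@dataclass
class Grant:
    can_edit: bool
    expires_at: datetime   # access closes automatically at this instant


@dataclass
class SharedFile:
    name: str
    owner: str
    grants: Dict[str, Grant] = field(default_factory=dict)


class ShareBroker:
    """All reads and writes pass through the broker, so owner, who has access,
    who is accessing now, who can edit and when access closes are always known."""

    def __init__(self) -> None:
        self.files: Dict[str, SharedFile] = {}
        self.active: Dict[str, Set[str]] = {}   # file -> users with an open session
        self.audit = []                           # (when, user, file, action, allowed)

    def _log(self, now, user, name, action, allowed):
        self.audit.append((now, user, name, action, allowed))
        return allowed

    def _grant_for(self, name, user, now) -> Optional[Grant]:
        """The user's live grant, or None if absent or expired."""
        f = self.files[name]
        if user == f.owner:  # the owner never loses access to their own data
            return Grant(True, datetime.max.replace(tzinfo=timezone.utc))
        g = f.grants.get(user)
        return g if g is not None and now < g.expires_at else None

    def _sweep(self, name, now):
        """Close sessions whose grant has expired (access is closed on time)."""
        self.active[name] = {u for u in self.active[name] if self._grant_for(name, u, now)}

    def create(self, name, owner, now):
        self.files[name] = SharedFile(name, owner)
        self.active[name] = set()
        self._log(now, owner, name, "create", True)

    def grant(self, actor, name, user, can_edit, days, now) -> bool:
        f = self.files[name]
        if actor != f.owner:  # only the owner may hand out access; no onward sharing
            return self._log(now, actor, name, f"grant:{user}", False)
        f.grants[user] = Grant(can_edit, now + timedelta(days=days))
        return self._log(now, actor, name, f"grant:{user}", True)

    def open(self, user, name, now) -> bool:
        self._sweep(name, now)
        ok = self._grant_for(name, user, now) is not None
        if ok:
            self.active[name].add(user)
        return self._log(now, user, name, "open", ok)

    def write(self, user, name, now) -> bool:
        self._sweep(name, now)
        g = self._grant_for(name, user, now)
        ok = g is not None and g.can_edit and user in self.active[name]
        return self._log(now, user, name, "write", ok)

    def report(self, name, now) -> dict:
        """Answer the five questions from the post for one file."""
        self._sweep(name, now)
        f = self.files[name]
        live = {u: g for u, g in f.grants.items() if now < g.expires_at}
        return {
            "owner": f.owner,
            "has_access": sorted(live),
            "accessing_now": sorted(self.active[name]),
            "can_edit": sorted(u for u, g in live.items() if g.can_edit),
            "access_closes": {u: g.expires_at.isoformat() for u, g in live.items()},
        }


def demo() -> dict:
    """Constructed scenario: a read-only and an edit grant, one attempt to
    share onward by a non-owner, and a check two days later after one expiry."""
    t0 = datetime(2017, 1, 1, 9, 0, tzinfo=timezone.utc)
    doc = "q4-forecast.xlsx"
    b = ShareBroker()
    b.create(doc, "owner@corp", t0)
    b.grant("owner@corp", doc, "alice@corp", False, 7, t0)    # read-only for a week
    b.grant("owner@corp", doc, "bob@corp", True, 1, t0)       # editor for one day
    b.grant("alice@corp", doc, "mallory@corp", True, 30, t0)  # denied: alice is not the owner
    r = {
        "alice_open": b.open("alice@corp", doc, t0),          # True
        "alice_write": b.write("alice@corp", doc, t0),        # False: read-only
        "bob_write_now": b.write("bob@corp", doc, t0),        # False: no open session yet
        "bob_open": b.open("bob@corp", doc, t0),              # True
        "bob_write": b.write("bob@corp", doc, t0),            # True
        "mallory_open": b.open("mallory@corp", doc, t0),      # False: never granted
    }
    t1 = t0 + timedelta(days=2)
    r["bob_write_later"] = b.write("bob@corp", doc, t1)       # False: grant expired
    r["report"] = b.report(doc, t1)
    r["denied"] = sum(1 for e in b.audit if not e[4])         # 5 denied actions logged
    return r
```

The point of the model is the audit log and the report: with a stick, none of the five questions can be answered after the data leaves the building, whereas here every decision, including the denied ones, is recorded and access closes by itself when a grant expires.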
There are several Enterprise File Sharing solutions on the market; some I will mention right here:
- Citrix ShareFile
- Microsoft OneDrive for Business
- VMware AirWatch SCL
- Google Drive
These are just a few; there are more products on the market, and depending on your functional requirements you will find one that fits. This blog is not about finding the best EFSS solution, that would be a white paper. This blog is about the fact that, despite there being some good products on the market, companies choose to allow USB sticks to be used. Perhaps the new laws coming up will change this. With GDPR coming in May 2018 companies need to act; they will get fined if they are not compliant. GDPR and our Dutch Data law are pretty strict, so companies have 400+ days to make sure they are ready. File sharing is just one of the topics that needs attention; there is more. I'm not a GDPR expert myself, but if you haven't yet, it would be a good idea to read some documents on this.
One last word about this…
Make sure you are in control of your data and stop sponsoring this shadow IT offering; there are solutions out there that can offer the functionality securely. If you have a chance, go and see Mikko and Lovissa and hear about the threats and GDPR. It's here and it's staying, so be prepared.
One tip I got from Lovissa's session is that instead of doing checkbox compliance you had better implement a security policy, as that will fill the checkboxes and will result in a real solution. Her observation was that companies do what they do most: "we need to comply, so get the checkboxes checked". The idea of the regulation is that you have a policy around data, not that you learned how to write 10 lines to comply with a checkbox.