CIO

Don’t underestimate shadow IT in your organisation

Provide alternatives and explain to users the security implications of the practice, says John-Paul Sikking of Cisco

The information security chief of one of New Zealand’s largest organisations estimated that staff used around 600 to 800 cloud services. But after a full audit, the number was over 1800.

John-Paul Sikking, security lead for Cisco NZ, uses this example to emphasise how ICT departments can underestimate the extent of ‘shadow IT’ in their organisation.

The term refers to IT services that are implemented without the knowledge or sanction of the ICT department.

He says most of the users of these cloud-based services have no malicious intent. “They are just trying to get IT in a simple way,” says Sikking, who spoke at the recent CodeBlue Connect lunch in Auckland.

Some examples are people forwarding office email to Gmail so they can access it while travelling, or “throwing things” or sharing files using Dropbox.

“The key thing is try to understand as an organisation, what your level of exposure is to these cloud based services,” says Sikking.

He says there are tools now to do this. An example is Elastica, which can audit the company’s exposure to cloud providers, and put controls in place.

Cisco’s approach is to provide alternatives. For sharing files, they use Box, which has a lot more security controls around it, says Sikking.

“The technology is there,” he says. “It is now just a matter of saying, is this a concern? If yes, let us put a strategy or policy on how we are going to do that, and employ the technology to do that.”

His presentation likewise focused on the need to educate users on the cybersecurity implications of their actions.

“We are getting more lax as users,” he contends.

He says one survey shows 23 per cent of recipients now open phishing messages and 11 per cent click on the attachments. “Users are becoming complicit and aiding attackers.”

As he points out, online criminals rely on users to install malware or help exploit security gaps.

Users’ careless behaviour when using the Internet, combined with targeted campaigns by adversaries, places many industry verticals at higher risk of web malware exposure, he says, citing the findings of Cisco’s 2015 Security Report.

He says malware creators are using web browser add-ons as a medium for distributing malware and unwanted applications. This approach is succeeding because many users inherently trust add-ons or view them as benign.

Education is important, he states. “If a user is stopped from going into a site, explain why.”

Send news tips and comments to divina_paredes@idg.co.nz

Follow Divina Paredes on Twitter: @divinap
