Shadow IT horror stories: the risk of going rogue

7 February 2018 by Mark Williams

As a business owner, you want secure data and happy employees. Having both, however, is harder than it sounds. To secure your data you need to impose restraints, but to make your employees happy you need to embrace flexibility.

To paraphrase Bill Gates, a lazy person will always find the easiest way to complete a job. While your employees might not be lazy, the harder you make it for them to do their job – such as insisting they use slow or difficult software – the more likely they are to resort to rogue or 'shadow' IT. In fact, more than a third of CSOs believe individual users frequently deploy their own applications without consulting their IT department first. 


The risks

Instances of shadow IT are often not malicious. The employee isn’t trying to sabotage the company – they just want to make life easier. But the reality is that shadow IT carries serious risks: by 2020, a third of successful attacks on businesses will be via shadow IT apps and resources (Gartner).

Unknown ownership

A common case of rogue IT is document storage apps. A 2016 survey of IT professionals found that 83 percent of employees use apps like Dropbox and Google Drive to store company data - and 71 percent said they'd been doing so for two or more years!

It's likely that at some point, your employees have used private Dropbox or Google accounts to store company information or saved confidential files to a shared-access drive. If that practice continues, you'll eventually have no idea who has ownership of what. That's what one company, which entered its story in the Rogue IT Horror Story Contest, painfully learned:

‘A company user downloaded a sensitive high IP design document from company's SharePoint site using his mobile device while he was connected to the company's Wi-Fi network. He accidentally copied and stored this sensitive document into a Dropbox location from his mobile device, sharing it with people outside of the company who shouldn't access this document.’

Diminished security

Your security measures, such as antivirus software or firewalls, are in place for good reason. They not only prevent outside attacks but also reduce the chance employees will cause an internal breach. As a result, they can get in the way of an employee looking for a shortcut:

‘We had a new client once who had an employee take it upon himself to edit their firewall and DNS to allow for better performance. As a result of this ‘tweak,’ the entire internal network was given public IP addresses and 100% exposed to the internet,’ says Nick Espinosa, Chief Security Fanatic at BSSi2.

Leaked data

When employees cut corners, they very rarely consider the security consequences that follow. Unwittingly, they can create unexpected access for outsiders looking to steal sensitive company data. First place in the Rogue IT Horror Story Contest went to one company that had such an experience:

‘A new MacBook owner was frustrated by the lack of Wi-Fi in his office and so invested in a wireless router. The router was so simple to set up – it did not require configuration of wireless or security settings! All was fine, until a few days later, the executive noticed his internet was running slower than usual. Thinking it was just his ISP he ignored it, but after a few days with no improvement he called in a security expert to assess the situation. The expert discovered that someone was sitting in on the local network and had captured, “sniffed”, all of the wireless traffic from the portable router – including all the passwords to the company’s accounting and file server, which were being sent to a server in Asia!’

Good intentions gone awry

More than a third of employees who used rogue IT reported immediate and dire consequences. That said, solving the problem of rogue IT will never be easy because humans will always look for shortcuts. 

Your best bet is to engage with employees. Identify their problem with the current software and try to find a solution that works for the majority. Investing in cybersecurity training is also a good move. 

Beyond that, it’s mostly a case of putting your foot down and laying down the law. After all, whether employees mean to cause trouble or not, you can’t afford to ignore the threat of rogue IT.



This article was originally published on 24th August 2016, and has since been updated.
