More employers are allowing workers to “BYOD”—bring your own device—into the workplace. But some downloaded apps, shared between work and personal devices, can cause trouble. Just this month, the popular Evernote app was hacked, requiring a reset of more than 50 million passwords.
The term "shadow IT" refers to the proliferation of solutions and systems downloaded by employees and used in the workplace without the knowledge or support of IT. These apps can be for work or personal use, and can be loaded on PCs, smartphones or tablets connected to corporate networks. PricewaterhouseCoopers' "Digital IQ" survey estimates that among top performing companies, IT controls less than 50 percent of corporate technology expenditures.
“It’s typically cost efficient to allow employees to bring their own devices and use them at work rather than supplying them with expensive devices and contracts,” said Michael Born, VP and account executive, Lockton Global Technology & Private Practice. “But with this loosening of IT control comes the potential for oversight over how these devices can be used. When employees mix personal and business use on a device, there are obviously vulnerabilities, as personal-use apps could bleed over into confidential business on devices.”
Although employers can restrict app downloads on company desktops and issued phones, it’s a different story with personal devices, Born said. And while it’s difficult to point to any particular apps as being especially vulnerable, no app is foolproof, he said. Social media apps are one of the most frequently breached, and entertainment apps are probably not as secure as apps dealing with sensitive data.
Employers are caught between "a rock and a hard place" when it comes to BYOD, said Rick Gilman, president of RGG Communications. Although the practice presents risks, returning to the “Orwellian” approach of all-employer-controlled technology is no longer a viable business model.
“Management needs to first put a reasonable policy in place that, as a compromise, identifies the apps that are approved while trying to be as open as possible,” basing its decision on staff input. Second, “IT needs to build into their strategy and budget enough to deal with occasional breaches as well as enact some sort of education of staff to teach them what to look out for and what things not to do.”
Skyhigh Networks, which helps IT departments discover and control these shadow apps, came up with a list of the top 50 shadow IT apps that employees use at work.
Here are the top 10, in order of how many people use them. And see the last page for tips on how to protect your business from shadow IT issues.
Everybody’s favorite social media platform is a frequent target for hackers—as well as user concerns about Facebook’s own use of their personal information. According to CNN, an Eastern European gang of hackers was responsible for recent attacks on Apple, Facebook and Twitter. Hackers were looking for research, intellectual property and other data they can sell on the underground market.
Many mobile apps are designed to collect information from the user’s device as app developers seek to gain information from users, Born said. This information isn’t always appropriately gained: last year users filed a class action lawsuit in Texas against 19 mobile app developers—including Apple, Facebook, Yelp and LinkedIn—for surreptitiously accessing address books. “Developers may be phishing around in your mobile device without you knowing it,” Born said. “Although it’s a best practice to let you know, they don’t always do that.”
This app, popular for both personal and business document sharing, has been called the “problem child” of cloud security by VentureBeat because of its frequent data breaches of user names and passwords—even after Dropbox executives said the problem was solved.
Today’s mobile devices like smart phones and tablets have incredible storage power compared with 10 years ago, Born said. But this same capacity, which makes them valuable tools, also renders them more vulnerable to security breaches.
The ubiquitous Gmail was part of a massive data breach in July 2012, when more than 450,000 email addresses and passwords were compromised through Yahoo. The hack also affected Hotmail and AOL accounts.
App developers can search through a smartphone, tablet or mobile device when an app is downloaded and used, Born said. This practice makes it easier for hackers to access devices, but even if they don’t, simply downloading an app means the app has already gotten past the mobile device’s security password and firewall requirements because the user has agreed to installation and use. “If a hacker can access that app through a security vulnerability in programming or software, they’re now inside your device and can fish around in other areas,” he said.
In a big-name breach last August, a malicious hacker gained access to Wired reporter Mat Honan’s iCloud account and used it to remote-wipe all of his devices, including his iPhone, iPad and MacBook Air. Honan posited that the breach occurred when the hacker scammed Apple’s tech support to access his password.
Although most users are wise to generic phishing tricks, “spear phishing” attacks—scams designed specifically for the person receiving the message—can often trick the unwary into clicking malicious links, Born said. For example, if you have the SoundHound music recognition phone app, crooks can customize a phishing message based on your personal information and preferences and entice you into unwittingly clicking a malicious link.
A highly publicized 2012 breach of the popular professional social media platform resulted in a $5 million class action lawsuit (since dismissed) and a LinkedIn corporate loss of as much as $1 million to add security layers to the site.
Disqus is an online discussion and commenting service.
Using a social networking page or app in connection with a business device or operations in general can lead to accidental or intentional disclosures—such as an employee posting a business-related comment on a social networking site and violating the employer’s confidentiality agreement, Born said. This is especially tempting to do on the fly with a mobile device.
The customer relationship management (CRM) sales and marketing tool reported data breaches linked to phishing scams in 2007 and 2012.
“Mobile devices are here to stay; soon we will do everything with a mobile device, from paying at stores to paying bills,” Born said. “It’s not something we can resist. We must embrace it but must also understand the risks and exposures that come with it, and apply insurance solutions when necessary to help transfer that risk.”
Amazon Web Services
Amazon Web Services (AWS), a major user of cloud data storage, has suffered huge data breach hits, including a Zappos hack that affected 24 million users.
Mobile is here to stay, and current and future employees will demand job flexibility, Gilman said. “Job loyalty among Generation Z is less about money than it is about workplace environment, corporate culture, community responsibility, all the ‘soft stuff.’”
Hotmail was part of a massive data breach in July 2012, when more than 400,000 email addresses and passwords were compromised through Yahoo. The hack also affected Gmail and AOL accounts.
Box, a mobile app that allows remote file viewing and sharing, is subject to the same types of vulnerabilities as other file sharing apps.
Given the vulnerabilities inherent in mobile apps, what can employers do to protect themselves against data breaches? See the next page for suggestions.
Lockton’s Born recommends employers take the following steps to protect themselves against “shadow IT” threats:
- Assess the risk. If the employer handles a lot of sensitive information, such as financial or healthcare data, management must weigh the risks and benefits of allowing employees to use personal devices for work.
- Restrict the use. Even if employees are permitted to use personal devices for work, employers can restrict the information they can put onto those devices, such as more sensitive files.
- Encrypt when needed. If employees are sending and receiving company email on their personal devices, employers can require that the emails be encrypted. However, policing compliance can be a challenge.
- Educate everyone. Educating employees on the risks of BYOD is one of the most important things employers can do. Make it clear that if an employee receives an email or notice that an app on their personal device may have a security vulnerability, they should download the patch, delete the app from the phone, and contact IT.