A note to CEOs: Shadow IT is not someone else’s problem

Trends like bring your own device (BYOD) and bring your own app (BYOA) – or shadow IT as some industry observers call it - are fast spreading throughout the workplace.

On the whole, they are welcomed by the enterprise for the additional flexibility and productivity benefits they bring.  After all, letting employees use their own phones and apps for work tasks saves time and investment on new IT, right?

But there’s a catch.

Alongside the benefits, shadow IT is also allowing fresh vulnerabilities into the enterprise; and a whitepaper just published has a stark warning for any CEOs who may think shadow IT is not their problem.

Professor Alan Woodward, a leading cybersecurity expert at Surrey University, U.K., and co-author of a new report Hacker-nomics: Introducing the Dark Web says company bosses often have too lax an attitude when it comes to their own behavior and devices. They’re often the “worst culprits”, he says.

“I’ve heard many CEOs complain that they have to have a six-digit PIN or that their phone is auto-wiped because they entered the wrong code three times,” says Woodward. “They particularly hate being locked out of their phone after a short period of inactivity.”

Too many CEOs believe in one rule for them and another for everyone else.

They are only too conscious of the threat from malware being brought into the business on a personal device, or company data being lost an employee’s private phone or laptop. But by opting out of the security procedures and protocols prescribed for the rest of the staff they risk being fooled by phishing scams, dodgy links or malware attachments themselves.

It’s odd because if they were to get caught out they would have a lot more to lose than everyone else.

The point is that unless CEOs take a personal interest in BYOD and BYOA security then, far from saving money, they could actually end up being very costly indeed.

Woodward agrees. “We have seen so many problems with apps being infiltrated with malware that it is tantamount to throwing away all of your perimeter security”

“Nevertheless,” Woodward adds, “for some decision-makers having an integrated security platform for mobile devices will seem like an unnecessary expense.  Yet, as phishing campaigns like Gooligan show, cybercriminals are increasingly targeting mobile devices as the weakest link in commercial defenses.”

One of the most successful digital scams of recent times is the business email compromise (BEC) and it’s coming to mobile. BEC is when an email, typically from the CEO, is received by someone in the finance team asking for an urgent transfer of funds. As the instruction has come from the top, the diligent employee gets it done straight away. The only problem is it’s a fake.

As soon as the money is transferred, it’s moved on and the initial beneficiary account closed down.

In recent months the number of victims of CEO phishing fraud has reached epidemic proportions. The FBI has stated that fake CEO scams now account for crime worth $3.1bn with more than 20,000 reported cases in three years.

This serves to highlight just how broken email is as a business communication channel. Now, hackers want to compromise shadow IT collaboration and messaging apps in the same way.

Numerous scams have already occurred on popular consumer apps like WhatsApp and Facebook Messenger. Some scams use fake links while others hide in image files to install ransomware on a mobile device. From there it’s a short step to finding its way in to the corporate network. 

Consumer group messaging and chat apps have no place in the enterprise. Their settings are basic and in the hands of the everyday user rather than IT professionals. Furthermore, there is no way of knowing if other users are trustworthy and no control over where messages are stored.

Don’t let shadow IT undo all your cybersecurity efforts. Make sure you take back control of group collaboration and messaging before it’s too late. Move to a centrally managed platform that has enterprise-class security built-in.

Like it or not, shadow IT is as much the CEO’s problem as anyone else’s.

Related Stories

Leave a comment

Alternatively

This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.