Protecting Sensitive Information in a World of Shadow IT

Jeremy Wittkop, CTO

12.11.2019

Pop Quiz:

When your employees need a particular software application to meet a critical work deadline, what are they most likely to do?

  1. Contact IT for authorization, then get on the admin’s schedule to have the software properly installed and configured for data security.
  2. Download the handiest free app and keep working.

You already know the answer, don’t you?

It’s not surprising to any information security professional that users routinely work around IT processes when it’s convenient to do so. It might be surprising to learn just how much that activity impacts your business.

According to the Symantec 2019 Cloud Security Threat Report, most organizations think they use about 452 unique cloud applications. In reality, that number is 1,807. That means the majority of cloud services in a business are not known to IT—creating significant risk.

The gap between known and unknown applications and services is growing, and security complexity is outpacing the security capabilities of most organizations.


Cloud Services Complicate Data Security – and Increase Data Risk

Some of the cloud services in use are legitimate. The cloud offers businesses economies of scale and cost-effectively streamlines and simplifies operations. However, more organizations are storing, using, and sharing their most sensitive information in cloud applications. The SANS 2019 Cloud Security Survey reports that more than 75% of surveyed organizations use cloud-based business and analytics applications, and nearly half of companies use cloud resources extensively for storing and archiving data including intellectual property, personal customer information, and employee records.

Symantec’s research shines a light on the level of risk associated with this extensive and often unmonitored use of cloud applications and services. The 2019 survey reveals:

  • 64% of cloud security incidents happen when attackers find a convenient open door (unauthorized access) that allows them free movement in company systems.
  • The third most common threat to cloud infrastructure is accidental exposure by trusted insiders.
  • 68% of all organizations have evidence that data stolen from them was for sale on the Dark Web.

IT and information security resources are often already strained as they work to maintain data security for known and authorized cloud services. How can they keep up with the avalanche of threats generated by shadow IT?


The Complexity of Data Protection: We’re Not Inside the Perimeter Anymore

Traditional information security strategies focus most of an organization’s attention, resources, and budget on firewalls and network protection in an effort to prevent attackers from getting inside the “perimeter”—an imaginary wall around the organization and its data.

However, neither users nor malicious actors recognize that perimeter anymore. Although protecting your network is still highly important, attackers can find avenues to access sensitive information and intellectual property through personal devices, Internet of Things (IoT) devices and equipment, cloud-based software, unapproved applications, and even decommissioned software and equipment.

But how can your teams secure applications they don’t even know they have? Simple: They can’t.


Five Steps to Reining in Shadow IT

If your organization is just starting to address the problem of shadow IT—or if you’ve been trying to deal with it unsuccessfully—your teams may be overwhelmed by the complexity they discover. However, even though the problem may seem to have a life of its own, you can address it in a systematic way—and find avenues to effectively protect your data while still empowering your users.

1. Start with discovery

A detailed security assessment can get you started by providing information and insights about how employees and other users are working in the cloud, what applications they are using, and how they work with and share data. Look for services that include a thorough assessment of your:

  • Internal, external, and cloud infrastructure
  • Desktop, web, and mobile applications
  • Web services
  • Device and software configurations
  • User endpoint and server builds
  • Cloud services configuration

2. Identify your critical data assets

Critical data assets are more than just data protected by security regulations. Think about the kind of sensitive information that would cause your business substantial or irreparable harm if it was lost, stolen, or compromised, including:

Trade Secrets:

  • Product formulas
  • Designs and innovations
  • Pricing strategies
  • Manufacturing plans
  • Client information
  • Research and development information

Compliance Data:

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Payment Information

3. Establish a granular data protection program with comprehensive policies

Once you have established what data to protect, you can set up a program that marries process and policy.

  • Process will define what business outcomes the organization needs in the event of a security violation.
  • Policies will ensure those needs are met.

Policies are essentially rules that automate how data can be used, stored, and transmitted. Those automated policies can be fine-tuned and adjusted over time to find an optimal balance between your data protection and business operation needs.

4. Choose the right tools

Ensure that the data security technologies you select are suited for the level of complexity in your working environment. A vendor-agnostic review of your existing tools and other available technologies—performed by a knowledgeable professional services provider—will ensure you have the means to put the proper security controls in place to protect your company’s most critical data assets.

5. Monitor and educate users

Look to technology solutions such as User and Entity Behavior Analytics (UEBA) to monitor user behavior and quickly identify user errors and anomalous actions that indicate a risk or threat. And make employee and user education a priority. Users can be a weak link—or they can be a strong ally in an effective data protection program.
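As an added illustration of steps 1 and 5 (example code written for this article, not InteliSecure's or the author's own tooling), the script below inventories cloud services seen in web proxy logs against a sanctioned-application list, counts the users of each unsanctioned service, and flags those with large upload volumes as data egress risks. The log format, the sanctioned inventory, the cloud catalogue and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real data): timestamp user method host bytes_out
PROXY_LOG = """\
2019-12-11T09:01:02 alice POST files.corp-approved-storage.example 2048000
2019-12-11T09:03:10 alice GET news.example 12000
2019-12-11T09:05:44 bob POST upload.unsanctioned-share.example 5400000
2019-12-11T09:06:01 carol POST upload.unsanctioned-share.example 128000
2019-12-11T09:07:30 dave GET api.unsanctioned-notes.example 4000
2019-12-11T09:09:12 erin POST files.corp-approved-storage.example 90000
2019-12-11T09:11:45 bob POST api.unsanctioned-notes.example 3500000
"""

# Assumed catalogue of known cloud services: hostname suffix -> application name.
# Hosts that match nothing here are treated as ordinary browsing and skipped.
CLOUD_CATALOGUE = {
    "corp-approved-storage.example": "Approved Storage",
    "unsanctioned-share.example": "Unsanctioned File Share",
    "unsanctioned-notes.example": "Unsanctioned Notes App",
}
# Assumed IT-approved inventory (the "known" applications from discovery step 1).
SANCTIONED = {"corp-approved-storage.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

def classify_host(host):
    """Map a hostname to (app name, is_sanctioned); (None, None) if not a catalogued cloud service."""
    for suffix, app in CLOUD_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app, suffix in SANCTIONED
    return None, None

def discover(log_text, upload_threshold=1_000_000):
    """Return unsanctioned cloud services with user counts and upload bytes, largest egress first."""
    stats = defaultdict(lambda: {"users": set(), "bytes_out": 0, "sanctioned": True})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unexpected line; skip rather than guess
        _ts, user, method, host, nbytes = m.groups()
        app, sanctioned = classify_host(host)
        if app is None:
            continue
        s = stats[app]
        s["users"].add(user)
        s["sanctioned"] = sanctioned
        if method in ("POST", "PUT"):  # only outbound transfers count as potential data egress
            s["bytes_out"] += int(nbytes)
    findings = [{"app": app, "users": len(s["users"]), "bytes_out": s["bytes_out"],
                 "egress_risk": s["bytes_out"] >= upload_threshold}
                for app, s in stats.items() if not s["sanctioned"]]
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)
```

In practice the catalogue and sanctioned inventory would come from a CASB or secure web gateway feed rather than being hard-coded.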


Keep Data Protection Effective: Tap into Experience

Remember that you don’t have to accomplish these steps alone. An experienced managed data protection services provider has the depth and breadth of knowledge to provide security guidance, strategy, and implementation—and help ensure your organization understands who is using sensitive information, how it moves, and where it’s at risk.

Cloud-based software and services enable convenient, efficient, and cost-effective business operations. You can embrace them—with the right data protection program in place.


How Is Your Data Security Posture?

The data protection experts at InteliSecure are ready to help you understand your data security posture, evaluate potential risks, and determine the right steps to establish an effective managed data protection program. Contact us for a no-risk security assessment.