Adam Pilton at CyberSmart explains the dangers of shadow IT for small businesses
Working in an SME, it is critical that everyone pulls together in order to ensure that the business continues to function. Without the people, resources or structures that large organisations have in place, job roles are often blurred, protocol can be swerved, and employees will find workarounds in order to ensure that tasks are completed.
When it comes to IT and cyber-security, this is particularly true. If an SME employee finds a piece of software, a tool, or an application which they believe can make their job more efficient, then they are likely to want to use it.
This well-intentioned desire to improve efficiency can, however, have negative effects.
The hidden cost of unknown IT
This negative effect is known as ‘shadow IT’ and can be defined as using an IT tool to complete your task, without express permission from your IT team or senior leadership.
While in many cases this may seem harmless, there are a number of reasons why the use of shadow IT can be damaging to an organisation.
If someone without the requisite IT knowledge downloads and starts using work software (such as Slack, Asana or Trello), they may inadvertently set it up without configuring appropriate security settings. This has the potential to place the organisation’s data at risk.
I have spoken at events about investigations that I have conducted whereby an overworked solicitor who was unable to complete their tasks within working hours from the office used their own credentials to set up an email address and cloud storage in order to complete their tasks at home.
This raises multiple concerns from a security perspective. Personal accounts and credentials cannot be monitored for security issues. Should either the personal cloud storage repository or the personal email be compromised, then the corporate data has also been compromised.
Many regions have extremely strict regulatory frameworks for the processing of data held by a business. If employees are inputting data into an unauthorised system, there is no guarantee that this data is being processed according to the regulatory standards of the region in which you’re operating.
Avoiding shadow IT mishaps
The best methods for small businesses to ensure that their employees do not unwittingly create any of these scenarios as a result of their use of shadow IT can be summarised by focusing on a few words: Communication, Culture and Processes.
The ability of IT departments at SMEs to communicate effectively with their employees is crucial. If an IT team are in regular contact with team members about the kind of IT issues they are experiencing and any potential friction with existing tooling or processes, and are undertaking regular audits of existing IT infrastructure, then employees should have appropriate channels through which to voice any requests, concerns or issues to IT, instead of attempting to fix the problem themselves without the requisite knowledge to do so.
Additionally, ensuring that IT teams develop appropriate processes for onboarding new staff and new technologies will help to provide a route by which new IT infrastructure, technologies, processes or ideas can be suggested.
This will not only work to practically prevent potential issues from arising with shadow IT, but will also work to foster something which is an overarching part of all IT conversations that SMEs should be having with their staff: a culture of security.
By working with IT teams and, if necessary, cyber-security specialists at managed service providers or in-house, SMEs should work to ensure that everyone within the organisation feels empowered to take ownership of the organisation’s cyber-security. This can be done by ensuring that nobody feels they will be penalised for asking security questions, and by providing security training which aims to demystify cyber-security.
Government schemes such as Cyber Essentials have been extremely successful at providing a cyber-security baseline for small businesses, but there is further to go. If this culture can be created, then cyber-security can become another shared goal at SMEs which all employees are pulling towards.
Adam Pilton is Senior Cybersecurity Consultant at CyberSmart
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543