John-Paul Sikking, security lead for Cisco NZ, uses this example to emphasise how ICT departments can underestimate the extent of ‘shadow IT’ in their organisation.
The term refers to IT services that are implemented without the knowledge or sanction of the ICT department.
He says most of the users of these cloud-based services have no malicious intent. “They are just trying to get IT in a simple way,” says Sikking, who spoke at the recent CodeBlue Connect lunch in Auckland.
Some examples are people forwarding office email to Gmail so they can access it while travelling, or “throwing things” or sharing files using Dropbox.
“The key thing is try to understand as an organisation, what your level of exposure is to these cloud based services,” says Sikking.
He says there are tools now to do this. An example is Elastica, which can audit the company’s exposure to cloud providers, and put controls in place.
Cisco’s approach is to provide alternatives. For sharing files, they use Box which has a lot more security controls around it, says Sikking.
“The technology is there,” he says. “It is now just a matter of saying, is this a concern? If yes, let us put a strategy or policy on how we are going to do that, and employ the technology to do that.”
His presentation likewise focused on the need to educate users on the cybersecurity implications of their actions.
“We are getting more lax as users,” he contends.
He says one survey shows 23 per cent of recipients now open phishing messages and 11 per cent click on the attachments. “Users are becoming complicit and aiding attackers.”
As he points out, online criminals rely on users to install malware or help exploit security gaps.
Users’ careless behaviour when using the Internet, combined with targeted campaigns by adversaries, places many industry verticals at higher risk of web malware exposure, he says, citing the findings of Cisco’s 2015 Security Report.
He says malware creators are using web browser add-ons as a medium for distributing malware and unwanted applications. This approach is succeeding because many users inherently trust add-ons or view them as benign.
Education is important, he states. “If a user is stopped from going into a site, explain why.”
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter: @cio_nz