The Panama Papers should be a wake-up call to every CEO, COO, CTO and CIO in every company.
Yes, it’s good that alleged malfeasance by governments and big institutions came to light. However, it’s also clear that many companies simply take for granted that their confidential information will remain confidential. This includes data that’s shared within the company, as well as information that’s shared with trusted external partners, such as law firms, financial advisors and consultants. We’re talking everything from instant messages to emails, from documents to databases, from passwords to billing records.
Clients of Mossack Fonseca, the hacked Panamanian law firm, erroneously thought its documents were well protected. How well protected are your documents and IP held by your company’s law firms and other partners? It’s a good question, and shadow IT makes the problem worse. Much worse.
A personal example: One of my consulting clients wanted me to help out with a research project for which there were many, many reference files that contained important intellectual property, such as product plans, launch dates, marketing proposals and so on.
How did we share the data? The team I was working with already had a “shadow IT” Google Drive for this project. They found it much easier to use than their official corporate document sharing platform, SharePoint. So, they simply shared the Google Drive with me and with several other consultants. Does their IT department know, or their information compliance department? I haven’t asked, but my guess is, “heck no.”
How do I communicate with my client about the project? Email is the usual vehicle. However, sometimes we use Google Hangouts for video chats, and—believe it or not—Facebook Messenger. Their chief information security officer (CISO) shouldn’t be happy about that, even though I’m totally an upright, trustworthy fellow.
Why do employees use shadow IT? It isn't because they are intentionally trying to harm the organization. The biggest reason is convenience: The employees have a job to do, and whatever helps get the job done fastest is good. There’s no doubt that it’s very fast to set up a Google Drive, Dropbox or Microsoft OneDrive—and much easier than setting up a SharePoint file share, especially when you need to include individuals outside the organization.
There are numerous situations where this becomes, well, sloppy. For my own business, correspondence with my CPA and attorney is over email. Sure, sometimes we password-protect the documents, but are they secure? Are they secret? Are they safe? Not really. Breaking the password on a PDF is almost always child’s play. My CPA sent over my 2015 tax documents in a password-protected PDF, and I was able to unlock it in about 10 seconds without using the password. And I'm not even a real hacker.
Business-class tools built for both ease of use and security
The shadow IT problem is real, especially since there are so many free products that work so well. It’s incumbent on IT staff to ensure that officially compliant tools are not only official, but also easy to use and configure. Make no mistake: Except in some highly secure, regulated environments, simply running training sessions that hammer the point that “Loose Lips Sink Ships” won’t get the job done. Technological countermeasures against unapproved applications will work up to a point, but they will cause anger and resentment. Sure, you can block access to Dropbox or Snapchat at the firewall. And maybe you should. But is that the best way? And what about all of those mobile devices?
The first place to start is by examining the collaboration and communication tools that are already installed. They must be secure—that’s a given. They must be functional—that’s also a given. But they must also be easy to use, customize and configure. I have a client where we use Yammer—and yes, I was given an official login to their Yammer system. It drives me crazy, and it drives that company’s employees crazy, too. It’s frustrating and non-intuitive. I wouldn’t be surprised if someday they set up a shadow IT solution.
The second is to consider adding new tools that truly are built with security, functionality and ease of use in mind. For example, Box is a cloud-based storage and file-sharing system that is very easy to use and quite secure by design, with excellent policies for managing information access. Currently none of my clients use Box, which is a shame.
Another tool is secure messaging and chat. How secure is Facebook Messenger? It's fine for consumers, but would you trust it for the enterprise? I wouldn't. Text messaging? Apple’s cloud-based Messages and its predecessor, iChat? They’ve been around for years and are excellent shadow IT solutions. They’re not appropriate for corporate messaging—no logging, no controls—and they would be a nightmare if you need to do e-discovery or are chosen for a compliance audit.
Microsoft’s Yammer is probably the most secure broad-focus collaboration platform, and it has all the policy-based security most organizations should ever need. But it’s very frustrating to use.
An alternative is Symphony, which is very easy to use and secure by design. It’s popular in the financial industry because it meets their compliance needs. We use Symphony within my own company; the only drawback is that it works with a limited number of browser clients. On my Mac, I have to use Symphony with Chrome because it doesn’t yet support Firefox. Hopefully that will change soon.
Another collaboration platform worth investigating is Ribose. While it is more focused on the consumer market and in small businesses, it can provide a safe place for workers and contractors to gather without using email or a cloud-based file-sharing service, while keeping information in a secure environment.
The right applications are necessary but are not sufficient
It’s easy to write compliance documents and policies. In most organizations, it’s easy for employees to ignore them—and share documents willy-nilly with people who shouldn’t receive them. And when documents leave your organization, you have no control over what happens next—as the Panama Papers fiasco showed.
Here’s what you need to do: Find good secure collaboration tools. Make sure employees like those tools and can get their job done. Emphasize that communications and documents should be shared internally and externally only by using those tools, so that you can maintain ownership and control of your data.
And be eternally vigilant. You’d hate for the financial data you share with your accountant or the patent application you share with your attorney to become public if (or when) they get hacked. It’s up to you. What are you going to do about it?