Twelve years with the FBI and I was ready for anything: espionage, massive cyberattacks, Tom Clancy-esque zero-day exploits. I saw some of that, of course, but more often I discovered and rediscovered that it's the simple things that most often cause catastrophic problems — simple things that plague every company.
For example, midway through my stint as a dedicated cyber agent, we responded to a data breach at a well-known company. Private information, much of it highly sensitive, had been dumped into a repository on the open Internet. Was it the result of state-sponsored actors? Sophisticated activist groups? A brute-force login attack?
No. An employee had placed sensitive data in a free cloud storage account, and run-of-the-mill data thieves had simply posted it online. Despite the fact that this storage provider had a high-profile breach only months earlier, the employee didn't change the account password. A million-dollar problem could have been avoided with a 60-second password reset. This is a great example of the three risks I see in most companies.
It's no surprise that as many as 80% of employees use unauthorized services. What is surprising is that companies have known about this threat for a very long time, yet they're still failing to address it. According to Gartner, "Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year."
When employees use platforms that have not been screened or authorized by a company's technology and security team, they're wading into what's known as "shadow IT." And shadow IT makes it much easier for hackers to steal your company's data. For example, employees will always try to increase productivity in any way they can. They'll rely on unsanctioned cloud-based file storage, survey software, or messaging apps if those apps will save them a few minutes. But this kind of behavior opens up the holes that can cost a company millions of dollars and priceless consumer trust. A 2017 study by the Ponemon Institute found that the average cost of a breach is $3.62 million. There's nothing productive about that.
Another true story: During an investigation into a network intrusion at a large company, the network engineering team was using a free chat tool to communicate as they fought to regain control of their network. They had not told anyone about this tool, and they had been using it for months. In fact, it became their primary channel as they chased the attackers in their network. Do you see where this is going?
These engineers hadn't involved their infosec team in vetting the tool, and it was set up insecurely. The attackers had joined the very chat group the engineers were using to try to kick them off, and they were tracking the team's every move. We discovered the intruders only by identifying every person in the chat group and isolating several imposters. After that, we moved quickly to a different communications channel.
In their rush to be productive, the engineers made the problem worse with a sloppy setup of a free tool. The company spent a lot more time and money remediating the breach, and the data loss was much larger than it could have been. They had to spend millions to inform customers and to provide credit protection for those customers.
Squashing Shadow IT
How can your company avoid horror stories like these? Here are four ways to bring security priorities and employee behavior together:
Companies can squash shadow IT risk, but they have to be willing to listen to their employees, create transparent guidelines, and encourage an open discussion on the best ways to be both productive and secure.
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.Adam Marrè, CISSP, GCIA, GCIH, is a Qualtrics information security operations leader and former FBI cyber special agent. Adam has more than 12 years experience leading large-scale computer intrusion investigations and consulting as a cybercrime ... View Full Bio