This week, many users of the Microsoft document sharing site docs.com were astonished to find that the warning messages that they had read and clicked through when uploading their credit card statements, medical reports, password spreadsheets etc. etc. weren’t a hoax, they were true! Shock, horror, panic.
What did those warning messages say?
Researcher Kevin Beaumont (Twitter: @gossithedog) pointed out to the startled and alarmed docs.com flock that what this meant was that the stuff they posted with default settings was out there like knickers on a washing line. What a surprise.
The jury is out as to why the above advice went unheeded. Is it because of warning message fatigue, laziness or just not thinking things through? Was the ‘do not show this again’ button clicked on first showing with a wrist jerk™ reaction?
This sorry tale raises a couple of interesting points, in addition to the laissez-faire attitude of ‘the user community’:
The first is that the default security of many sites is often wide open, requiring action to restrict what third parties, possibly malevolent (mwahahaha), have access to.
The second is that if there is an easy and convenient way to share information, users will jump at the chance. If this can be used to bypass pesky and inconvenient controls on, for instance, a business machine or even a parentally controlled home machine, it will be.
The convenience and potential lack of security of ‘cloud-based’ file sharing, documentation building, workflow, project management, even business process tooling is becoming a growing headache for the enterprise. Build it and he will come, and her, and it, and them.
On the one hand, the kids want unfettered access to the Internet so they can be super productive (whilst maintaining a healthy work-life balance, obvs) by downloading and using the latest start-up’s promise of spreadsheet or ERP nirvana, only to go back to PowerPoint and Excel the very next day. On the other hand, data governance goes straight out of the window, which in a world fast approaching the new GDPR regulations could become more than a little problematic.
In the enterprise space there are a number of solutions, ‘Cloud Access Security Brokers’ or CASBs (pronounced ‘casbees’), which offer varying degrees of discovery and detection. ITC is currently working with several of these providers and will be integrating them into the NetSure360° managed services portfolio imminently in order to provide the visibility, control and assurance that is becoming more necessary by the day.
At home, education and awareness are the only answer. Spread the word.
If you would like to discuss Shadow IT or securing the use of cloud-based services, either put your request in a Word document and share it on docs.com or alternatively use the good old-fashioned method and email us at: [email protected] or call 020 7517 3900.