My good friend Russ Svendsen recently sent me a link to a rather timely article in the International Herald Tribune (IHT) that ties in nicely with my recent post on shadow IT and also my post on People and IT Security. The IHT article "Firms fret as office e-mail jumps security walls" talks about corporate email users forwarding company email to free web-based email programs such as Google's gmail or Yahoo! Mail. The story is also posted at TechNewsWorld.
People like to use these systems because it lets them bypass the hassle of corporate security provisions: multiple passwords, email that can only be read from company PCs, or special-purpose security systems. Simply put, using these services is easier and quicker than the approved corporate systems. Use of these methods can spread quickly as users pass tips along to each other or the shadow IT guys add it to their bag of tricks for making things simpler.
The formal IT folks are understandably worried about this because of the increased exposure to viruses and spyware. But it isn't only the IT folks who should be concerned. Circumventing the corporate email system raises issues of data control and integrity, which gets the lawyers' and Human Resources folks' attention. Having email stored where IT cannot locate it can raise serious legal issues if it involves subject matter caught up in a lawsuit. Likewise, storing regulated data such as patient records in this manner runs afoul of data privacy requirements. As the IHT story reports: "The Web mail services may also be prone to glitches. Last month, Google fixed a bug that caused the disappearance of 'some or all' of the stored mail of around 60 users. A week later, it acknowledged a security hole that could have exposed its users' address books to Internet attackers." Try telling your CEO that Google lost your company's data.
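One practical check that follows from the concerns above is to look for mailbox forwarding rules that push company mail to outside addresses, and in particular to the free webmail providers the article names. The script below is an added example, not code from the original post or from any mail product; it runs over a constructed CSV export of per-mailbox forwarding rules whose column layout (mailbox, rule, forward_to, enabled) is an assumption, uses example.com as the assumed corporate domain, and treats providers beyond Gmail and Yahoo! Mail as an assumed list that you would tailor to your own environment.

```python
"""Flag mailbox auto-forwarding rules that send corporate mail to outside
addresses, with consumer webmail providers called out separately.

The CSV layout, the corporate domain and the provider list below are
assumptions for this example; adapt them to your mail system's real export.
"""
import csv
import io
from email.utils import getaddresses

CORPORATE_DOMAINS = {"example.com"}          # assumption: the company's own mail domain(s)
CONSUMER_WEBMAIL = {                          # assumed list of free webmail providers
    "gmail.com", "googlemail.com", "yahoo.com", "ymail.com",
    "hotmail.com", "outlook.com", "live.com", "aol.com",
}

# Constructed sample export (not real data). Columns: mailbox, rule, forward_to, enabled
SAMPLE_EXPORT = """mailbox,rule,forward_to,enabled
alice@example.com,Copy to home,"Alice Home <alice.smith@gmail.com>",true
bob@example.com,Backup,bob@mail.example.com,true
carol@example.com,Partner,carol@partner-firm.co.uk;Carol <carol.m@yahoo.com>,true
dave@example.com,Old rule,dave.d@GMAIL.COM,false
erin@example.com,Lookalike,erin@example.com.evil.net,true
"""


def is_internal(domain: str) -> bool:
    """True when the domain is one of ours or a proper subdomain of one of ours.

    A suffix match on the bare string would wrongly accept lookalikes such as
    example.com.evil.net, so we require either equality or a ".<ours>" suffix.
    """
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)


def classify(address: str) -> str:
    """Classify one forwarding target as internal, consumer-webmail or external."""
    domain = address.rsplit("@", 1)[-1].lower()
    if is_internal(domain):
        return "internal"
    if domain in CONSUMER_WEBMAIL:
        return "consumer-webmail"
    return "external"


def find_external_forwards(export_text: str, include_disabled: bool = False):
    """Return (mailbox, rule, address, classification) for every non-internal target.

    Disabled rules are skipped by default; pass include_disabled=True to audit
    them too, since a user can re-enable a rule with one click.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not include_disabled and row["enabled"].strip().lower() != "true":
            continue
        # getaddresses() understands display names ("Name <addr>") but splits
        # only on commas, so normalise ';'-separated target lists first.
        for _name, addr in getaddresses([row["forward_to"].replace(";", ",")]):
            if "@" not in addr:
                continue
            kind = classify(addr)
            if kind != "internal":
                findings.append((row["mailbox"], row["rule"], addr.lower(), kind))
    return findings


def summarize(findings):
    """Count findings per classification, e.g. {'consumer-webmail': 2, 'external': 2}."""
    counts = {}
    for _mailbox, _rule, _addr, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_external_forwards(SAMPLE_EXPORT)
    for mailbox, rule, addr, kind in results:
        print(f"{kind:16} {mailbox:20} rule={rule!r} -> {addr}")
    print(summarize(results))
```

A rule export only catches server-side auto-forwarding. Users who forward messages by hand, or who pull corporate mail into Gmail over POP, leave no rule behind, so pair this with a look at your outbound mail gateway logs for recipients at the same provider domains.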
Obviously we have a significant security issue resulting from the shadow IT effect of using outside email systems. The challenge is how to address this in our IT security program. The 3 goals of an IT security program are:
- Tight security
- User convenience
- Low cost
Along with this goes an old saying - that when implementing a security system you can pick any two of the above but have to be willing to sacrifice the third. This is not a pleasant scenario. So what do we do?
This is where the "people factor" I mentioned in People and IT Security comes into play. Making security awareness an important part of your security program can help. It won't solve the pick-2-and-sacrifice-1 conundrum, but it can help minimize the problem. It is naive to think a security awareness effort will eliminate the issue entirely, but with some effort you may be able to contain it. Without awareness, users are only concerned with the convenience factor, and hence their choice is easy. Some would argue that users are concerned with security too, but typically only once security has become an issue, and not before. A good awareness program can help them appreciate all 3 concerns and help create a workable balance.
What are your thoughts on this?
One logical question that this discussion raises is - What constitutes a good security awareness program? I'd love to hear your thoughts on this and perhaps we can have a future post on that topic.