We would like to keep you up to date with the latest news from Digitalisation World by sending you push notifications.
Digital Newsletter
Each week our editor Phil Alsop rounds up the most popular articles, videos and expert opinions. We compile this into a Digital Newsletter and send it straight to your inbox every week.
Digital Magazines
We'll let you know each time a new edition of Digitalisation World is released so that you're always kept up-to-date with the latest and greatest news and press releases.
Video Magazines
The Digitalisation World Video magazine contains the latest Zoom interviews with experts in the industry.
Hands up anyone who has ever simply ticked the box on the online licence or accepting the Ts & Cs of a new product you simply want to get working with as soon as possible? That must cover most people, at least once in their lives. Yet a recent case has made it clear that those Ts & Cs can contain some significant insecurity issues that might mean a product is left well alone.
The case in question is that of ex-Microsoft staffer, Alex Kibkalo, who is currently facing Federal charges alleging he stole trade secrets from the company. In an effort to gather evidence, Microsoft accessed the Hotmail account of an anonymous US blogger in connection with that effort.
Last week Microsoft, which owns the Hotmail email service, acknowledged that it read the anonymous blogger's emails after it suspected one of its employees was leaking information, saying that it had to take ‘extraordinary actions in this case’.
This has, not surprisingly, caused consternation and surprise in many quarters, not least because most users would assume the company’s Ts & Cs would specifically prohibit such an activity. But according to Skyhigh Networks, a cloud visibility company which evaluates and ranks the security credentials of services like Hotmail, such activity is far more common across the board than most users might suspect.
Charlie Howe, director, EMEA at Skyhigh Networks, believes that this is a classic example of the hidden terms and conditions that exist within many cloud providers’ services.
“Though described as an ‘extraordinary action’, similar incidents of cloud service providers accessing our confidential data are far too common,” he suggested. “The problem is, this is a technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not. For instance, I would guess that most people don’t actually read the full Terms and Conditions before using a new application, and they would probably be surprised by what they are actually agreeing to when they click the ‘accept’ button on certain cloud services.
“A bigger problem arises when these cloud services are used in a business capacity, posing a significant risk in terms of data ownership and confidentiality. Modern CIOs are struggling with a dilemma, as they are faced with requests from employees wanting to use agile and flexible cloud services for work purposes, while trying to manage the associated risk, security and privacy concerns.
“However, in spite of this, there is a growing trend for employees to take matters into their own hands, downloading and using a variety of user-friendly, intuitive applications which often fly under the radar of CIOs, CISOs and IT teams. This concept of Shadow IT is putting organisations at risk of cyber-attack and data loss, as organisations often lack the visibility and control required to manage risk, ensure cloud governance and confidently enable cloud services.
“With such a diverse, disparate workforce, today’s organisations really need to have the visibility to measure and manage unauthorised cloud usage across their networks – but without the right tools, this can be time consuming and inaccurate. By employing services that assess and evaluate the enterprise readiness of each individual cloud service – effectively ranking them in terms of privacy and risk – IT teams can strike a balance between keeping employees happy and preserving the integrity of sensitive data within the organisation. By taking time to truly understand the conditions to which they are agreeing, organisations can rest in the knowledge that only enterprise ready cloud services are being used by employees.”
It also involves both businesses, and employees themselves, taking a measure of proactive responsibility, especially when situations that they might consider remote possibilities are in fact likely to be far more probable in practice.
This can include defining a number of complementary steps, such as a mix of properly applied policies across the organisation; a process through which employees can nominate and demonstrate their suggested applications for proper assessment by the business; and a common sense approach by staff to using new applications that have not come from their employer’s list of approved products.
Even for small businesses, therefore, such policies must include a clear indication that running shadow IT applications is an offence carrying significant penalties, including dismissal. There should also be a clearly defined and well-circulated `black list’ of applications and tools where use of them for work purposes can be subject to disciplinary actions.
But it must also include policies that make it clear to both the IT department and staff that the addition of new applications is a `good thing’ and to be encouraged, and that suggestions from staff are to be welcomed. What is more, evaluation of such suggestions are to be conducted openly and fairly, rather than on a `not thought of here first’ basis.
Finally, staff themselves must learn to be more self-aware of what applications they are considering using and their history. Some have reached near-legendary status for their lack of security and similar areas of overall `flakeyness’. Here, the idea of using them for any work processes should self-evidently be a considered a bad move by any employee.
