What is shadow IT?

It’s basically where staff or volunteers or contractors in an organisation use a technology that the organisation has no control over. No sight of and is unaware of. Here are three examples:

Used for risky Internet access

One would be where staff might use their mobile phones as an internet hotspot to be able to access the internet unrestricted, through their phone rather than through maybe a tightly controlled firewall on their local network. The risk here is that they may be able to access sites that may bring malware into the network and effectively they’re bridging the insecure internet to your local network.

USB memory sticks – burn them with fire

There’s always the risks as well associated with the use of USB memory sticks, that people are picking up at conferences and things like that. With no idea where they’re coming from. What’s on them. So there’s always been a risk around those.

Cloud Storage – it’s only as secure as you can make it

Finally if Staff were to use personal cloud storage services like a Dropbox or a Google drive or an Amazon S3 bucket, the organisation if they are unaware that, they don’t know how well secured those platforms are. They don’t know whether the data could be potentially breached from those cloud storage services. So there is a risk there.

What’s the real problem that Shadow IT creates?

And with all these technologies, the main risk here is in fact that they’re probably going to give you a breach of the GDPR in that you’re not in control of your IT security.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We can conduct an audit on your infrastructure and look for signs of Shadow IT. When we find it, we can provide guidance on how to remediate it to everyone’s satisfaction.

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 038 Shadow IT appeared first on L2 Cyber Security Solutions Ltd..

We were chatting over a coffee about the various mistakes people make when securing their own private infrastructure. Things like not updating software, having a poorly configured firewall and not testing their backups to name but three. Then my friend came out with a doozy.

We store all our stuff up in the cloud and leave Amazon worry about the security side of things.

So I asked what “cloud security” had they signed up for, which he couldn’t answer directly, but presumed it was all part and parcel of the package they were paying for. I asked who configured their security and he stared at me like I was a madman.

I already said … Amazon will look after the cloud security. They have world class security solutions.

I agreed that Amazon do indeed have the best security available (as do other cloud providers like Microsoft). However assuming that Amazon would “look after the security” was a risky presumption to make.

It all depends on what you sign up for. Amazon/Microsoft will provide you with cloud storage and other services. They will also provide you with the tools necessary to secure your cloud storage. Unless you are engaging them for a full service package, where you completely outsource to them and it is pretty pricey, you are likely to be responsible for your cloud security.

In the last week I have read the following stories:

• Viacom (who own Paramount Pictures) had a publicly accessible Amazon S3 bucket containing a lot of very juicy technical details of their infrastructure set-up. It contained a server manifest along with passwords.
• Verizon Wireless, the mobile arm of the US Telecomms giant, had a publicly accessible Amazon S3 bucket containing some apparently confidential documents which had user IDs and passwords in them, among other items.
• SVR Tracking, a US based Vehicle Tracking service provider, had a … you guessed it … publicly accessible Amazon S3 bucket containing over half-a-million records of vehicles, user IDs, passwords, as well as where the tracking device is hidden in the vehicle.

So just these three examples from the last week show that people are putting stuff “into-the-cloud” in these insecure Amazon S3 buckets, presuming that Amazon will look after the security for them.

Please don’t make the same mistake yourself.

If you have any sort of Cloud storage in use at your business, please take a few minutes now to review it’s security set-up and ensure it is not publicly accessible.

Let’s be careful out there.

The post Cloud Security is your responsibility. appeared first on L2 Cyber Security Solutions Ltd..