Putting all politics aside, Hillary Clinton’s use of a private email server to transfer sensitive documents has brought up two important issues that business and IT leaders need to address. The first is to establish the degree to which end users are to be held accountable for circumventing an IT environment. The second, thornier issue is to determine how organizations can eliminate the IT issues that leave end users feeling the need to circumvent those systems in the first place.
There are very few employees who have never made use of a “shadow IT” service to access or share a company document or file. Those documents may not involve state secrets, but they often contain sensitive customer information or even corporate intellectual property.
In the last decade, organizations have either subtly encouraged or made light of the use of these shadow IT services because many of them are simply easier to use than the systems put in place by the internal IT group.
During the investigation of Hillary Clinton’s use of a private email server, it became apparent that she is not the first Secretary of State to circumvent the IT services provided by the State Department. Obviously, she and those other Secretaries of State should have known better. The Secretary of State is a high-profile target in a world where cyberespionage is now a constant, everyday threat. Then again, cyberespionage is so pervasive that hackers in Russia have already been shown to have penetrated the IT systems at the State Department. So even if Hillary Clinton had confined her use of email to the internal IT system deployed by the State Department, it’s not at all clear her communications would have been any more secure.
This brings us to the larger issue. There are hundreds of thousands of legacy email and file transfer systems in use today that suffer the twin sins of being both insecure and difficult to use. For the most part, these systems were built at a time when end users didn’t have ready access to simpler-to-use consumer services. As for securing them, the collective naiveté concerning the usage of passwords and security best practices at the time they were first deployed still persists to this day.
It’s clear that a much bigger discussion about IT security is long overdue. It’s unfortunate that it requires a presidential campaign to get it started. But if it wasn’t Hillary Clinton, it would only be a matter of time before some other high-profile individual ran afoul of the same shadow IT trap.
As noted by FBI director James Comey, the degree of legal culpability frequently comes down to intent. In the eyes of the law, deliberately sharing sensitive information and merely exposing it in a way that makes it easier to compromise are not one and the same thing. Organizations where usage of shadow IT services is high need to have a much more profound discussion about not only why those services are being used in the first place, but also what they really intend to do about it when the letter of the corporate policy in place is already being widely ignored. After they determine that, the inevitable new system that gets put in place needs to address not only usability, but also security. Striking a balance between security and usability is never easy. Nevertheless, when it comes to deterring shadow IT usage, getting it right will be the ultimate difference between success and failure.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.