Data Leakage: Rogue IT problems and solutions

Is rogue IT threatening to cause a major breach?

by / October 12, 2013 0


Photo: Shutterstock

Is sensitive data finding its way onto home networks? Is confidential data leaking onto unprotected mobile devices? Are unauthorized cloud services being used as a convenient and cheap way to store data? Is rogue IT threatening to cause a major breach? Is your government or business suffering because employees are deliberately violating cybersecurity policies?  

According to a recent survey from uSamp, sponsored by

·         Mobile ‘rogue IT’ costing US organizations almost $2B.

·         Over 40% of workers ignore corporate document policies by using unsanctioned cloud services to get work done;

·         1 in 2 experience tangible damage as a result.

·         41% of workers used an unsanctioned cloud service for document storage/sync within the last 6 months, despite the fact that 87% of these workers knew their company had a policies forbidding such practices.

In fact, according to the survey, technology leaders worry more about rogue IT issues than malware or viruses or overseas cyberattacks hitting their networks.

Historical perspective from around the world

 Lest you think that these numbers are totally new or completely different, a Cisco survey performed back in 2008 yielded similar concerns about data leakage. Despite the fact that cloud computing and smartphones were just emerging five years ago, employee misuse of sensitive data was already widespread.  

(Side note: in most cases, staff ignoring or violating policies is not with malicious intent, but rather indicates a desire to take short cuts or utilize tools that allow them to get their work done faster.)

Some of the findings from the 2008 Cisco report included:

·         63 percent of employees admit to using a work computer for personal use every day, and 83 percent admit to using a work computer for personal use at least sometimes.

·         70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents. This belief was most common in the United States (74 percent), Brazil (75 percent), and India (79 percent).

·         46 percent of employees admitted to transferring files between work and personal computers when working from home.

·         13 percent of those who work from home admit that they cannot connect to their corporate networks, so they send business email to customers, partners, and co-workers via their personal email.

Let’s be clear – I am not talking about implementing a secure Bring Your Own Device (BYOD) program with Mobile Device Management (MDM). Neither am I condemning secure cloud offerings or hybrid or personal cloud services that offer our customers new and exciting capabilities.

These surveys and articles are pointing out deliberate attempts to violate corporate or government policies and go around or not use such programs.

What’s to be done?

So what can be done to help? Here are a few possible solutions which are offered from this Forbes article on the same subject:

Marty Hodgett, CIO of Symantec suggests that companies set up a sandbox environment for new mobile technologies so that IT can evaluate them according to employee requirements. If the requirements and mobile device pass the evaluation, then allow them to be used in the workplace.

Bob Egan of Forbes warns IT departments to, “Treat mobile devices and resident applications as hostile – secure the data when at rest and in transit.” Egan also recognizes that employees, “feel a lot of anxiety to do things faster and better because of mobile. Without the mobile access to the right tools, employees feel relegated to second class company citizens.”

Guru Michael Krigsman of the Wall Street Journal and ZDNet suggests, “IT must create policies that balance security with flexibility. The right policies encourage workers to use devices and software that adhere to security standards while providing the right level of flexibility to the employee. Balanced approaches are the solution to increasing security awareness and ensuring the buy-in from employees.

The Forbes article also offers excellent advice from several other industry experts.

Final Thoughts and Upcoming NASCIO Conference Session  

 Combatting what many technology leaders call “rogue IT” is difficult. The term itself can even be misleading, because one person’s rogue IT is some customer’s easy to use technology solution. Indeed, the very point of many new technology offerings is to streamline processes and enable new end-user tasks that were difficult to perform before. Facebook, Twitter, Google+ and other social media tools are great examples of helpful new online services that people like.

The challenge is to stop the data leakage in the process, which means we must offer workable solutions that our customers want to use. Our service offerings must be easy enough to use that our clients will not need to “go rogue.”

For one practical example of potential solutions: I will be moderating a breakout session on cloud computing at the NASCIO 2013 Annual Conference this week in Philadelphia called:

The Working Cloud – Overcoming Obstacles. This session will cover examples and cases where Cloud has been deployed and is operating successfully. There will be a review of the key obstacles (contracting, data, security, backup/recovery, cultural change) to using Cloud in the states with a panel discussion of how Cloud has been made to work and how obstacles have been overcome.  The first part will cover some facts around the growth and use of Cloud, while the panel discussion will discuss specific examples of implementations and use.

The panelists will be:
- Steve Nichols, Chief Technology Officer, State of Georgia
- Elayne Starkey, Chief Security Officer, State of Delaware
- Karen Robinson, Chief Information Officer, State of Texas
- Ed Valencia, Deputy Commissioner and Chief Technology Officer, State of Minnesota

Please plan to join us on Monday, if you'll be at the NASCIO conference. We will be discussing this data leakage topic and more.

Most important, take another look at your overall approach to stop data leakage. The adoption of your IT offerings in the cloud and with mobile devices will say a lot about your probablity of success.

Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso