Apple’s Box security scare shows the risk of shadow IT

Credit to Author: Jonny Evans | Date: Tue, 12 Mar 2019 10:25:00 -0700

Until enterprise IT truly gets to understand that its own internal systems need to be as easy to use as any iOS app and as easy to learn as an iPhone, potentially damaging data breaches will take place, threatening business confidentiality. Apple is not immune.

The news is that information from some of the world’s biggest names in business – including Apple, Edelman and Discovery Channel – could have been accessed through Box Enterprise, which offers companies bespoke company name-based file archiving and sharing services using this URL construction:

https://<companyname>.app.box.com/v/<filename>

The problem – according to a report on adversis.io – is that files stored on the service were liable to brute-force attacks: because file names can be guessed, an attacker could simply try likely names and request them, and apparently thousands of files (including confidential data) could be accessed in this way.

To be fair, Apple employees sharing documents with others using public Box Enterprise links weren’t using an unauthorized application to do so – this was an officially-used internal Apple tool.

Neither is Box to blame. The company acted swiftly after the story appeared, reminding users of best-practice security advice, and says it is also working to fix this problem.

Box itself had previously warned users that URLs could be guessed and advised administrators to limit sharing to “people at your company”, and to regularly check for public/open links. It even offers tools to create non-guessable links to content.
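The advice above boils down to a routine audit: find share links that are open to anyone and whose path is a human-readable file name rather than a random token. The script below is an added example written for this article, not code from Box, Apple or the adversis.io report. It assumes an administrator has already exported share links to a CSV with `url` and `access` columns (that column layout is an assumption made here, not Box's real export format), and the sample rows are constructed. It only inspects a local list and never contacts any service.

```python
import csv
import io
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample export. The column names and the access values
# ("open" = anyone with the link, "company" = people at your company)
# are assumptions for this example, not Box's actual export format.
SAMPLE_EXPORT = """url,access
https://example-co.app.box.com/v/Q3-Board-Deck,open
https://example-co.app.box.com/v/x7k9q2mz0rtb4lvn,open
https://example-co.app.box.com/v/Payroll-2019,company
https://example-co.app.box.com/v/Vendor-Contract-Final,open
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    length = len(text)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def slug_of(url: str) -> str:
    """Return the last path segment of a share URL, e.g. the <filename> part."""
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]


def looks_guessable(slug: str, min_entropy: float = 3.0) -> bool:
    """Heuristic: a slug is guessable if it contains dictionary-like words
    (runs of three or more letters separated by -, _, . or spaces) or if its
    character entropy is low. A 16-character random token passes; a name
    like "Vendor-Contract-Final" does not."""
    tokens = re.split(r"[-_.\s]+", slug)
    has_word = any(re.fullmatch(r"[A-Za-z]{3,}", t) for t in tokens)
    return has_word or shannon_entropy(slug) < min_entropy


def audit_share_links(csv_text: str) -> list[str]:
    """Return the URLs of links that are open to anyone AND use a guessable
    slug. Links restricted to "people at your company" are not flagged even
    when their names are guessable, because the name alone is not enough to
    reach them."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_open = row["access"].strip().lower() == "open"
        if is_open and looks_guessable(slug_of(row["url"])):
            flagged.append(row["url"])
    return flagged


if __name__ == "__main__":
    for url in audit_share_links(SAMPLE_EXPORT):
        print("open link with guessable name:", url)
```

Run against a real export, the flagged list is the set of links to either restrict to "people at your company" or regenerate with a non-guessable link; the entropy threshold is a rough cut-off and can be tuned to the naming conventions in use.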

All the same, the scenario shows that convenience and apathy are strong bedfellows, making the argument that good security advice isn’t always good enough to ensure good security practice.

It’s the BYOD/Apple renaissance story all over again, of course.

Just as incoming employees expect to be able to use Apple kit at work, they also expect the software solutions they use to be accessible and intuitive.

That’s fine if your company has vetted and approved such use under company security policy, but what about the apps you haven’t checked?

It’s important to coalesce your solutions around where your people are.

After all, there are some applications employees just won’t live without. For example, over half of deskless workers use messaging apps like WhatsApp and Messenger for work-related activity on a daily basis, but less than one-in-five (16%) of them had informed HR of this use.

The same logic applies across the application matrix.

Mobile employee or in the office, most workers will use the solutions they find the most intuitive in preference to more complex apps – just because your enterprise offers a word processing tool that does everything doesn’t mean much at all if employees have identified an alternative solution that transacts the same task faster.

From their point of view, their time may be your money, but their time is precious, too, and the drive to ever increasing business productivity means stressed workers will seek out and use such shortcuts.

iPhone-using employees know Apple’s stores usually offer an ‘App for that’.

Empowering strong security policy requires a realistic approach.

Your employees are going to use solutions that they are used to, so it makes sense for security teams to vet those in order to offer strong security advice to help make sure what happens on social media stays on social media – and that enterprise secrets never, ever make it there. The same applies to any other service.

It’s not sufficient to dispense an authoritarian, top-down selective approach to employee choice – it’s more essential, and more useful, to provide accurate risk assessment and best-practice advice, and to block some of the worst security offenders (including surveillance capitalist networks) from your internal networks.

MDM, sandboxing content, efficient file-sharing controls, geo-location of assets and even AI protections across intranet and internal company networks may help prevent and/or identify poor security practice.

However, so long as the systems you provide are harder to use than the many highly popular publicly available alternatives, you’re always going to have a shadow IT problem – and the least you can do for those services your company does support is read the small print rather than assume everything is beautiful straight out of the box.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
