{"id":14816,"date":"2019-03-12T10:30:05","date_gmt":"2019-03-12T18:30:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/03\/12\/news-8565\/"},"modified":"2019-03-12T10:30:05","modified_gmt":"2019-03-12T18:30:05","slug":"news-8565","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/03\/12\/news-8565\/","title":{"rendered":"Apple\u2019s Box security scare shows the risk of shadow IT"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/02\/fight-shadow-100787429-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Tue, 12 Mar 2019 10:25:00 -0700<\/strong><\/p>\n<p>Until enterprise IT truly gets to understand that its own internal systems need to be as easy to use as any iOS app and as easy to learn as an iPhone, potentially damaging data breaches will take place, threatening business confidentiality. Apple is not immune.<\/p>\n<p>The news is that information from some of the world\u2019s biggest names in business \u2013 including Apple, Edelman and Discovery Channel \u2013 could have been accessed through Box Enterprise, which offers companies bespoke company name-based file archiving and sharing services using this URL construction:<\/p>\n<p><em>https:\/\/&lt;companyname&gt;.app.box.com\/v\/&lt;filename&gt;<\/em><\/p>\n<p>The problem \u2013 according to a report on <a href=\"https:\/\/www.adversis.io\/research\/pandorasbox\" rel=\"noopener nofollow\" target=\"_blank\">adversis.io<\/a> \u2013 is that files stored on the service were liable to brute force attacks. 
This means it is possible to guess file names and try to access them; apparently thousands of files (including confidential data) could be accessed in this way.<\/p>\n<p>To be fair, Apple employees sharing documents with others using public Box Enterprise links weren\u2019t using an unauthorized application to do so \u2013 this was an officially-used internal Apple tool.<\/p>\n<p>Neither is Box to blame. The company took rapid action to remind users of best practice security advice soon after the story appeared and says it is also <a href=\"https:\/\/twitter.com\/levie\/status\/1105180044538929152\" rel=\"noopener nofollow\" target=\"_blank\">working to fix this problem<\/a>.<\/p>\n<p>Box itself had previously <a href=\"https:\/\/community.box.com\/t5\/Using-Shared-Links\/Securing-Shared-Links\/ta-p\/61843\" rel=\"noopener nofollow\" target=\"_blank\">warned<\/a> users that URLs could be guessed and advised administrators to limit sharing to \u201cpeople at your company\u201d, and to regularly check for public\/open links. 
It even offers tools to create non-guessable links to content.<\/p>\n<p>All the same, the scenario shows that convenience and apathy are strong bedfellows, making the argument that good security advice isn\u2019t always good enough to ensure good security practice.<\/p>\n<p>It\u2019s the BYOD\/Apple renaissance story all over again, of course.<\/p>\n<p>Just as incoming employees <a href=\"https:\/\/www.computerworld.com\/article\/3269356\/apple-has-become-an-hr-issue-for-enterprise-it.html\" rel=\"noopener\" target=\"_blank\">expect to be able to use Apple kit at work<\/a>, they also expect the software solutions they use to be accessible and intuitive.<\/p>\n<p>That\u2019s fine if your company has vetted and approved such use under company security policy, but what about the apps you haven\u2019t checked?<\/p>\n<p>It\u2019s important to coalesce your solutions around where your people are.<\/p>\n<p>After all, there are some applications employees just won\u2019t live without. For example, over half of deskless workers use messaging apps like WhatsApp and Messenger for work-related activity on a daily basis, but <a href=\"https:\/\/www.hrdive.com\/news\/study-employees-use-messaging-apps-for-work-without-hrs-knowledge\/546829\/\" rel=\"noopener nofollow\" target=\"_blank\">less than one-in-five<\/a> (16%) of them had informed HR of this use.<\/p>\n<p>The same logic applies across the application matrix.<\/p>\n<p>Mobile employee or in the office, most workers will use the solutions they find the most intuitive in preference to more complex apps \u2013 just because your enterprise offers a word processing tool that does everything doesn\u2019t mean much at all if employees have identified an alternative solution that transacts the same task faster.<\/p>\n<p>From their point of view, their time may be your money, but their time is precious, too, and the drive to ever increasing business productivity means stressed workers will seek out and use such 
shortcuts.<\/p>\n<p>iPhone-using employees know Apple\u2019s stores usually offer an <a href=\"http:\/\/www.applemust.com\/apple-ceo-tim-cook-speaks-at-cisco-live-confirms-enterprise-focus\/\" rel=\"noopener nofollow\" target=\"_blank\">\u2018App for that\u2019<\/a>.<\/p>\n<p>Empowering strong security policy requires a realistic approach.<\/p>\n<p>Your employees are going to use solutions that they are used to, so it makes sense for security teams to vet those in order to offer strong security advice to help make sure what happens on social media stays on social media \u2013 and that enterprise secrets never, ever make it there. The same applies to any other service.<\/p>\n<p>It\u2019s not sufficient to dispense an authoritarian, top-down selective approach to employee choice \u2013 it\u2019s more essential, and more useful, to provide accurate risk assessment and best practice advice, and to block some of the worst security offenders (including surveillance capitalist networks) from your internal networks.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3356176\/apple-s-expanding-enterprise-ecosystem.html\">MDM<\/a>, sandboxing content, efficient file-sharing controls, geo-location of assets and even <a href=\"https:\/\/www.oracle.com\/cloud\/cloud-threat-report\/?source=:ex:nc:::RC_WWMK180119P00044:OracleKMPGThreat&amp;SC=:ex:nc:::RC_WWMK180119P00044:OracleKMPGThreat&amp;pcode=WWMK180119P00044\" rel=\"noopener nofollow\" target=\"_blank\">AI protections across intranet and internal company networks<\/a> may help prevent and\/or identify poor security practice.<\/p>\n<p>However, so long as the systems you provide are harder to use than the many highly popular publicly available alternatives, you\u2019re always going to have a shadow IT problem \u2013 and the least you can do for those services your company does support is read the small print rather than assume everything is beautiful straight out of the box.<\/p>\n<p>Please follow me on<em>\u00a0<a 
href=\"https:\/\/twitter.com\/jonnyevans_cw\" rel=\"nofollow\">Twitter<\/a>, or join me in the\u00a0<a href=\"https:\/\/mewe.com\/join\/appleholics_bar_and_grill\" rel=\"nofollow\">AppleHolic\u2019s bar &amp; grill<\/a>\u00a0and\u00a0<a href=\"https:\/\/mewe.com\/join\/apple_discussions\" rel=\"nofollow\">Apple Discussions<\/a>\u00a0groups on MeWe.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3359368\/apple-s-box-security-scare-shows-the-risk-of-shadow-it.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/02\/fight-shadow-100787429-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Tue, 12 Mar 2019 10:25:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Until enterprise IT truly gets to understand that its own internal systems need to be as easy to use as any iOS app and as easy to learn as an iPhone, potentially damaging data breaches will take place, threatening business confidentiality. 
Apple is not immune.<\/p>\n<h2><strong>Apple and the human interface<\/strong><\/h2>\n<p>The news is that information from some of the world\u2019s biggest names in business \u2013 including Apple, Edelman and Discovery Channel \u2013 could have been accessed through Box Enterprise, which offers companies bespoke company name-based file archiving and sharing services using this URL construction:<\/p>\n<p><em>https:\/\/&lt;companyname&gt;.app.box.com\/v\/&lt;filename&gt;<\/em><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3359368\/apple-s-box-security-scare-shows-the-risk-of-shadow-it.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10480,10554,714],"class_list":["post-14816","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-ios","tag-mobile","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14816"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14816\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/w
ww.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}