Man working on laptop at home showing the security risks of Shadow IT in remote working

Recovering from the Shadow IT Pandemic

Throughout this pandemic, millions of people continue to face the challenge of working from home under the significant stress of managing their family’s safety, supplies, and sanity. As if this were not enough, many among them are new to the remote work experience, leaving them to scramble to find the tools they need to remain productive at a more than social distance from their coworkers, patients or customers. A frenzy like we’ve seen in recent weeks leads me to bet that security risk may not have been top of mind for decision makers.

If ever there was a time for hasty decision-making, this would seem to be it. Regulations on personal protective equipment are even being relaxed to cope with supply problems. On the tech side, the exceptional need for remote patient care in the near term prompted the Department of Health and Human Services (HHS) to waive penalties against medical providers who use remote communication solutions that do not comply with HIPAA privacy and security regulations.

Of course, those who were more prepared fared better than others and didn’t need to reach for non-compliant solutions. Now is not the time, however, to speak of Sun Tzu and remember that the battlefield is not the time to plan your battlefield strategy. There will be time for that later. Now is the time to lick our wounds (after washing them for 30 seconds with soap and water), assess where we are, and get back on solid footing.

The rush to communication and teleconferencing solutions during the COVID-19 pandemic has intensified another ongoing global pandemic called “shadow IT.”  This exists when a company’s employees find their own solutions to information technology problems, often beyond management’s reach (e.g., on employee personal devices) and often in violation of company security policy. Given what’s happened in the past few weeks, I think it’s fair to say this problem just got a lot worse.

Whether you’re a manager or employee, you did what you had to do to get the job done. You got your team communicating, teleconferencing and being productive again. Now you need to stop and think if you’ve made the right choices from a security perspective. You know what you’re doing, how sensitive your information is and how much risk you’re willing to take. But, perhaps you’re not a security expert and could use a little help assessing the security worthiness of the tools you’re using.

Here are two simple tips you can use to assess if communication/teleconferencing product is suitable for your security needs:

Tip #1. Just because it’s encrypted doesn’t mean it’s private. There are different kinds of encryption and different ways to use it in a product. Basically, there’s client-to-server encryption and end-to-end encryption. Client-to-server encryption protects your data as it travels from you to the provider’s servers. Commonly used forms of client-to-server encryption, including HTTPS and TLS, were designed mainly to secure things like the web browser session between you and your bank, not user communications, and had the hacker at the coffee shop in mind. If the product you use relies on client-to-server encryption, your data is decrypted the moment it reaches the provider’s systems, which means it’s vulnerable to anything that can go wrong on the provider side including server hacks, system misconfigurations, coding errors, rogue employees, and mistakes. End-to-end encryption, on the other hand, protects data as it travels between you and the person with whom you are speaking. Commonly used forms of end-to-end encryption were specifically designed to secure user to user communications and had myriad threats in mind. If the product you use relies on end-to-end encryption, your data is encrypted at all times within the provider’s systems in a way that the provider cannot access it, which means it’s safe from the hacker at the coffee shop and provider side threats as well.

Tip #2. If anyone can join, it’s not a private call. Many teleconferencing products provide access to calls via web links. The problem with that is anyone who has the link can join the call. Even if pins or passcodes are shared along with the links, the service has no way to ensure that the users who join were actually invited to the call. This kind of loose authentication scheme can of course lead to unauthorized access and eavesdropping, but even if that’s not a concern, it can also be exploited to deliver malware via phony links or disrupt your calls via the injection of harassing or objectionable content.

There are many great solutions out there, but they’re not all created equal from a security perspective. If you’re looking to make a solid layman’s choice, you can do well with just that advice. Pandemic or no, our information risks remain. Security threats don’t respect timeouts for national emergencies. Someday soon the emergency will be over, the regulatory requirements will return and priorities will shift back to the longer term. Don’t forget to shift with them.