
App risk management advice

Espion is calling on organizations not to overlook the risks posed by workers increasingly packing their own clouds and apps into their virtual briefcase without consulting their IT department.

The growth of ‘shadow IT products’ (non-approved SaaS applications) has skyrocketed in recent years, with the latest research revealing that 81 percent of enterprise employees[1] admit to using unauthorised applications. The scale of this was also highlighted at Espion’s recent 101 Series on App Security, with attendees agreeing it is a growing concern in their organization.

Without doubt apps and cloud solutions such as Basecamp, Salesforce, Dropbox and Google Apps are great for productivity and flexible working. However, organizations need to be highly cognisant of the potential downside these time-saving, skill-boosting, collaboration-enhancing, process-streamlining (and more) apps and software pose to corporate information.

Espion’s app security expert, Michael Romain, explains: “From loss of confidential data, disclosure of credentials, privacy violations and breach of compliance, organizations need to consider what impact inadequate app security could have on their data protection obligations. This is because insecure mobile apps can leak device information, thus exposing it to third parties, or can store or transmit sensitive information unencrypted, or in another insecure manner, making a compromise more likely.

It is paramount that CIOs take heed of the growth in consumer market technologies within the enterprise and recognise this trend will continue to evolve. Organizations should plan and address the organizational governance and security aspects surrounding devices, apps and software.”

According to a recent report from Arxan Technologies, 97 percent of the top 100 paid Android apps and 87 percent of the top 100 paid Apple iOS apps have been hacked. This report also highlights evidence of widespread hacking of financial services, healthcare/medical and retail/merchant apps, largely driven by hacks of Android apps.
When it comes to protecting your data’s confidentiality, integrity and availability, your resources and your reputation, here are ten things Espion recommends that organizations consider:

1. Monitor your network to keep track of what shadow IT is lurking in your systems
By continuously scanning and monitoring your network you will be able to identify shadow IT and keep track of what’s going on.
To identify the cloud services being used outside of IT’s scope you can process log data from your firewalls, proxies, SIEMs and mobile device management products.

2. Quantify the risks by knowing who has access to your corporate data.
A key concern should be corporate data access and data confidentiality issues. By identifying and understanding what data you are processing, transmitting and storing you can classify data into categories such as confidential, internal organizational use only, public etc. This will help you ensure the right levels of controls are used to protect the data.

3. What’s the policy?
Consider having an ‘acceptable use policy’ that states what apps, software and devices can be used in the workplace, what part of the network they are allowed to access and what security procedures and protocols they must adhere to.

4. Make use of ‘intelligence’ resources that are available to find out about these apps
Currently there are exciting new trailblazing technologies that help enterprises determine the ‘trust’ level of apps with all-in-one app risk management services and global databases of analysed public and private apps. Apps can then be blocked based on your risk appetite and enterprise policies.

5. Communicate the risks to stakeholders
Explain to colleagues that when they deploy shadow IT the configuring and managing process (applying patches, authentication and access controls as well as security testing) falls outside the organization. That makes organizations and their reputation vulnerable. It is also important to be aware that using external (non-enterprise) versions of online file-stores, for example, may result in loss of access control over data, given that applications that do not remain directly in the control of centralised IT functions are often overlooked as part of the ‘leavers / termination’ processes.

Enforce the use of approved applications only: those which meet enterprise standards. And when necessary restrict network access to workers who fail to comply.

6. Fear free apps
While workers may think they are saving money by opting for free apps, these technologies generate revenue by sharing user data with third parties such as ad networks, which impacts on overall app security and privacy. If you are not paying for the app, you and your company data are the product.

7. Look for solutions to secure these apps and clouds
When it comes to controlling the extended enterprise, simply and securely, find a solution that can streamline wide-scale deployments by securing or restricting apps automatically.

8. Don’t overlook licensing agreements
Shadow software and apps challenge software asset management compliance. What would your organization do if unapproved software spurred a compliance / regulatory audit with the risk of fines?

9. Work with employees to tackle this issue
Aim to work with employees to tackle this issue and have a clear dialogue with business stakeholders about their business challenges and requirements. IT should ultimately be enabling the business to work better and smarter at a known level of risk which is accepted by the business.

Remember to build awareness around the hazards of shadow IT into your company-wide security awareness and training.

10. Perform security testing regularly
Evaluate device security and usage of apps periodically.
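The first recommendation above (identifying shadow IT from firewall, proxy and SIEM logs) is the one that lends itself to a concrete check. The following is an added example, not Espion’s tooling or anything referenced in the article: it parses a handful of constructed web-proxy log lines, maps each destination to a known cloud service, drops the services IT has sanctioned, and reports the rest by user, request count and bytes uploaded. The log format, the allowlist, the service catalogue and the two-label suffix table are all assumptions made for this illustration; a real deployment would read the actual proxy format and use the Public Suffix List rather than the tiny stand-in here.

```python
"""Added example: surface unsanctioned SaaS usage from web-proxy logs.

Everything below (log format, sample lines, allowlist, service catalogue) is
constructed for illustration and is not Espion's or any vendor's code.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log excerpt. Assumed format, one request per line:
#   <epoch> <client_ip> <user> <method> <host:port | url> <bytes_sent_by_client>
SAMPLE_LOG = """\
1417996800.123 10.1.4.22 alice CONNECT www.dropbox.com:443 2400000
1417996801.456 10.1.4.22 alice GET http://app.salesforce.com/home 1200
1417996802.789 10.1.4.31 bob CONNECT content.dropboxapi.com:443 8100000
1417996803.012 10.1.4.57 carol CONNECT basecamp.com:443 5400
1417996804.345 10.1.4.57 carol GET http://www.bbc.co.uk/news 900
1417996805.678 10.1.4.31 bob CONNECT drive.google.com:443 31000000
malformed line that should be skipped, not crash the report
"""

# Assumed allowlist of IT-approved services, keyed by registrable domain.
SANCTIONED = {"salesforce.com"}

# Assumed catalogue of cloud services (a real one would be far larger).
KNOWN_SAAS = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "basecamp.com": "Basecamp",
    "google.com": "Google Apps",
    "salesforce.com": "Salesforce",
}

# Minimal stand-in for the Public Suffix List so that www.bbc.co.uk maps to
# bbc.co.uk rather than co.uk. Production code should use the real list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<bytes>\d+)$"
)


def host_of(target: str) -> str:
    """Hostname from either a CONNECT 'host:port' or a full URL."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def registrable_domain(host: str) -> str:
    """Collapse subdomains (content.dropboxapi.com -> dropboxapi.com)."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_shadow_it(log_text: str):
    """Aggregate unsanctioned cloud-service usage.

    Returns (report, skipped) where report is a list of dicts sorted by
    bytes uploaded (largest first) and skipped counts unparseable lines.
    """
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        domain = registrable_domain(host_of(rec["target"]))
        service = KNOWN_SAAS.get(domain)
        if service is None or domain in SANCTIONED:
            continue  # unknown site or an IT-approved service
        entry = usage[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes"]
    report = [
        {"service": s, "users": sorted(e["users"]),
         "requests": e["requests"], "bytes_out": e["bytes_out"]}
        for s, e in usage.items()
    ]
    report.sort(key=lambda e: e["bytes_out"], reverse=True)
    return report, skipped


if __name__ == "__main__":
    found, bad = find_shadow_it(SAMPLE_LOG)
    for row in found:
        print(f"{row['service']:<12} users={','.join(row['users']):<12} "
              f"requests={row['requests']} bytes_out={row['bytes_out']}")
    print(f"skipped {bad} unparseable line(s)")
```

Ranking by bytes sent from the client, rather than by request count, is deliberate: a single large upload to an unapproved file store is the event most relevant to the data-loss and “leavers” concerns raised under item 5, whereas request volume mostly reflects chatty web apps. Note also that the malformed line is counted and skipped rather than aborting the run, since log feeds from firewalls and proxies routinely contain truncated or rotated lines.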

[1] Gigaom Research and CipherCloud report November 2014


•Date: 9th December 2014 • World •Type: Article • Topic: Enterprise risk management
