In this article, Carmen Nunez, ELMO’s Senior Information Security Manager, shares her expert insights into cybersecurity, the challenges and risks of shadow IT, and how to manage risky employee behaviour to ensure your organisation is cyber-resilient.
Safeguarding the organisation with cyber security standards
ELMO’s latest Employment Sentiment Index (ESI) report found that 51% of employees are concerned about the theft of their personal information at work. Even more concerning, the survey of 1,000 Australian workers found that just under a third of employees worry about falling victim to a phishing attack at work.
Carmen highlights the necessity of staying up to date with the latest cybersecurity practices, including achieving ISO 27001 certification – the internationally recognised standard in information security. The ISO 27001 standard has existed in its current form since 2005 with only two revisions, one in 2013 and one in 2022. Its longevity is a testament to the robustness of its security controls.
“The ISO 27001 standard makes you look at security from an overarching perspective; its security controls are designed to be applied to all parts of an organisation,” she says.
ISO 27001:2022 has increased its focus on threat intelligence, data leakage prevention, the use of cloud services, business continuity and information deletion. Carmen says these new security controls are helping companies to safely navigate the evolving threat landscape.
Organisations don’t just have to worry about direct cyberattacks but also about employee behaviour and possible vulnerabilities introduced by supplier tools.
ELMO’s holistic approach to cyber security emphasises maintaining a complete understanding of all the supplier tools used in the organisation.
“Because this is where the biggest risk can enter an organisation,” says Carmen, “especially in the age of shadow IT.”
The dangers of shadow IT
Shadow IT – that is, the use of information technology systems, devices, software, apps, and services without explicit IT department knowledge or approval – is a major challenge for organisations trying to mitigate the risk of cyberattacks. ELMO’s ESI report found that a quarter (26%) of employees admit to using apps, software or devices that haven’t been approved by their company. Not only does shadow IT increase the risk of attack, it makes it impossible for a business to take effective action in the event of an attack.
Processes and standard operating procedures for onboarding new suppliers and reviewing existing suppliers are integral to maintaining the organisation’s cyber security posture because they outline expectations and explain how to prevent risks from becoming realities.
Cyberattacks can originate anywhere in the organisation, which is why having procedures for implementing new technology is so important.
Carmen points out that it’s common for those procedures to be ignored even if they exist.
“This is where the functional areas of the business tend to bypass IT protocols as they want a new tool, buy it and start using it, or download a free trial and begin uploading sensitive personal information or company IP,” she says.
In many cases, these acts may stem from a place of proactive initiative or practicality, but they open critical cyber gaps in a company’s defences. While the employees may be trying to solve one problem, they’re often creating a larger one, especially if they are unaware of the security risks their actions could precipitate.
How to mitigate shadow IT risks
So, how do you avoid shadow IT creeping into your workplace?
Employee education is a great place to start and understanding the ‘why’ helps to drive this home.
ELMO’s ESI report revealed that more than half of businesses don’t provide training courses or education to staff about shadow IT, which highlights a quick and easy win for many organisations. Educating your employees about the risks associated with using or purchasing unauthorised tools and software at work is a great place to start.
But even with diligent employee education, shadow IT can still be an issue. In these cases, a multifaceted approach may be more beneficial in protecting your organisation, including:
- Incorporating monitoring systems that can identify new unauthorised tools in use and raise alerts.
- Only allowing the use of company laptops. These have the right security controls and are regularly updated with the latest anti-virus and anti-malware protections.
- Using a separate BYOD Wi-Fi network for personal devices, thereby segregating them from, and protecting, your corporate network.
- Using tools such as Trend Micro to detect unusual IP addresses.
- Once an unauthorised tool is detected, working with the employee to remove it safely.
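The first item in the list, a monitoring system that spots new unauthorised tools, is the one most easily illustrated in code. The following Python script is an added example, not ELMO’s own tooling: it reads constructed outbound proxy log lines, checks each destination against an approved-supplier inventory (hypothetical hostnames), and raises a per-user alert for any unapproved service, marking sustained uploads that match the “upload sensitive data to a free trial” pattern Carmen describes.

```python
import re

# Constructed approved-supplier inventory (hypothetical hostnames). In practice this
# is the supplier register maintained through the onboarding process described above.
APPROVED_SUPPLIERS = {
    "hr.example-elmo.com": "HR & Payroll platform",
    "slack.com": "Team chat",
    "trendmicro.com": "Endpoint protection",
}

# Constructed sample outbound proxy log: "<timestamp> <user> <destination host> <bytes sent>".
SAMPLE_PROXY_LOG = """\
2024-05-01T09:02:11Z alice hr.example-elmo.com 1200
2024-05-01T09:05:43Z bob freetrial-notes.example 480000
2024-05-01T09:06:02Z alice slack.com 2100
2024-05-01T09:40:17Z bob freetrial-notes.example 910000
2024-05-01T10:01:09Z carol cdn.slack.com 300
2024-05-01T10:12:55Z dave share.bigupload.example 2500000
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def is_approved(host, approved):
    """True if host is an approved supplier domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in approved)

def find_unapproved(log_text, approved=APPROVED_SUPPLIERS, upload_threshold=100_000):
    """Aggregate traffic to unapproved destinations per (user, host) and return alerts
    sorted by first sighting; bytes sent above upload_threshold flags a possible upload."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected proxy format
        ts, user, host, sent = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if is_approved(host, approved):
            continue
        entry = seen.setdefault((user, host), {"user": user, "host": host,
                                               "first_seen": ts, "hits": 0, "bytes_out": 0})
        entry["hits"] += 1
        entry["bytes_out"] += sent
    alerts = sorted(seen.values(), key=lambda e: e["first_seen"])
    for a in alerts:
        a["possible_upload"] = a["bytes_out"] >= upload_threshold
    return alerts

if __name__ == "__main__":
    for a in find_unapproved(SAMPLE_PROXY_LOG):
        print(f"ALERT {a['first_seen']} {a['user']} -> {a['host']} "
              f"hits={a['hits']} bytes_out={a['bytes_out']} upload={a['possible_upload']}")
```

Each alert is the starting point for the last item in the list: contact the employee, find out what data went to the tool, and either onboard the supplier properly or remove it.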
Carmen says it’s important to understand that the threat of shadow IT doesn’t stop with your employees.
“You may go through all of the correct processes of selection and security reviews, yet you could still have a supplier-initiated data breach,” she says, adding that this is something ISO 27001:2022 seeks to address.
“One of the requirements of the new ISO standard is information deletion,” she says. “You must know all of the information that you maintain in your business, you must know where it is stored, you must have a business purpose for keeping it, and have a deletion process for information you don’t need to retain.”
That means understanding all the supplier tools you use, what information they hold and making sure their retention policies meet the requirements of your business. It’s much easier to deal with and contain the impact of a supplier data breach to your business when you know exactly where the tool is, what it’s used for, what it connects to, and what information it holds.
The constant threat of phishing
While shadow IT is an important threat vector, phishing also poses a threat to organisational systems. Phishing is a technique used by cyber criminals to try to gain personal information such as passwords and/or bank details by sending you an email or an SMS from what appears to be a legitimate business or person. When phishing occurs on work computers or systems, it leaves the entire organisation vulnerable.
About a third (31%) of employees surveyed for the ESI report say they are unsure how to protect themselves against a phishing attack. The need to improve and provide comprehensive cyber education is clear.
“There’s a shared responsibility when you’re using tools,” says Carmen. “From ELMO’s perspective, we are ISO 27001:2022 certified and we have robust security controls. However, our customers use our HR & Payroll platform and give their users access. It is their responsibility to make sure that those employees have the level of access they require for the duration of their employment and when they leave an organisation, their access is terminated.”
Phishing is something that needs constant attention because of how common and pervasive it is. At ELMO, cybersecurity training and prevention is baked into our learning and development schedule.
“One of the courses we offer to our Learning customers is Social Engineering and Phishing Awareness. All ELMO employees complete this course, and in addition we do monthly phishing tests on a random sample of our employees,” Carmen says.
“We also have a security awareness Slack channel where our employees can share any phishing scams they’ve seen, to warn others against them.”
Closing the door on cyber risks
Carmen’s insights remind us that the challenges we are facing are significant and ongoing.
“From a cybersecurity perspective, external threats are becoming more prevalent,” she says. “You have to know all possible points of entry into your organisation and maintain the appropriate controls; this is why shadow IT can open a door you didn’t even know existed.”
Cyber threats will continue to evolve, and our approaches to managing and mitigating these risks must also evolve. Awareness and education programs, along with adopting the right technology and guidelines, form a solid foundation for a robust cybersecurity framework.
With the correct strategic approach and secure tools like those offered by ELMO, organisations can protect themselves, reduce risky IT behaviour among their employees, and turn those challenges into opportunities to improve and strengthen their security.