"Shadow apps" put corporate IT at risk
The use of apps by employees poses major challenges for security managers in companies. Five examples show why the proliferation of mobile shadow IT must be contained.
Today, employees communicate with customers via WhatsApp or use apps such as Dropbox or Google Drive to share and edit documents. The largely uncontrolled and unauthorized use of this mobile shadow IT enlarges the attack surface, especially when employees use the same device for work and private purposes, for example under BYOD (bring your own device) or COPE (corporate-owned, personally enabled) models. Such apps are often unsecured, give attackers a way into the company "through the back door" and, in the worst case, expose company data. The uncontrolled use of assorted apps also sidesteps legal regulations and compliance requirements.
The security specialist Virtual Solution lists the five biggest risks posed by "shadow apps":
- Unencrypted emails: Business emails sent from a private smartphone give attackers valuable insight into the company, from the subject line and message body to attachments containing internal documents. The problem usually lies in inadequate protection: there is no end-to-end encryption of the messages, and the security of public Wi-Fi networks is not sufficient to stop the data from being intercepted. No company wants its secrets to be read and forwarded in unencrypted emails.
- Data-hungry apps: Alongside targeted attacks by criminals, there are also "legal" routes for information to leak. Many apps have built-in functions for data exfiltration, i.e. the extraction of data. In the case of WhatsApp, for example, this is its access to the device's contact list, which may also hold business contacts. This can breach the GDPR, which stipulates that personal data may not simply be processed and passed on without a legal basis such as consent. As a consequence, the company no longer has full control over the data: it can neither document where the personal data is stored nor delete it. The GDPR likewise forces a strict separation of private and business data. Companies that fail to comply can face hefty fines. Those responsible must be clear that WhatsApp is not permitted for business use.
- Storage of sensitive documents: If employees keep documents containing sensitive company data on their mobile devices, the risk of that information falling into the wrong hands in the event of theft is high. In the worst case, if the device is not encrypted and locked, anyone who picks it up can read the data. Moreover, if a device is lost, damaged or stolen, any data stored only on it is gone unless it has been backed up. A data loss of this kind does immense damage to a company's reputation.
- Phishing attacks in the browser: Criminals now present deceptively faithful copies of legitimate login pages in the browser. The unsuspecting user then enters his or her credentials on the fake site. The fraudsters can use the captured credentials for an extortion attempt, for example, or publish them on the Internet.
- Departing employees: Employees who leave after a dispute often feel they have been treated unfairly and may want to take revenge on their former employer. If their private smartphone still holds company data, they have plenty of ammunition for retaliation that can cause enormous damage to the company, both financially and in terms of reputation.
Great carelessness
The carelessness of employees when using smartphones and tablets is often due to a lack of knowledge, which makes training all the more important. It is just as important to involve the individual departments in selecting tools; only then can useful apps be provided while security standards are upheld. One solution that is easy to use and to roll out is a container app. It creates an encrypted area on the mobile device that other apps on the same device cannot access, so that business data stays separate from private apps.
Four tips
"My tip to companies: First, control IT usage. Second, sensitize and train your employees. Third, find out the reasons for mobile shadow IT. Fourth, allow instead of forbid: offer attractive alternatives. At the end of the day, there is only one solution to the problem of shadow IT: the IT department must provide employees with the applications they need for their work and which are easy to use," explains Günter Junk, CEO of Virtual Solution AG.
Source: Virtual Solution press release