Tag Archives: Shadow IT

Consider Hiring an ‘IT Whisperer’

Insurers come in all shapes and sizes, from Tier 1 monolithic operations to the smallest captives and self-insured groups. One thing has become clear to me in the 30-plus years I've served this industry: regardless of size, many insurers do not fully understand their technology requirements. I'm not saying this because I want to sell them something they don't need; I'm saying it because I've sat with hundreds of carriers over the years that suffer from a lack of direct experience, or of the vision required to recognize the need for improved processes and the technology solutions to support them.

This is especially true of small to mid-sized carriers, where budgets are fixed and IT staff is often stretched, leaving little room for ad hoc solutions, much less vision. Here, "shadow IT" is often the norm: because of labor constraints, employees wear many hats, and people in positions outside IT end up catching and solving IT problems. Shadow IT can represent a real and present challenge to insurers of all sizes because it often fosters a band-aid approach: well-meaning but inexperienced employees make minor, temporary improvements to address major, long-term problems. Once the band-aid falls off, the damage is done, the technology solution provider (vendor) is called in, and the fix that's required is often immediate and expensive.


This dilemma sometimes makes the vendor look like the bad guy, especially if the vendor is opportunistic and leverages the insurer's misfortune to "fix" the problem with solutions the carrier might not really need. Further, it's difficult to remedy problems that the insurer is in denial about. Sometimes a simple technology needs assessment helps uncover where the problems originate. But remember that determining technical requirements begins with evaluating business requirements, which means looking at existing processes, and those processes depend on the very technical capability that is lacking in the first place. You can see why firefighting becomes the preferred mode: let's just fix it so we can keep working.

If we back up the discussion a bit, we see that the insurer’s real, primary need is for education. The vendor that is interested in becoming a trusted partner has an obligation to sit with the insurer and work together on confirming the business goals, then applying usage analysis and system requirements. In this way, the vendor becomes something akin to the “Dog Whisperer,” the seasoned canine expert on cable TV who tames otherwise unruly pets by noting that “it’s not the dog’s fault—it’s his owners who need to better understand his requirements.”

When the technology solution provider connects with the insurer in a way that exposes the essence of the problem and provides the information and steps necessary to solve it for the long term, it removes the need for crisis-mode operations. In most cases this means a big change to the insurer's existing processes, but the trusted partner doesn't walk away from that challenge either, because in almost every case the new processes free up employees' time to focus on providing more value downstream.


Taking the “Dog Whisperer” approach, we have learned from our customers’ use cases and implementation histories and bring the experience to each implementation analysis. We sit down with carriers to help them better understand their objectives and requirements, where the technology and process roadblocks are and what the potential is for that important long-term fix.

Use of Cloud Apps Creates Data Leakage

A large U.S. cable television company recently sought to better understand how its employees were using cloud apps to stay productive. Management had an inkling that workers routinely used about a dozen or more cloud file sharing and collaboration apps.


An assessment by CipherCloud showed the employees actually were using 204 cloud services that posed a security risk: 78 cloud storage apps and 126 collaboration apps, many of which included file-sharing functions.

Emerging risk: A major concern for the cable company was that sensitive information about customers and employees could leak unnoticed beyond its network perimeter.

Free cloud file storage makes it convenient to share data quickly and widely. The company learned that sensitive files had been moved into folders accessible to people who should not have had access to the information.

Wider implications: Like many organizations, the cable company routinely stores customer transactions data as well as employee healthcare data covered by HIPAA privacy rules. The rising use of free Web apps by employees has created many more opportunities for data leakage and could lead to sanctions and fines – or, worse, an embarrassing, expensive data breach.

The cable company set up sanctioned accounts with a popular cloud storage service, Box, for employees to use. It also has begun examining other steps it can take to impose tighter controls around sensitive company records.

Excerpts are from ThirdCertainty’s interview with Willy Leichter of CipherCloud. (Answers edited for length and clarity.)

3C: Can you outline how the rising use of cloud apps in the workplace is creating security issues?

Leichter: A typical process is one person sends you something from a Dropbox account, and suddenly you become a Dropbox user. Or, often, departments will say, “OK, we’re going to use Dropbox or Hightail for this particular project,” and it kind of grows department by department. It grows virally.

The challenge is the very nature of the whole file-sharing world. It’s like Swiss cheese. It’s designed to be very easy to share and to open up public links and to let another person in.

That’s where this cable company approached us. They had about a dozen different things they knew about and wanted to standardize.

3C: You found a lot more than a dozen cloud apps in use.

Leichter: We found well over 1,000 cloud apps, what we call shadow IT apps, that they were using. We have about 20 different categories of such apps; it could be software development tools, or it could be social tools. In one category, file-sharing tools, we found more than 120 apps. This one category is probably the most actionable category because file sharing involves sending people documents.

3C: How did this discovery help the cable company?

Leichter: They were trying to do two things. They were trying to standardize on two or three different file-sharing services and use monitoring tools on them. And they also wanted to shut down the worst offenders, which you can do easily enough.

3C: In general, what kinds of malicious or worrisome activity are you seeing in shadow IT?

Leichter: It’s kind of a spectrum. Officially sanctioned apps are being scanned in real time, using tools we and others make. That’s kind of a new world. We can give you all kinds of detail about who’s using all these apps. Then there’s the other 90% of the apps in shadow IT.

Anomalies can be where someone is sending huge amounts of files to some strange apps. Or someone is downloading stuff they shouldn’t be at two in the morning. Or it could be multiple people using the same account from different IP addresses. Someone is logging in from San Jose and then an hour later they’re logging in from Beijing. You can spot a lot of these and take steps to shut them down.

3C: What else surprised the cable company?

Leichter: One of the things they learned is why people were doing this. For the most part, it was because the company wouldn’t pay for them to use an account. So they were account hopping from one freebie to the next. It was because people just did not want to pay for stuff.

So now the company is trying to steer people to use better practices through outreach and education. And it also is buying them accounts.
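The discovery step and the anomaly patterns Leichter describes (bulk transfers to unsanctioned apps, downloads at two in the morning, one account seen from San Jose and then Beijing an hour later), as an added example that is not part of the interview and is not CipherCloud's tooling: a small Python script that inventories cloud services from proxy/CASB-style access records, separates them from a sanctioned set (Box, per the article), and flags each of those patterns. The log format, the sample records, the IP-to-location table standing in for a GeoIP lookup, and the thresholds are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical proxy/CASB export format (not real data):
# timestamp user src_ip service category action bytes
SAMPLE_LOG = """\
2015-06-01T09:12:00 alice 10.1.2.3 box.com file_sharing upload 120000
2015-06-01T09:40:00 bob 10.1.2.9 dropbox.com file_sharing upload 95000000
2015-06-01T10:05:00 carol 10.1.2.7 hightail.com file_sharing upload 4000000
2015-06-01T10:30:00 dave 10.1.2.8 box.com file_sharing download 300000
2015-06-01T11:00:00 alice 10.1.2.3 github.com dev_tools upload 50000
2015-06-01T11:30:00 bob 10.1.2.9 twitter.com social upload 1000
2015-06-01T13:00:00 erin 203.0.113.5 box.com file_sharing download 20000
2015-06-01T13:45:00 erin 198.51.100.9 box.com file_sharing download 20000
2015-06-02T02:10:00 frank 10.1.2.4 box.com file_sharing download 70000000
"""

# Constructed prefix-to-location table standing in for a GeoIP lookup (assumption).
GEO = {"10.": "HQ", "203.0.113.": "San Jose", "198.51.100.": "Beijing"}

# The article says the company standardized on Box; treat it as the sanctioned service.
SANCTIONED = {"box.com"}


def locate(ip):
    """Map a source IP to a coarse location via the constructed prefix table."""
    for prefix, city in GEO.items():
        if ip.startswith(prefix):
            return city
    return "unknown"


def parse_log(text):
    """Parse the whitespace-separated export into dicts, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, service, category, action, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "service": service, "category": category, "action": action,
            "bytes": int(nbytes),
        })
    return sorted(records, key=lambda r: r["ts"])


def inventory(records):
    """Discovery: distinct services seen per category."""
    by_cat = defaultdict(set)
    for r in records:
        by_cat[r["category"]].add(r["service"])
    return {cat: sorted(s) for cat, s in by_cat.items()}


def unsanctioned_file_sharing(records):
    """File-sharing services in use that are not on the sanctioned list."""
    return sorted({r["service"] for r in records
                   if r["category"] == "file_sharing" and r["service"] not in SANCTIONED})


def bulk_uploads(records, threshold=50_000_000):
    """Uploads of at least `threshold` bytes to a service outside the sanctioned set."""
    return [(r["user"], r["service"], r["bytes"]) for r in records
            if r["action"] == "upload" and r["service"] not in SANCTIONED
            and r["bytes"] >= threshold]


def off_hours_downloads(records, start=22, end=6, min_bytes=10_000_000):
    """Sizable downloads between `start` and `end` hour, in the log's local time."""
    hits = []
    for r in records:
        h = r["ts"].hour
        night = h >= start or h < end
        if r["action"] == "download" and night and r["bytes"] >= min_bytes:
            hits.append((r["user"], r["service"], r["ts"].isoformat()))
    return hits


def impossible_travel(records, window=timedelta(hours=1)):
    """Same account seen from two different locations within `window`."""
    last_seen = {}
    hits = []
    for r in records:
        loc = locate(r["ip"])
        prev = last_seen.get(r["user"])
        if prev and prev[1] != loc and r["ts"] - prev[0] <= window:
            hits.append((r["user"], prev[1], loc, r["ip"]))
        last_seen[r["user"]] = (r["ts"], loc)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("services by category:", inventory(recs))
    print("unsanctioned file sharing:", unsanctioned_file_sharing(recs))
    print("bulk uploads to unsanctioned apps:", bulk_uploads(recs))
    print("off-hours downloads:", off_hours_downloads(recs))
    print("impossible travel:", impossible_travel(recs))
```

The travel check compares resolved locations rather than raw IPs, so address churn inside one office (NAT pools, DHCP) does not fire it; the byte and hour thresholds are placeholders and should be set from a baseline of the organization's own traffic before the alerts are trusted.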