Apple’s Box security scare shows the risk of shadow IT

Until enterprise IT truly understands that its own internal systems need to be as easy to use as any iOS app and as easy to learn as an iPhone, potentially damaging data breaches will take place, threatening business confidentiality. Apple is not immune.

Apple and the human interface

The news is that information from some of the world’s biggest names in business – including Apple, Edelman and Discovery Channel – could have been accessed through Box Enterprise, which offers companies bespoke company name-based file archiving and sharing services using this URL construction:

https://.app.box.com/v/

The problem – according to a report on adversis.io – is that files stored on the service were liable to brute-force attacks. Certainly, this isn’t every user – most don’t use sharing links of this kind and the links used in Box (public) are not affected. However, for those that are, it is possible to guess file names and try to access them, apparently thousands of files (including confidential data) could be accessed in this way.

However, they needed to be files stored on the service that users chose to share with a public permission that were constructed in this way (see below).

To be fair, Apple employees who shared documents with others using public Box Enterprise links didn’t use an unauthorized application to do so – this was an officially used internal Apple tool.

Neither is Box to blame. The company took rapid action to remind users with best practice security advice very swiftly after the story appeared and says it is also working to fix this problem.

Box had previously warned users that URLs could be guessed and advised administrators to limit sharing to “people at your company” and to regularly check for public/open links. It even offers tools to create non-guessable links to content.

All the same, the scenario shows that convenience and apathy are strong bedfellows, making the argument that good security advice isn’t always good enough to ensure good security practice.

In the shadow IT

It’s the BYOD/Apple renaissance story all over again, of course.

Just as incoming employees expect to be able to use Apple kit at work, they also expect the software solutions they use to be accessible and intuitive.

That’s fine if your company has vetted and approved such use under company security policy, but what about the apps you haven’t checked?

It’s important to coalesce your solutions around where your people are.

After all, there are some applications employees just won’t live without. For example, over half of deskless workers use messaging apps like WhatsApp and Messenger for work-related activity on a daily basis, but less than one in five (16%) of them had informed HR of this use.

The same logic applies across the application matrix.

Mobile employee or in the office, most workers will use the solutions they find the most intuitive in preference to more complex apps – just because your enterprise offers a word processing tool that does everything doesn’t mean much at all if employees have identified an alternative solution that transacts the same task faster.

From their point of view, their time may be your money, but their time is precious, too, and the drive to ever increasing business productivity means stressed workers will seek out and use such shortcuts.

iPhone-using employees know Apple’s stores usually offer an “App for that.”

Be where they are

Empowering strong security policy requires a realistic approach.

Your employees are going to use solutions that they are used to, so it makes sense for security teams to vet those so they can offer strong security advice to ensure what happens on social media stays on social media – and that enterprise secrets never, ever make it there. The same applies to any other service.

It’s not sufficient to dispense an authoritarian, top-down selective approach to employee choice – it’s more essential, and more useful, to provide accurate risk assessment, best practice advice and to block some of the worst security offenders (including surveillance capitalist networks) from your internal networks.

MDM, sandboxing content, efficient file-sharing controls, geolocation of assets and even AI protections across intranet and internal company networks may help prevent and/or identify poor security practices.

However, so long as the systems you provide are harder to use than the many highly popular publicly available alternatives, you’re always going to have a shadow IT problem – and the least you can do for those services your company does support is read the small print rather than assuming everything is beautiful straight out of the box.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.