Among the findings of the Committee of Inquiry (COI) that looked into the massive SingHealth data breach was the startling fact that a non-IT staff member was tasked with managing the server which was exploited by the perpetrators to steal the personal data of 1.5 million people.
Taking the witness stand yesterday was Tan Aik Chin, a senior manager responsible for the cancer service registry at the National Cancer Centre, who admitted that he had limited understanding of IT security and had inherited the server from someone else.
And because the server was not directly managed by SingHealth’s designated IT supplier, Integrated Health Information Systems (IHiS), there was no visibility into its security posture, and whether or not it was patched regularly in accordance with existing security policies.
The server had in fact remained unpatched for 14 months, exposing software vulnerabilities that the perpetrators latched onto to install malware and facilitate their data exfiltration efforts.
This is an example of how shadow IT can pose a serious threat to IT security – not in the classic sense of employees using their own software and computers to perform their jobs, but rather through the lack of visibility and control over all IT assets operating in the shadows.
Perhaps it is time to rethink the current definition of shadow IT, which limits organisational thinking to unsanctioned systems and software used by employees for work. After all, the security risk posed by a corporate-owned system that operates in the shadows is just as high as that of personal devices.
Instead, the focus should be on improving the visibility over every system, device and application that touches a network, whether they are employee-owned or corporate-sanctioned ones.