Microsoft case shows users must watch those Ts & Cs

The fact that Microsoft read the Hotmail emails of a US blogger to find evidence against an ex-staffer accused in Federal Court of stealing trade secrets has highlighted the security weaknesses of such shadow IT applications and the need for businesses to get professional about their use.


Hands up anyone who has ever simply ticked the box accepting the online licence or the Ts & Cs of a new product they just want to get working as soon as possible? That must cover most people, at least once in their lives. Yet a recent case has made it clear that those Ts & Cs can contain some significant security issues that might mean a product is best left well alone.

The case in question is that of ex-Microsoft staffer Alex Kibkalo, who is currently facing Federal charges alleging he stole trade secrets from the company. In an effort to gather evidence against him, Microsoft accessed the Hotmail account of an anonymous US blogger.

Last week Microsoft, which owns the Hotmail email service, acknowledged that it read the anonymous blogger's emails after it suspected one of its employees was leaking information, saying that it had to take ‘extraordinary actions in this case’.

This has, not surprisingly, caused consternation and surprise in many quarters, not least because most users would assume the company’s Ts & Cs would specifically prohibit such an activity. But according to Skyhigh Networks, a cloud visibility company which evaluates and ranks the security credentials of services like Hotmail, such activity is far more common across the board than most users might suspect.

Charlie Howe, director, EMEA at Skyhigh Networks, believes that this is a classic example of the hidden terms and conditions that exist within many cloud providers’ services.

“Though described as an ‘extraordinary action’, similar incidents of cloud service providers accessing our confidential data are far too common,” he suggested. “The problem is, this is a technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not. For instance, I would guess that most people don’t actually read the full Terms and Conditions before using a new application, and they would probably be surprised by what they are actually agreeing to when they click the ‘accept’ button on certain cloud services.

“A bigger problem arises when these cloud services are used in a business capacity, posing a significant risk in terms of data ownership and confidentiality. Modern CIOs are struggling with a dilemma, as they are faced with requests from employees wanting to use agile and flexible cloud services for work purposes, while trying to manage the associated risk, security and privacy concerns.

“However, in spite of this, there is a growing trend for employees to take matters into their own hands, downloading and using a variety of user-friendly, intuitive applications which often fly under the radar of CIOs, CISOs and IT teams. This concept of Shadow IT is putting organisations at risk of cyber-attack and data loss, as organisations often lack the visibility and control required to manage risk, ensure cloud governance and confidently enable cloud services.

“With such a diverse, disparate workforce, today’s organisations really need to have the visibility to measure and manage unauthorised cloud usage across their networks – but without the right tools, this can be time consuming and inaccurate. By employing services that assess and evaluate the enterprise readiness of each individual cloud service – effectively ranking them in terms of privacy and risk – IT teams can strike a balance between keeping employees happy and preserving the integrity of sensitive data within the organisation. By taking time to truly understand the conditions to which they are agreeing, organisations can rest in the knowledge that only enterprise ready cloud services are being used by employees.”

Getting professional about shadow IT also involves both businesses and employees themselves taking a measure of proactive responsibility, especially since situations they might consider remote possibilities are in practice likely to be far more probable.

This can include defining a number of complementary steps, such as a mix of properly applied policies across the organisation; a process through which employees can nominate and demonstrate their suggested applications for proper assessment by the business; and a common sense approach by staff to using new applications that have not come from their employer’s list of approved products.

Even for small businesses, therefore, such policies must include a clear indication that running shadow IT applications is an offence carrying significant penalties, including dismissal. There should also be a clearly defined and well-circulated ‘black list’ of applications and tools whose use for work purposes can be subject to disciplinary action.

But it must also include policies that make it clear to both the IT department and staff that the addition of new applications is a ‘good thing’ and to be encouraged, and that suggestions from staff are to be welcomed. What is more, evaluation of such suggestions is to be conducted openly and fairly, rather than on a ‘not thought of here first’ basis.
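The policy steps above (an approved list, a black list, and visibility into what cloud services staff are actually using) need some mechanical backing to be enforceable. The following is an added example written for this article, not code from Microsoft, Skyhigh Networks or the original author: it reads constructed web-proxy log lines in a hypothetical "timestamp user host bytes" format, classifies each destination host against a hypothetical approved list and black list (suffix matching so sub-domains inherit the parent's status), and summarises per-host users and data volume so that unknown services can be put forward for assessment and black-listed ones handled under the policy. All hostnames and log lines are placeholders constructed for the example.

```python
"""Shadow IT visibility check over web-proxy logs (added example)."""
from collections import defaultdict

# Constructed sample log lines (not real traffic). Format assumed for this
# example: ISO timestamp, user, destination host, bytes transferred.
SAMPLE_LOG = """\
2014-03-24T09:01:12Z alice mail.approved-vendor.example 5120
2014-03-24T09:02:40Z bob share.unknown-cloud.example 204800
2014-03-24T09:03:05Z carol webmail.consumer.example 8192
2014-03-24T09:04:51Z bob share.unknown-cloud.example 1048576
2014-03-24T09:05:00Z dave wiki.intranet.corp.example 1024
2014-03-24T09:06:30Z erin eu.webmail.consumer.example 4096
"""

# Hypothetical policy lists; a real deployment would load these from the
# organisation's approved-services register rather than hard-code them.
APPROVED = {"approved-vendor.example", "intranet.corp.example"}
BLOCKED = {"webmail.consumer.example"}


def host_matches(host, names):
    """True if host equals, or is a sub-domain of, any name in the set."""
    return any(host == n or host.endswith("." + n) for n in names)


def classify(host):
    """Return 'blocked', 'approved' or 'unknown' for a destination host.

    Blocked is checked first so a black-listed sub-domain of an otherwise
    approved service is still flagged.
    """
    if host_matches(host, BLOCKED):
        return "blocked"
    if host_matches(host, APPROVED):
        return "approved"
    return "unknown"


def parse_line(line):
    """Parse one log line into (user, host, bytes); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, host, size = parts
    try:
        return user, host.lower(), int(size)
    except ValueError:
        return None


def summarise(log_text):
    """Aggregate per-host status, set of users and total bytes."""
    summary = defaultdict(lambda: {"status": None, "users": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        user, host, size = rec
        entry = summary[host]
        entry["status"] = classify(host)
        entry["users"].add(user)
        entry["bytes"] += size
    return dict(summary)


def needs_attention(summary):
    """Hosts that are not approved, largest data volume first."""
    return sorted(
        (h for h, e in summary.items() if e["status"] != "approved"),
        key=lambda h: -summary[h]["bytes"],
    )


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for host in needs_attention(report):
        e = report[host]
        print(f"{e['status']:8} {host:35} users={sorted(e['users'])} bytes={e['bytes']}")
```

Sorting by volume puts the unknown service that is moving the most data at the top of the list, which is usually the one worth assessing first; the "unknown" bucket is where the nomination process described above would start, while "blocked" hits are a policy matter rather than a technical one.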

Finally, staff themselves must learn to be more self-aware of the applications they are considering using and of their history. Some have reached near-legendary status for their lack of security and for overall ‘flakiness’. Here, the idea of using them for any work processes should self-evidently be considered a bad move by any employee.
