The danger of Grey IT in companies

Lockdowns have changed our work habits a lot. Telecommuting has become far more common than it was just a year ago.

Because telecommuting was rolled out very quickly, new risks have appeared. Today, I would like to talk about Grey IT.

What is Grey IT?

Traditionally, the applications used in a company are listed in a service catalog.

For example, if your company uses Slack, the office IT department knows about it and will configure the application so that it complies with the company’s security and confidentiality standards.

But before the app is even installed, it is first reviewed:

  • By legal: The goal here is to check the terms of use, to see whether any clause could be detrimental to the company, such as information put into the app becoming public or no longer belonging to your company.
  • By security: The goal here is to check the application’s compliance with the security standards of your IS (information system). This can also mean reviewing the code if necessary, or running analyses (malware, known CVEs, etc.).
  • By accounting: An application always has a cost, visible or not (I will come back to this point), and it is important to check whether this cost is acceptable for your budget, or whether the need is already covered by an application you already have.

Grey IT is precisely the practice of bypassing these processes, which are often perceived as restrictive.

Their purpose is to secure your business, but from the outside they can look heavy and slow. Typically, to take my Slack example, I may have a need that Slack does not meet today, such as a whiteboard.

So, to meet my need, I create a personal Gmail account to use Google Meet and share whiteboards with my colleagues. Don’t worry, it’s free!

If it’s free, it means you are the product

My previous example is the case I’ve often come across: I have a need, a free product meets it, I take the product.

But here’s the thing: developing professional applications cannot be improvised. There are of course open source solutions hosted by their own communities, but these remain on the fringe compared with the many other applications that have the means to be more visible.

To take Gmail again, Google is not a non-profit organization. Its business is your data, your usage, your habits. That is how Google makes money while offering you a free service.

For some it will be a “freemium” model, like Slack which has a free offer, but which quickly shows its limits in business.

That’s why you have to study the business model and the contractual terms carefully before choosing an application, because it can sometimes backfire. Providing data about your business to a third-party company can:

  • Be dangerous (for example, for personal data covered by GDPR)
  • Allow this company to exploit your idea in your place
  • Let this company grow on the back of your work

Why is this a danger?

Using non-referenced applications poses several concerns:

  • Creation of a parallel IS
  • Added security risks from “exotic” applications
  • Added confidentiality risks
  • Increasing the overall budget, as several entities may purchase applications with overlapping needs, but on a smaller scale, not benefiting from volume pricing. It also means potentially having multiple applications that meet the same need.

I can’t count the number of times I’ve been shown the newest trendy application and upon digging deeper I’ve realized that it’s trendy but not at all usable in the current business context.

The most obvious example, in my opinion, is the case of Zoom. This application was a huge success at the start of the first lockdown, because it met real functional needs.

However, in terms of security, it was a disaster:

  • No end-to-end encryption
  • Zoom bombing: outsiders joining conferences uninvited, who at best disrupt your meeting and at worst stay quiet and conduct industrial espionage
  • Security flaws on user workstations that could lead to unauthorized access rights

We talked about this last June in the WeScale podcast [FR Link]!

Thus, under a normal company process, it would simply have been refused in many companies (indeed, Zoom is still banned in many of them); nevertheless, it was used a lot, because it was adopted outside these processes in order to respond faster to a need.

To conclude

Having new needs is normal in a company. However, it is important to follow well-defined processes when adding a new application to your IS.

This is how you secure your business and avoid simply losing value.

Also, it is important to keep an up-to-date inventory of the applications used and available, to avoid adding applications when the needs are already covered. Often, the Grey IT cases I have seen simply stemmed from that.