This company scanned its network and was shocked

Tuesday 20th February 2018
Nigel

Late last year, we consulted with a company that was concerned about GDPR compliance. The IT department's big worry was that users might be storing customer or supplier data on cloud services, for instance CRMs or data storage sites, that were not GDPR compliant.

They were right. When we deployed Ampliphae's technology on their network, we found that staff were doing exactly that. Some of the marketing staff had signed up for a popular CRM and marketing automation dashboard that promises it will be GDPR compliant some time soon, but isn't yet. And some of the product managers were using a mass emailer that definitely isn't GDPR compliant.

In both instances the company had used Ampliphae's technology to, potentially, save itself both embarrassment and financial loss. We were able to help employees migrate to approved alternative SaaS services. And because the network continues to be protected by Ampliphae, the company will spot any future non-compliant usage before it becomes a problem.

So far, so good. But that's not where the story ends.

What's this IP address?

Towards the end of the job, we noticed some strange traffic coming from the mobile sales team. These guys are often on the road and don't generally use a VPN, which is why we hadn't spotted it on the first pass.

All but three of the sales laptops were regularly connecting to an unidentified external IP address in Eastern Europe. If I ever wanted to see an alarmed IT director, that was the day for it. We pulled all the laptops in for inspection.

It turned out that the IP address was the updates server of a little-known freemium anti-virus application — one that definitely had not been validated and authorised by IT and compliance. In a lethal combination, the sales laptops were both slow and weren't particularly well locked down.

One of the sales guys had decided that his AV software was slowing down his PC, so he'd uninstalled it and substituted a free and light-weight alternative. He liked it. So, he recommended it to all his colleagues.

To do its job, anti-virus must have complete access to Windows at the lowest possible level. Essentially, these guys had given an unknown actor the keys to their PC — and from there, to the company network.

What's on your network?

In the end, it could have been much worse. The anti-virus, though of unknown quality, proved on investigation to be legitimate. The IT department uninstalled it, re-installed the approved anti-virus and committed to upgrading the sales laptops as soon as possible. Everyone was happy.

But the outcome need not have been so benign. There are plenty of spoof anti-virus programs on the market that look and, superficially, act like the real thing. Often, companies we visit find there are four or five non-authorised AV programs on the company network.

That's before you start looking for the many other unauthorised types of software and SaaS client — there are at least 15,000 B2B SaaS applications currently in the wild — that we often find installed on client networks.

GDPR compliance is currently a hot topic. And, make no mistake, it's an important one. No one can easily afford those fines. But in many ways, it's only the tip of the iceberg. The risks associated with unmanaged SaaS usage range from potentially ruinous unplanned licence fees to serious security breaches.

It's time business got serious about what is or could be on our networks.