Most everyone is familiar with the expression, “If it sounds too good to be true, it probably is.” Yet few are heeding this cautionary tale as thousands of businesses and millions of people continue to fall victim to fraudulent schemes every year. The Internet has only accelerated the rate in which businesses and users are subjected to malicious behavior aimed at separating them from their money or critical information. Unlike traditional cons that require the victim to offer up their credit card information (a red flag for most), today’s Internet scams are more than happy to offer you the latest vulnerability for free.
This creates a new and interesting dilemma for Enterprise IT and IT Security teams to deal with inside any organization. Most companies are used to cost and security oversight as it relates to applications and software. The concept of free receives very little attention within the organization and few, if any, policies have been created to vet or track technology that doesn’t have a price tag attached to it.
Let’s look at the process most mid-to-large sized companies will go through when deciding to purchase new software. After a business need has been established, funding must be approved, a budget established. Before a purchase order can be released, a formal request is usually made to someone in IT to recommend an appropriate technology solution. From here, IT will investigate software options, conduct research, evaluate the security and trustworthiness of vendors, and perhaps speak to analysts to pull together a short list of possibilities before deciding on a course of action. Typically, the final step is for legal to review contracts and terms of service, to ensure adherence with corporate policies. Once a purchase is made, software will be installed and signed off on from an IT expert.
None of these safeguards are in effect when dealing with the downloading of free software or applications in a business environment. And with the tightening of IT budgets and the reduction in overall IT resources, users may actually be tempted to seek out free alternatives rather than trying to navigate the procurement process of purchasing new tools. Don’t get me wrong, there are many free applications that provide immense business value, however users and IT must weigh the entire scope of what they are allowing into their environments. It’s a standard Risk vs. Reward equation that should reflect that this is a business decision, even if it is being made by an individual.
Now I understand that many, if not most, organizations have safeguards installed that only allow administrators to download software onto a corporate network. As more and more business applications are being sourced in the cloud, and BYOD devices proliferate, the notion of installing something on the corporate network is not as relevant and all-encompassing as it used to be. The authority to extend the corporate network with cloud applications and BYOD apps has in effect been delegated to users. The reality now is that most corporate networks have already been, and continue to be, extended into the cloud, whether IT sanctions it or not.
To most users within your organization, the benefits and rewards outweigh the risks of downloading free programs. For example, the ability to download and play the latest hot games for free on a tablet or smartphone carries very little risk to the individual user. The potential for data loss on these devices is minimal and for the most part, app marketplaces such as Google Play and Apple Store do an effective job of screening the apps they host. However, introducing a vulnerability that could be contained in these applications to a corporate networking environment could have devastating consequences and you’d have more than one user to worry about.
Because free often flies under the radar, IT and security teams are not actively monitoring for or thinking about these programs and frankly, can have little insight into their existence. From a user’s perspective, the fact that there is no cost to the organization and that it was downloaded onto a personal device or authorized via a web browser to integrate with a SaaS application used by the organization signals to them that there is no reason to involve IT. This assumption has the potential to create exactly the types of gaps in security that the creators of these vulnerabilities are counting on to turn free into a very costly proposition.
IT is not immune to this new challenge as many of these free tools cater to the IT admins themselves. They in turn want to get their job done, as fast as possible and for the lowest cost. However when an IT admin installs or authorizes a web app to integrate with a SaaS application the organization is using, they’re giving away super-admin access to the 3rd party (Free) App.
Should organizations be alarmed about this? No, but they should be prepared to handle this reality. I am, and will always be, an advocate for efficiency and allowing workers to use the tools that make them most productive. However, protecting the integrity of the organization and its security is always the top priority. Keeping in mind the basic premise with which we started, if it seems too good to be true it usually is. I would advise security professionals to be proactive in educating their workforce on the potential cost of free software and applications. Alert them of potential hazards and to only authorize software and applications from trusted sites and with strong ratings from users.
While a price tag shouldn’t be a litmus test for whether a program is secure, it should be an indicator of whether it deserves further investigation. Most tools available for download, free or not, are safe and work fairly close to advertised. But as we are reminded of on a daily basis, the Internet can be a dangerous place and creating vulnerabilities that can be exploited for financial gain is big business.
There is another age old adage that states, nothing in life is free. But, if organizations are willing to be invest a bit of extra vigilance and education, perhaps software and applications can become the exception to the rule.