The business risk of Shadow IT

Recent high-profile security breaches highlight the dangers of using email as an insecure communications channel with individuals outside an organisation.

The most recent security incident at Commonwealth Bank is a timely reminder that exposure, while not always a breach, can lead to media coverage, perceived damage to reputation and embarrassment. Every agency needs to be thinking about the security of the channels staff use to communicate personally identifiable information (PII).

CBA made headlines again in early June when it was reported that staff sent more than 650 internal emails containing PII relating to 10,000 customers to the wrong addresses.

Email is a ubiquitous communication channel, but it isn’t secure, and it is prone to accidental exposures. Recent privacy law changes should be forcing a rethink about whether email carries a level of risk that is appropriate for accrediting it to carry PII. The same risk assessments also need to be revisited for digital channels (such as USB, DVD, FTP) and paper. These channels also typically lack the security, confidentiality and data sovereignty that should be a baseline requirement. They also do not provide critical data about who provided what to whom.

While a solution to this problem ultimately means increased security-related costs, agency delegates must not ignore that the status quo can result in unwanted exposure. For the public sector to digitally engage with its stakeholders, digital platforms must meet the users’ need to collaborate while also enforcing agency security and information governance practice. The alternative is unsecured but authorised channels, or shadow services that are efficient and easy but represent a complete loss of control.

As Prime Minister Malcolm Turnbull has stated:

“Maintaining data security is of vital importance for everybody, whether it’s the private sector or governments, and if there is a serious data breach or loss the people affected should be advised so they can take steps to protect themselves”

National Blood Authority Australia implements secure collaboration

The National Blood Authority (NBA) works on behalf of the Commonwealth, six state and two territory governments, and secure collaboration is critical to its ability to ensure a safe and secure blood supply to all Australians. But with sensitive health information being shared, the NBA has to ensure strict information governance.

Before implementing Objective Connect, NBA searched for a collaboration platform that was secure, locally hosted and, importantly, ensured complete auditability and traceability of information.

Download the NBA case study to understand the value that a secure collaboration platform has delivered to the authority, including a cost saving of over $40,000 per annum and a significant saving in staff time from digitising processes.

“Objective Connect is good for me. I can share committee papers, securely and simply, but still have an audit trail,” says Peter O’Halloran, executive director and CIO, National Blood Authority.
