Human error is responsible for more than half of all security breaches as of last year, making employees the biggest cyber threat of all. Shadow IT, on the other hand, is the deliberate installation of software that is not authorized by IT. The reasons for it? They vary, but generally include tools to make your tickets easier — which should already be available in a centralized company repository.
Open-source software is only an issue when vulnerabilities are present, and it is important for support to know which software is present on employee workstations to prevent the use of unauthorized applications. How? Regular audits or the complete lockdown of systems.
Unfortunately, companies that trust their employees often pay the price for this negligence at some point, when users deliberately install illegal software (software that has been "cracked" to bypass official registration) or deploy software without purchasing the additional licenses it requires. This activity can lead to software audits and deep cavity searches that jeopardize business continuity and can lead to bankruptcy.
The 'It Wasn't Me' Defense of No Benefit
Thanks to the Business Software Alliance (BSA) and Software and Information Industry Alliance (SIIA), disgruntled employees seeking revenge or a quick buck can create a software compliance issue and report it in complete anonymity. The ability to earn up to one million dollars for doing so offers adequate incentive, even for the mildly burdened sysadmin.
In most cases, however, anonymity is irrelevant.
"It is natural for a target of a software audit to wonder who reported them. My clients often have reasonable suspicions and in some cases are fairly certain who the informant is," says Robert J. Scott, an attorney with Scott & Scott, LLP, a firm that specializes in defending software audit cases.
Given that many of the world's leading software companies are members of the BSA and SIIA, companies can easily point to valid reasons for failing a software audit (Shadow IT or an employee with a grudge, for example) and prevent severe penalties. But surely they'll take the credibility of the "whistleblower" into consideration?
"The BSA and SIIA audit processes are anything but fair to the targets," Scott argues. "Companies rarely keep the documentation required by auditors to prove licenses, and other good evidence is routinely rejected. In addition, the auditors' approach to calculating settlement demands is contrary to copyright law. Trebling of the MSRP value of the software involved and unbundling suite products like Microsoft Office and Adobe Creative Suite lead to grossly exaggerated financial demands."
Who Can You Trust?
While employees are generally an asset, sometimes those in a position of trust can work counter to company interests. Preventing shadow IT sabotage by those with full access to admin features is imperative.
"Many of my clients in software audits report that shadow IT is a major problem," Scott observes, "and that those responsible for the software deployments are often the same individuals that make reports to trade groups in hopes to gain from reward money."
When it comes to IT operations, however, Scott advises his clients to trust but confirm. "You need a third party or external business unit to verify that IT operations are compliant with software license agreements, and it is imperative to detect and discipline those responsible for violations of software policies and procedures. Routine discovery is critical to creating a culture of compliance. It is important to remember that the burden of proof in a copyright case is on the licensee to prove a license."
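The routine discovery described above, and the earlier point that support must know exactly which software sits on each workstation, both come down to reconciling an inventory export against the approved catalogue and the seat counts you can actually prove. The following is an added example (not from the article or any vendor tool) using constructed inventory rows and hypothetical entitlement figures; it flags installs outside the catalogue and products deployed beyond their licensed seats.

```python
"""Reconcile a workstation software inventory against the approved catalogue
and license entitlements. Added example with constructed, hypothetical data."""
import csv
import io
from collections import Counter

# Constructed inventory export: one row per installed product per host.
INVENTORY_CSV = """host,name,version
ws-01,Microsoft Office,2021
ws-01,Adobe Acrobat,23.1
ws-02,Microsoft Office,2021
ws-02,Unapproved Notes App,1.0
ws-03,Microsoft Office,2021
ws-03,Adobe Acrobat,23.1
"""

# Hypothetical approved catalogue: product -> seats backed by proof of purchase.
ENTITLEMENTS = {"Microsoft Office": 2, "Adobe Acrobat": 5}


def parse_inventory(text):
    """Return (host, product) pairs from a CSV inventory export."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["host"], row["name"]) for row in reader]


def audit(installs, entitlements):
    """Flag software outside the catalogue (shadow IT) and products whose
    install count exceeds the licensed seat count (audit exposure)."""
    unauthorized = sorted((h, p) for h, p in installs if p not in entitlements)
    seats = Counter(p for _, p in installs if p in entitlements)
    over_deployed = {p: (seats[p], entitlements[p])
                     for p in seats if seats[p] > entitlements[p]}
    return {"unauthorized": unauthorized, "over_deployed": over_deployed}


if __name__ == "__main__":
    report = audit(parse_inventory(INVENTORY_CSV), ENTITLEMENTS)
    for host, product in report["unauthorized"]:
        print(f"UNAUTHORIZED  {host}: {product}")
    for product, (used, licensed) in report["over_deployed"].items():
        print(f"OVER-DEPLOYED {product}: {used} installed, {licensed} licensed")
```

Run on a real export, the unauthorized list is the discovery record to act on, and the over-deployed list is the gap to close before an auditor counts it for you.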
This picture is admittedly a grim one. Anyone with a grudge and even a passing knowledge of what you do can cause long-lasting difficulty for the company by installing software that is not legitimately licensed. This user has complete anonymity and gains approximately 30 percent of the fines levied by the organization involved. Unfair, yeah. When employees deliberately bite the hand that feeds them, how in the world is anonymity justified?
In many cases the BSA and similar organizations are seemingly the last resort of the incompetent and greedy "whistleblower" — hardworking companies are much easier targets than the real software pirates who produce counterfeit software, in bulk, for profit. Are you prepared for a software audit with proof of purchase for all installs?