Rajiv Gupta, right, the chief at Skyhigh, which recently started monitoring personal use of apps.
SAN FRANCISCO — As is the case with many busy people, Delyn Simons’s life has become an open phone app of commingled corporate and personal information.
“I’ve got Dropbox, Box, YouSendIt, Teambox, Google Drive,” says Ms. Simons, a 42-year-old executive, naming just five of the many services on her iPhone to store memos, spreadsheets, customer information and soccer schedules.
She and her colleagues at Mashery, a 170-employee company that helps other companies build even more apps, also share corporate data on GroupMe, Evernote, Skype and Google Hangouts. “From the standpoint of corporate I.T.,” she says, “my team is a problem.”
And how. “My peers are killing me,” says John Oberon, Mashery’s information technology chief, who is supposed to keep track of company data. While the company’s most confidential information is encrypted and available only to authorized executives, he said, “there’s only so much you can do to stop people from forwarding an e-mail or storing a document off a phone.”
Chinese hackers are one problem. But so are employees who put company information online with their smartphones and tablets.
Once the data leaves the corporate network, protecting it becomes much harder. Searching for the name of almost any large company, plus the word “confidential,” yields supposedly secret documents that someone has taken from the company network and published.
Netflix, the streaming video service, recently found employees using 496 smartphone apps, primarily for data storage, communications and collaboration. Cisco Systems, which powers much of the Internet with computer networking gear, found several hundred apps, as well as services for shopping and personal scheduling, touching its own network via employees.
“People are going to bring their own devices, their own data, their own software applications, even their own work groups,” drawing off friends and contractors at other companies, said Bill Burns, the director of information technology infrastructure at Netflix. “If you try and implant software that limits an employee’s capabilities, you’re adding a layer of complexity.”
Almost no service is invulnerable. In 2011, Chinese hackers obtained access to hundreds of United States government accounts on Google’s Gmail. Last July, Dropbox, one of the most widely used storage services, reported a loss of data from a large number of customers. Without special instructions, customer sales information in the online service of Salesforce.com can be moved to private accounts at Box. On Saturday, Evernote said user names, e-mail address and encrypted passwords had been stolen in an attack, requiring the passwords of more than 50 million accounts to be reset.
In 2011, Juniper Networks found more than 28,000 samples of mobile malware, mostly for capturing and transferring information like passwords. In January this year, Florida’s Juvenile Justice Department reported that 114,538 youth and employee records had disappeared when a mobile storage device with no password was stolen. The state will pay for a year of credit monitoring for everyone whose data was lost.
Last September, a customer notified Rite Aid that he could obtain other customers’ names, addresses and prescription records from the company’s mobile app. (Rite Aid says the problem has been fixed and that it is not aware of any data loss.)
Even without proof of compromised accounts, such losses can cost a company both money and reputation. According to the Securities and Exchange Commission, unauthorized disclosures of confidential information, whether from unsecured devices, leaky apps or poor cloud security, must be announced publicly if the information could affect a company’s stock price.
Some apps onto which employees may move company information, like Facebook and Amazon, are well known. Others, like Remember the Milk, used for completing tasks, or CloudElephant, a data backup service, are news even to some of the experts in I.T. Skyhigh Networks, which recently started monitoring personal use of apps, has counted more than 1,200 services used in corporate networks from personal devices.
Skyhigh signs up for each service, along with 1,000 others that have not yet touched a corporate network, and researches them for security issues, like whether people can share data anonymously, or how easy it is to get inside the system and obtain another customer’s data. The company then tunes a customer’s corporate network to allow services to have different degrees of access to information.
“We have to be careful how we inspect for security vulnerabilities, since we don’t want to get arrested ourselves,” says Rajiv Gupta, the chief executive at Skyhigh. “What makes an iPhone interesting and scary is what happens in the cloud, and how I can upload things with one device and then download them to another from someplace else.”
The problem of data leakage is as old as someone taking a carbon copy home on the weekend.
What is different today is how people can take data with a finger swipe, and how little they know about whether a service has malware or how much it can see of what is going on elsewhere in a phone. Companies do not want to stand in the way of “life splicing,” as the intermingling of home and work tasks is known, because it mostly plays in a company’s favor. They just want more security.
Besides Skyhigh’s catalogs and controls over different apps, a system called Websense allows companies to ensure that office access to LinkedIn is only for research on people and companies, not for job applications.
Companies also know little about what ad hoc corporate computing really costs, as groups buy their own mobile work productivity apps or rent cloud computing and data storage from the likes of Amazon Web Services.
“The popular term now when people bypass the in-house organization is ‘shadow I.T.,’ ” says Sunny Gupta, chief executive of Apptio, which helps companies calculate their total corporate I.T. spending. If the spending is high enough, companies look for volume discounts on their unofficial computing.
In a 2012 survey of information technology managers by PricewaterhouseCoopers, 47 percent of respondents said that at least half of corporate I.T. spending was now shadow I.T.
.