Data Security Risks Lurking in Shadow IT 17:56, September 12, 2016


We have previously written about ransomware, password reuse, and the DNC security hacks, but this post is about a common risk that lurks in the shadows, aptly called “Shadow IT.” Contrary to what its name implies, Shadow IT is not the malicious creation of hackers. Instead, it is personal communication and content-sharing software that employees download to be more productive and effective in doing their jobs. It takes the form of unauthorized tools such as USB drives, personal cloud services, instant messaging, or other personal IT tools that conveniently allow employees to work at different sites to create and share knowledge.

Shadow IT is not caused by careless or disgruntled workers. In fact, a study found that 90% of workers believe data protection is important for their employer. Curiously, the same study found that:

(*)   Nearly half of workers (45%) use passwords to protect their personal files but only a third (35%) do the same for work.

(*)   68% claimed they dispose of and shred unwanted personal documents, compared to just two in five (40%) in the office.

(*)   About half of workers (54%) claimed they immediately delete suspicious-looking emails received at work.

Causes of Shadow IT

What causes this disconnect between personal and professional data security habits? Research has found that when “organizations do not provide suitable tools to communicate efficiently,” many employees use collaborative software and mobile devices that are not authorized or supported by their company’s IT department. In addition, because of a sense of urgency when they are trying to meet a deadline or move a project forward, they often overlook or minimize the risk of a data breach. This happens when employees “judge some knowledge as relevant to co-workers, and neither they nor their co-workers are in the same place (geographical dispersion).”

In a global economy, the situations that create geographical dispersion are numerous, including incompatible schedules among co-workers, facilities in different time zones, frequent collaboration among co-located individuals, working remotely, and travel outside the workplace. And it’s not just a few rogue employees; it’s an issue that’s growing exponentially.

Cisco surveyed its large enterprise customers and found that, while IT departments estimate their companies are using an average of 51 cloud services, 730 cloud services were actually being used. At the rate the number of cloud services used is growing, by the end of 2016 there will be 20 times — or more than 1,000 — external cloud services used per company. Citing data from a Frost & Sullivan examination of Shadow IT, Microsoft shared the alarming statistic that 80 percent of employees use unsanctioned web applications for work.

Striking a Balance Between Flexibility and Security

For information security teams tasked with building systems and protocols that prevent data breaches, one expert offers this advice: “companies need to strike a careful balance between management and flexibility” by:

(*)   Embracing Shadow IT since “new applications can revolutionize business processes and allow employees to work smarter and more efficiently.”

(*)   Gathering information about unsanctioned IT practices in your organization to inform a workable solution. For example, identify types of data that do not present unacceptable risks on unsupported applications and which data should remain on secure authorized applications.

(*)   Developing information usage guidelines that can help your organization define enforceable boundaries and educating employees about the risks of certain applications in terms of data security and regulatory compliance.

Taking these steps can help organizations find ways to maximize the benefits of using Shadow IT to improve workflows, facilitate internal and external communication, and preserve overall security. Employee awareness is critical, as insider negligence is the leading cause of data loss or theft. Effective data security training can raise employees’ awareness of the risks of using unauthorized applications and failing to follow their organization’s IT procedures. For more information, check out LawRoom’s white paper on data security and the human firewall.

Karen Peterson
Karen Peterson is a legal editor at EverFi. Prior to joining the editorial staff, she spent several years in private legal practice. Now she applies her legal skills to research and writing on corporate compliance and higher education law. She earned a BA from UC Berkeley and a JD from the University of San Francisco Law School.
