Data Security Risks Lurking in Shadow IT
We have previously written about ransomware, password reuse, and the DNC security hacks, but this post is about a common risk that lurks in the shadows, aptly called “Shadow IT.” Contrary to what its name implies, Shadow IT is not the malicious creation of hackers. Instead, it is personal communication and content sharing software that employees download to be more productive and effective in doing their jobs. It takes the form of unauthorized tools such as USB drives, a personal cloud service, instant messaging, or other personal IT tools that conveniently allow employees to work at different sites to create and share knowledge.
Shadow IT is not caused by careless or disgruntled workers; in fact, a study found that 90% of workers believe data protection is important for their employer. Curiously, the same study also found that:
(*) Nearly half of workers (45%) use passwords to protect their personal files but only a third (35%) do the same for work.
(*) 68% claimed they dispose of and shred unwanted personal documents, compared to just two in five (40%) in the office.
(*) About half of workers (54%) claimed they immediately delete suspicious-looking emails received at work.
Causes of Shadow IT
What causes this disconnect between personal and professional data security habits? Research has found that when “organizations do not provide suitable tools to communicate efficiently,” many employees use collaborative software and mobile devices that are not authorized or supported by their company’s IT department. In addition, because of a sense of urgency when they are trying to meet a deadline or move a project forward, they often overlook or minimize the risk of a data breach. This happens when employees “judge some knowledge as relevant to co-workers, and neither they nor their co-workers are in the same place (geographical dispersion).”
In a global economy, the situations that create geographical dispersion are numerous, including: incompatible schedules among co-workers, facilities in different time zones, frequent collaboration among co-located individuals, working remotely, and travel outside the workplace. And it’s not just a few rogue employees; it’s an issue that’s growing exponentially.
Cisco surveyed its large enterprise customers and found that, while IT departments estimated their companies were using an average of 51 cloud services, 730 cloud services were actually in use. At the rate the number of cloud services in use is growing, by the end of 2016 there will be 20 times the IT estimate, or more than 1,000 external cloud services, used per company. Citing data from a Frost & Sullivan examination of Shadow IT, Microsoft shared the alarming statistic that 80 percent of employees use unsanctioned web applications for work.
Striking a Balance Between Flexibility and Security
For information security teams tasked with building systems and protocols that prevent data breaches, one expert offers this advice: “companies need to strike a careful balance between management and flexibility” by:
(*) Embracing Shadow IT since “new applications can revolutionize business processes and allow employees to work smarter and more efficiently.”
(*) Gathering information about unsanctioned IT practices in your organization to inform a workable solution. For example, identify which types of data do not present unacceptable risks when handled on unsupported applications, and which data should remain on secure, authorized applications.
(*) Developing information usage guidelines that help your organization define enforceable boundaries, and educating employees about the data security and regulatory compliance risks of particular applications.
Taking these steps can help organizations find ways to maximize the benefits of using Shadow IT to improve workflows, facilitate internal and external communication, and preserve overall security. Employee awareness is critical, as insider negligence is the leading cause of data loss or theft. Effective data security training can raise employees’ awareness of the risks of using unauthorized applications and failing to follow their organization’s IT procedures. For more information, check out LawRoom’s white paper on data security and the human firewall.