Home » Topics » Cybersecurity » The risks that lie behind the shadowy side of IT

The risks that lie behind the shadowy side of IT

Avatar photoby Nick Ismail

Technology is evolving and advancing faster than ever before. These days, the abundance of mobile and cloud-based services has empowered business users to handle their own IT needs on demand without the delay or hassle of going through appropriate internal channels.

Let’s be honest: who hasn’t said to themselves something along the lines of “My job or this task would be easier if I just had an app that could do that”?

However, installing and using technologies or services without your employer’s permission or knowledge creates a series of problems that go beyond the obvious security and system health concerns.

Legal counsel and e-Discovery practitioners should be particularly concerned with the data these apps generate that, for the most part, remains hidden and unaccounted for.

And so it begins

Until recently, within organisations that properly locked down and managed their devices and software, there were just two ways to get software: ask the IT department for it or put in a business case and hope your organisation would approve it.

Still, employees often ran into situations where company-provided software wasn’t able to perform specific tasks or wasn’t designed for productivity, and they suffered for it.

>See also: The sunnier side of Shadow IT in business

Shadow IT is a direct consequence of the dexterity of the “app generation” who have a seemingly insatiable appetite for communications and collaboration applications.

If an employer does not offer a certain solution, or if the solution provided is unsatisfactory, users can and generally will start using an alternative with a simple download—or even just by signing up to a cloud service with a few simple clicks.

This is quite a departure from the past, when such applications had to be set up on servers and workstations by a dedicated team of trained IT professionals.

If the selected app doesn’t quite provide the sought after result, users can quickly try the next solution that purports to fulfil their requirements, with little cost or inconvenience.

This is particularly worrying when considering that earlier this year, Netskope reported that organisations globally use an average of 917 cloud apps in their enterprise, of which 94.6% are “not yet ready for enterprise use.” While the EMEA number is lower — 824 cloud applications on average —the number is still staggeringly large.

Applications that the IT department doesn’t know about pose a significant risk to the organisation. That’s why most companies have a software requisition and approval process in the first place.

The security risks behind shadow IT

A main component to successful e-Discovery is understanding what data the organisation owns, where it resides, and how it is used. Without this knowledge, e-Discovery is doomed to failure or, less dramatically, incomplete results.

Shadow IT exasperates this into a huge problem when organisations receive legal or regulatory discovery requests for data.

You might feel confident in your ability to produce all the necessary documents, messages, and data in the systems you know about. This is straightforward when it comes to traditional enterprise applications such as email and financial systems, most of which have long been subject to the requirements of electronic discovery and have evolved over time to meet them.

Conversely, many newer applications are designed without any consideration for eDiscovery or getting your data out for any other reason. When you do retrieve your data, it is most likely your e-Discovery platform can only handle all the file types and data sources you expect a court or regulator will ask you to produce.

>See also: Trends and analysis on IT management for the CIO in the enterprise

But what happens when an opposing counsel or regulator asks for a specific Slack chat, the contents of a Dropbox folder, or the details of a Skype conversation? Suddenly, you’re left scrambling to produce data from services you never knew your employees were using, and are very much discoverable.

Turning shadow into light

In the early 20th century, society had to adapt to the explosion of automobile travel by developing new rules and infrastructure to support this new technology.

Today we must take a similar journey to adapt to the new reality of shadow IT. Here are some practical steps you can take to make it much more manageable.

Understand your technology landscape

Talk to employees during performance reviews, check-in meetings, and day-to-day interactions to learn more about how they use technology resources to complete their jobs.

Educate frontline managers about the risks of shadow IT and why it’s important to have these conversations with their employees.

Last, but not least, don’t forget to build these conversations into depositions; you never know what additional information stores might suddenly become relevant to include.

Familiarise yourself with new technologies

IT and legal departments should regularly research and understand new or popular technologies that employees might use for business.

People work in different ways and no app will fit every role or working style within your organisation. Offering a marketplace of fully-vetted and approved apps for employees to use can dramatically reduce the negative impact of shadow IT.

Validate e-Discovery solutions

The worst time to deal with an unexpected data source is after you’ve received a discovery request.

Instead, ensure your e-Discovery platform is nimble enough to handle new data types and requirements that might arise in future discovery requests. Otherwise, you could well find yourself at risk for sanctions and penalties for failing to produce data.

>See also: Digital business trends 2017

Shadow IT is real, as are the risks it poses to information security and legal teams, and it won’t be going away anytime soon. Overcoming these problems won’t be simple.

It will require developing a plan that considers policy as well as technology, while also taking into account the reality of popular emerging technologies and their associated issues.

Taking the time to understand the entire technology landscape with your organisation will allow you to stay ahead of the curve so that your tools and processes stack up against the reality of data, both today and what’s to come tomorrow.

 

Sourced by Angela Bunting, vice president e-Discovery, Nuix

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise