Data protection and the negative implications of shadow IT

By: Polina Nikolova | pnikolova@ddaftech.com

The coronavirus pandemic has forced many businesses to send employees home without much, if any, lead time to set up company-approved technology services for a secure remote work environment. States have cautiously eased stay-at-home orders over the last few months. Many businesses finally see light at the end of the tunnel as they re-open and reinstate services and production.

Nevertheless, as we start to emerge from the initial chaos and the rush to work from home, there will be a shadow cast behind—scattered remnants of unmanaged technology software, subscriptions, and hardware. The remnants may involve client or customer files and company data disseminated through different file sharing platforms, home computers, or unsupported (and unsecured) devices. Also, team members may have individual plans for messaging and video conferencing solutions, subscriptions and trials to Dropbox, WebEx, Zoom, Microsoft Teams, SharePoint, Google Hangouts, Google Docs—the list goes on.

How did we get here?

While some companies were well-positioned to accommodate the needs of a remote workforce, many businesses were unprepared and struggled to provide the technology and tools needed for a seamless transition. Employees took matters into their own hands, looking for new ways to perform their daily work, signing up for a trial of Zoom, using their personal Dropbox account to transfer files, or storing documents on a home computer or other personal device.

This leaves IT administrators scrambling to identify what tools or cloud platforms employees are using and how files are being stored and shared in their effort to regain control of data governance and security.

Shadow IT refers to the use of unapproved technology services or devices without the knowledge or approval of the company’s IT department.

This practice presents significant risks to a company’s information security: increasing the possibility of data leaks, breach of client confidentiality agreements, and data compromise or theft. It bypasses and disregards company security controls for data protection and usually violates the organization’s Information Security Policy and Employee Acceptable Use Policy.

Safeguarding client or customer data and protecting company resources is a shared responsibility.

A company must ensure that effective information security policies and processes are in place. IT professionals must implement the tools, policies, and controls needed to safeguard company information. And, employees must follow the organization’s policies to safeguard client or customer information and company resources.

As a team member or leader, reach out to your IT administrator to make sure you and your team have the tools needed to enable you to work securely and efficiently, using approved technology and services, governed by your IT department.