How to Guard Against Governance Risks Due to Shadow IT and Remote Work
These three principles can help you establish better security and governance in your enterprise.
- By Mike Safar
- July 2, 2020
As organizations have transitioned to remote work and virtual teams, many business and IT leaders have discovered their enterprises are unprepared for the governance risks that come with this shift. They realize that remote, dispersed workers have a greater need for flexible information storage, distribution, and collaboration tools and are adept at finding ad hoc solutions if sanctioned technology isn't readily available. However, ad hoc alternatives very often defy legal and regulatory requirements.
Shadow IT evolves in organizations when workers, teams, or entire departments begin to improvise their work processes through unauthorized services or practices that operate outside the oversight and control of IT. It may involve something as seemingly harmless as storing work documents on a personal laptop, or it could pose a catastrophic risk by transferring confidential intellectual property or regulated private data via an unsecured personal file sharing service.
Shadow IT emerges when employee behavior begins to sidestep information governance processes and controls, and as a result, security, compliance, and privacy risks snowball. A recent study by Ponemon Institute, for example, estimates the average cost of a single data breach at US $3.92M.
Although productivity is critical, the use of personal cloud file services, ad hoc team network file shares, and personal email for file transfer undermines governance and represents material risk from a discovery, privacy, and noncompliance perspective. If you don't equip your employees with productivity tools that address governance requirements, they will pursue novel techniques without understanding the risks. Transferring documents via email, Dropbox, or Google Drive may seem ingenious; in reality, users may not understand the dangers posed by insufficient authentication or auditing, or the direct violation of data privacy requirements. What's more, unmanaged deletion of work product may violate legal hold requirements.
To successfully tame shadow IT, organizations must first understand what motivates these behaviors:
Within a division or country business unit, users adopt solutions that allow them to work within the local processes, pressures, and regulations unique to their business. Business units tend to develop ad hoc, custom methods that are opaque to IT and information governance, require specialized resources, and may lack even the most basic security, retention, auditing, and legal hold capabilities. The solution is often to embed information governance naturally through automation and to show these units the benefits they can achieve through better governance, such as more rapid access to data. Ultimately, the goal is to collaborate on how to improve productivity without slowing down or stifling innovation in the business unit.
Small workgroups or departments are resistant to new applications and processes that are unfamiliar or whose advantages aren't evident. For example, departmental network shares that have existed for many years are often difficult to replace with proper content services that include governance controls and long-term compliance. If users resist the new governance program that IT introduces because it is unfamiliar or seems cumbersome, they will revert to using local file directories or the old network shares.
Remote workers and power users mistakenly assume the data they work with is theirs to create, modify, or approve in whatever way keeps them productive. These users introduce the most risk through their highly individualized shadow IT. This is especially true of remote workers, who see VPNs as slow, requiring extra steps and checks that take time and don't improve productivity. As a result, there may be a copy of important corporate records or regulated personally identifiable information (PII) circulating on a flash drive, an unmanaged home computer, or worse -- in employees' personal cloud storage, unmonitored by the IT department and susceptible to data leaks.
Understanding Governance Risks
Whether prompted by divisions, managers, or individuals, shadow IT poses an incalculable risk to organizations. A single misplaced or stolen file could result in an embarrassing incident and hefty fines. In 2019, a New York City Fire Department employee transferred more than 10,000 ambulance patients' data to a personal hard drive that he subsequently lost. Such losses breach federal law and customer trust.
Improper storage of sensitive information such as consumer details or credit information can lead to brand damage, loss of sales, and massive fines under privacy regulations. Undocumented destruction of data can lead to legal sanctions, penalties, and loss of business.
Reducing Shadow IT
To mitigate the risks shadow IT creates, businesses and IT leaders must develop sound governance policies and audit tools to protect and effectively manage information. Here are three principles to establish better security and governance in your organization.
Don't over-complicate governance. Make it easy for users to comply by equipping them with user-friendly, modern systems that provide governance and cybersecurity controls without slowing down work processes. One way to accomplish this is to eliminate extra steps that lead to circumvention and dark data. For example, where possible, implement automated and intelligent metadata capture so that users have simple folders in which to file, and the system assigns or discovers essential metadata without users filling out forms.
Imitate familiar work habits. Give your users tools that emulate their existing work environment to ensure optimal adoption. For example, implement a robust file sync-and-share system that extends compliant content services to each desktop in the form of desktop folders. Users are far more likely to comply when they aren't learning an entirely new procedure, and the organization can benefit from the instant discoverability and policy management of content services.
Be vigilant. Implement policies and tools to prevent unauthorized cloud service use where possible. You can educate employees about the risks and dangers, but that alone won't eliminate the problem. Deploy monitoring and mapping of your confidential or sensitive data through file analysis applications with active policy controls that can quickly alert and protect you when data is out of compliance. For example, by monitoring for PII such as Social Security numbers and implementing intelligent content services that proactively secure risky information, you can help protect your organization from a costly and embarrassing data leak.
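The monitoring described above, scanning stored files for Social Security numbers, can be prototyped in a few dozen lines. The following is an added example, not code from the article or from any OpenText product; the sample documents are constructed, and the structural rules (area 000, 666 and 900-999 are never issued, group and serial are never all zeros) are applied to cut down the false positives a bare nine-digit pattern would raise.

```python
import re
from pathlib import Path

# Constructed sample documents (not from the article). The second file holds
# look-alike numbers that fail the SSA structural rules and should not alert.
SAMPLE_FILES = {
    "claims_export.txt": "Patient record 12\nSSN: 536-90-4399\nContact: 555-0142\n",
    "invoice.txt": "Order 000-12-3456 shipped; ref 666-01-0001; lot 987-65-4321\n",
    "notes.txt": "Meeting moved to Thursday. No action items.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject formats the SSA never issues: area 000, 666 or 900-999,
    and all-zero group or serial fields."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return the SSN-formatted strings in text that pass structural validation."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_files(files: dict) -> dict:
    """Map file name -> count of plausible SSNs, omitting files with none."""
    findings = {}
    for name, content in files.items():
        hits = find_ssns(content)
        if hits:
            findings[name] = len(hits)
    return findings


def scan_directory(root: Path, pattern: str = "*.txt") -> dict:
    """Same check over real files under root (hypothetical helper for a share)."""
    files = {str(p): p.read_text(errors="ignore") for p in root.rglob(pattern)}
    return scan_files(files)


def redact_for_alert(ssn: str) -> str:
    """Mask all but the last four digits so the alert itself does not leak PII."""
    return "***-**-" + ssn[-4:]


if __name__ == "__main__":
    for name, count in scan_files(SAMPLE_FILES).items():
        print(f"ALERT {name}: {count} plausible SSN(s) found")
```

An alert should carry only the file location and the masked value; the policy engine, not the scanner, decides whether to quarantine, move, or notify.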
A Final Word
An agile organization must remain flexible while controlling risk. Maintaining security and proper information governance while avoiding shadow IT is possible if the right tools are available to meet the needs and work habits of users across the organization. IT leaders must be able to respond to the business mission while identifying and mitigating risks posed by unsafe information-handling practices. By following these principles, your organization will minimize the risk of shadow IT and build an information governance program that brings new value to your IT infrastructure.
About the Author
Mike Safar leads product marketing for OpenText information governance products and serves as a subject matter expert on information governance solutions and best practices. Mr. Safar’s previous experience has been in product management and marketing of leading information governance products for over 25 years, starting with integrated document management, records systems, and most recently intelligent content analytics solutions. His past experience includes positions at Interwoven, Hewlett Packard Enterprise, and PC DOCS Group. You can connect with Mike on LinkedIn or Twitter.