Corporate IT teams have long bemoaned the use of shadow IT. This hasn’t stopped the practice, and the rise of cloud software adds a new and disturbing wrinkle. Shadow IT can be harmful to data security. The key is to invest in proactive prevention rather than a reactive cure.
The rise and risk of shadow IT
The constant tug of war between IT’s efforts to secure data and users’ needs to share data has given rise to shadow IT. Today, a large percentage of shadow IT is in the cloud. And the users accessing cloud applications are increasingly dispersed in this age of remote working and the gig economy.
Organizations are using an enormous number of cloud applications, only some of which they know about:
- The average enterprise uses 1,427 distinct cloud services, with the average employee actively using 36 cloud services at work.
- Gemalto’s 2018 Global Cloud Data Security Study found that 43% of IT practitioners globally said they were confident they know all the cloud services running in their organization. Over half (53%) of corporate cloud data on average is not managed or controlled by IT.
Data protection is top of mind today for all IT leaders, but it’s hard to protect what you don’t know about.
The cost of a cure: data breaches
The Ponemon Institute recently surveyed over 419 companies across the globe and collected direct and indirect expenses to calculate data breach cost. Here’s what they found:
- The average total cost of a data breach was $3.62 million.
- The average cost for each lost or stolen record containing sensitive and confidential information was $141.
Data breach settlements are one contributing factor to the cost, and these settlements are rising because the class sizes of persons affected by data breaches are increasing.
Beyond ‘hard’ costs, the Ponemon study also found that more organizations worldwide lost customers as a result of their data breaches.
The cost of a cure: regulatory impact
New regulations are on the horizon that will require increased investment in data protection and a quicker response in the event of a data breach. For example, the European Union’s General Data Protection Regulation (GDPR) affects all organizations that do business with EU citizens. Organizations will need to be able to demonstrate IT compliance with these regulations. The regulation is clear that any breaches in the cloud are the responsibility of both the data controller and the processor.
Move from a control approach to help prevent shadow IT
A dispersed workforce and a cloud- and mobile-first mindset are driving a shift from the “control” approach to security. IT teams can rail against shadow IT, but that won’t change the reality. Users will find a way, and the IT department will become known as the ‘department of no’.
Use these tactics to flip the script, and become a ‘department of how’:
- Consult with business units to inventory existing cloud software.
- Stay ahead of the game through regular discussions with the business about needs, options, and tactics to keep these options secure.
- Keep content where it belongs: instead of creating duplicate copies of content to help with collaboration, integrate with the applications that create the content to manage the associated workflows.
- Include information about the risks of shadow IT in security awareness education, and clearly outline the policy on setting up new accounts. Use case studies of harmful practices and the damaging results to make an impact.
- Introduce user activity monitoring to identify the “normal” actions of systems and users. This software can identify when a computer or person diverges from the “normal” profile, and issue alerts so that issues are addressed promptly.
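As an added illustration of two of these tactics (inventorying the cloud services actually in use, and alerting when a user diverges from their normal profile), here is a small Python baseline over web-proxy log lines. It is not code from the original article or from Teramind; the log lines, hostnames and sanctioned-service list are all constructed for the example.

```python
from collections import defaultdict

# Constructed web-proxy log: "<timestamp> <user> <destination host>".
# Day one is the learning period; day two is monitored.
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice docs.example-saas.com
2024-03-01T09:05:40 alice mail.corp.example
2024-03-01T10:11:03 bob docs.example-saas.com
2024-03-01T10:15:22 bob crm.example-saas.com
2024-03-02T09:00:07 alice docs.example-saas.com
2024-03-02T10:30:00 bob mail.corp.example
2024-03-02T13:44:51 bob files.unsanctioned-share.example
2024-03-02T14:02:19 alice pastebin.example
"""
# Hypothetical list of cloud services IT has reviewed and approved.
SANCTIONED = {"docs.example-saas.com", "mail.corp.example", "crm.example-saas.com"}

def parse_log(text):
    """Return (timestamp, user, host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append(tuple(parts))
    return events

def inventory(events, sanctioned):
    """Cloud inventory: sorted (host, distinct users, sanctioned?) rows."""
    users_by_host = defaultdict(set)
    for _ts, user, host in events:
        users_by_host[host].add(user)
    return sorted((h, len(u), h in sanctioned) for h, u in users_by_host.items())

def build_baseline(events, learning_days):
    """Per-user 'normal' profile: the hosts each user touched on learning days."""
    baseline = defaultdict(set)
    for ts, user, host in events:
        if ts[:10] in learning_days:
            baseline[user].add(host)
    return dict(baseline)

def detect(events, baseline, sanctioned, monitored_days):
    """Alert on hosts outside a user's baseline; unknown services are the worst case."""
    alerts = []
    for ts, user, host in events:
        if ts[:10] not in monitored_days or host in baseline.get(user, set()):
            continue
        reason = "new-for-user" if host in sanctioned else "unsanctioned"
        alerts.append({"ts": ts, "user": user, "host": host, "reason": reason})
    return alerts
```

The inventory gives the business units a starting list to review, while the "unsanctioned" alerts are the shadow IT candidates and the "new-for-user" alerts are lower-priority deviations from an approved user's own pattern.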
Shadow IT introduces risk in your data protection planning. Taking a proactive and collaborative approach to ensure employees use secure options is one way to put the emphasis on prevention.