Data sprawl is bad enough. Having users decide on their own to implement IT solutions can kill a business.
Shadow IT
Shadow IT is when employees bypass business processes and policies and use insecure, unmanaged consumer-grade IT solutions for corporate data. Users set up their own free online sharing, remote access, smartphone backups, wireless access points, thumb drives, and other unauthorized solutions, thinking they are just making their lives easier. They may need access to their data from home or while traveling and don’t realize that they are creating security and compliance risks for their firm. Shadow IT is mostly adopted by good people with good intentions, but in some cases it is used maliciously to steal proprietary data.
Too Easy
It is now so easy and inexpensive – often free – for someone to bypass company IT policies and procedures. Users view data casually, not as a valuable business asset or something that if lost can result in an expensive and embarrassing data breach. They treat company files the same as their family pictures, and don’t give their managers a vote in where the firm’s data ends up.
File Sharing & Backup
File sharing services are good solutions, but they aren’t all the same when it comes to securing data, tracking access, and offering management a view of what is happening with the data. The firm should be part of any decision if an employee wants to use one to share business info or client files. Free thumb drives given out at conferences can move data off secure networks and expose it to a very high risk of loss. Cloud services that make it easy to back up laptops, phones and tablets may also result in corporate data moving into a location the company doesn’t know about.
Email
Data sent to free email services like Gmail, Hotmail, Yahoo!, and those that come with an Internet service can end up anywhere, and cannot be retrieved. Even deleting these messages may not completely erase them from the vendor’s servers and backups.
Who ever thought…?
Uneducated users and wannabe IT “experts” can create real dangers. What if an employee exported the firm’s confidential client files onto an insecure device? Could your staff make copies without your knowledge? Files that were once in a secure document management system that met the firm’s security standards can now be read by anyone with a computer, with no tracking of access and no way to know how many copies are floating around. Considering the high costs of data breaches (both to reputation and from notification regulations), this could kill the firm if the data were breached.
What can managers do?
1. Educate yourself about the pitfalls of having client data stored on devices and locations without your permission.
2. Identify reliable choices of safe solutions to solve your data access problems.
3. Check systems for unauthorized file sharing and data backup software.
4. Implement data loss prevention software to restrict how data can be moved.
5. Establish policies to prohibit unauthorized solutions.
6. Conduct cybersecurity training for your staff.
The more people understand the value of data and the risks of unauthorized data management solutions, the more you will be able to keep IT out of the shadows.