The Cloud is everywhere we turn these days. If you haven’t seen or read an article in the last year about what it is, why you should move to it, why you shouldn’t move to it, how everyone else is moving to it, or other key, critical advice about it, then you haven’t been paying attention. I’m even guilty of it myself, having co-written with my colleague, Brandon Leatha, a piece about what to consider when migrating to the Cloud (Legal Considerations when Adopting Cloud Technologies).
That’s all important, and your IT and Legal groups ignore it at their peril, but I’m here to talk about something entirely different that has existed for decades, yet is now becoming much more prevalent, and significantly more dangerous, thanks to the Cloud – Shadow IT. Shadow IT is the name we give to employee-created technology solutions that the company has not authorized. Historically, it was the employee who brought a personal WiFi router into the office, or perhaps the manager who downloaded and installed applications onto machines in their department to solve a business need, but without corporate IT’s knowledge or blessing. Hence the term Shadow IT: it hides in the shadows of the organization and isn’t readily apparent or visible.
Why do we care? These employees are solving important business needs that IT is failing to provide for, so how is that a bad thing? Well, that WiFi router is likely consumer grade and misconfigured, a large security hole that attackers can exploit to gain a network foothold. That application the manager installed is likely unlicensed and may include undesirable functionality (e.g., malware or viruses). Technologies and software are being added to the environment unbeknownst to the individuals responsible for security, thereby introducing risk that is both unknown and unaddressed. Employees are now combining Shadow IT with Cloud solutions and inadvertently creating a very real risk to organizations.
Employees can easily set up entire financial or customer relationship management systems (e.g., Salesforce), configure their own cloud-based backups and file sharing (e.g., Dropbox, OneDrive, Google Drive), or use collaborative cloud-based documents (e.g., Google G Suite). Each of these, when set up and used without IT or Legal oversight, introduces a huge amount of risk to an organization thanks to a few simple clicks and an email address. Imagine collecting documents for discovery without knowing that employees are using Google Docs extensively, or that there is a Shadow IT system containing historical copies of documents in direct contradiction of document retention policies. On top of that, employees may be storing important, and possibly sensitive, company information in a location they know little, if anything, about, and with a company they likely only have a click-wrap agreement with.
iDS can work with you to help identify Shadow IT, define how it exists within an organization, and, more importantly, assist in finding ways to bring it in-house while still being sensitive to the business needs that drove employees to it in the first place. This last point is critical: if we don’t consider the underlying business need, the problem will simply manifest itself again in a new form as employees do what’s necessary to get their jobs done. When Shadow IT is resolved properly, everyone comes away winning, but you first have to know it’s there and what business need it’s solving.
Shadow IT is difficult to identify, it’s quickly becoming Cloud-based, and, more importantly, it can represent a real and present risk to your organization. Do you know what’s lurking in your shadows?
Please email Mr. Platt at firstname.lastname@example.org to discuss Shadow IT, data systems and the Cloud, cybersecurity & incident response, and other data analytics issues, as well as how the experts at iDS can assist with all your legal technology needs on your next case or internal investigation.
The opinions reflected in this post are solely those of the author and do not necessarily represent the views of iDiscovery Solutions (iDS), nor any additional current or former employee of iDS. Moreover, any references to specific litigation or investigation work or findings are fact-specific.