The Security Leaders’ Guide to Managing Shadow IT Risks
In today’s cybersecurity environment, guaranteeing data privacy is an integral part of enterprise risk management.
Corporate executives and stakeholders used to think of enterprise risk purely in terms of investments, competition, and unit economics. Now, cybersecurity policies and intrusion detection capabilities have earned a central place in the discussion.
According to IBM's 2020 Cost of a Data Breach report, it takes an average of 280 days to identify and contain a breach, and the average cost of a breach is just under $4 million ($3.86 million). Enterprise leaders rely on their cybersecurity teams to identify and address these risks as part of their broader responsibility to protect the organization and its users.
But this is easier said than done. Integrating best-in-class security technology is only the first step on the way towards operational security excellence. Information security leaders must also develop policies that promote a security-conscious culture throughout the organization.
IT Security is a Balancing Act
Corporate information security typically revolves around policies. Security leaders draft policies that tell employees how to interact with enterprise systems and IT infrastructure: where files may be stored, which applications may process them, and how they may be transmitted securely to the next step in a business process.
As enterprise IT infrastructure expands, the complexity of these policies must also grow. A complex multi-cloud deployment can boost productivity significantly, but it also demands changes to security policy. As those policies become more complex, employee and user compliance may suffer.
This situation creates a balancing act between security and usability in the enterprise space. Improving security often comes with a tradeoff cost in usability, making productivity applications harder to use on a daily basis.
“Shadow IT” refers to devices, applications and services that employees use for work without the knowledge or approval of the IT and security teams. Overly complex or disruptive security policies are a common cause: when employees deliberately sidestep the sanctioned tools for processing and transmitting data, they expose valuable data to severe risk. If security leaders have no way to discover sensitive data on endpoints, that exposure may go entirely undetected.
Shadow IT is More Disruptive Than You Might Think
Let’s imagine your security policy stipulates that sales team members have to use a specific messaging app to communicate with customers. This keeps customer conversations within a system that feeds your enterprise resource planning software and that your security controls, logging and retention rules actually cover.
Now, let’s say your policy-mandated messaging app disrupts the employee experience with frequent authentication requests and verifications. Some employees will try to get around those disruptions by using alternative apps. They might simply use their personal phones to contact customers on Messenger or WhatsApp, for example.
If those alternatives are not part of your policy, then whatever happens on them is essentially invisible to your security team. Critical sensitive data may be scattered across different endpoints and shadow IT applications without anyone’s knowledge.
Paradoxically, if new security policies push employees to start using shadow IT capabilities, you might end up making security worse instead of better. Where you might have had limited or inadequate visibility before, now you have no visibility at all.
Shadow IT Complicates Compliance
Security leaders operating in a regulated industry need to be able to provide clear and consistent audit trails showing how sensitive data flows throughout the organization. Regulators need to know that there’s a robust information governance solution in place.
If personally identifiable information (PII), protected health information (PHI), or cardholder data covered by the PCI DSS ends up on an unsecured endpoint, the responsibility to explain how that happened falls on security leaders’ shoulders. This can be exceptionally challenging when the corresponding logs are missing, because the endpoint or application was never under the security team's management in the first place.
Every US state has its own data breach notification law. Under many of them, unauthorized access to sensitive data stored on an unsecured endpoint can meet the legal definition of a breach and trigger a notification requirement. Some states will let organizations avoid notification if the breach is “not reasonably likely to cause substantial harm to affected individuals.”
That means that if you detect exposed data early and mitigate the risk it represents to users, you stand a decent chance of maintaining compliance and avoiding damage to your reputation.
The Solution: Address Shadow IT Head-On
In order to address shadow IT risks, you must first shed light on what employees and users are doing to bypass security policies. Gaining visibility is the first step towards meaningfully securing alternative communications and apps throughout the enterprise.
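One concrete way to start gaining that visibility is to compare outbound web-proxy traffic against the list of sanctioned applications. The script below is an added example written for this post; it is not Actifile's product code and not part of the original article. The proxy log layout, the sanctioned-domain allow-list, the consumer-messaging domain map and the sample log lines are all hypothetical and constructed inline so the script runs offline.

```python
"""Flag traffic to unsanctioned messaging/SaaS destinations in web-proxy logs.

Added example (not Actifile code). The log format and every domain list below
are hypothetical assumptions made for the demo.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Hypothetical allow-list: destinations the security policy sanctions.
SANCTIONED = {"crm.example.com", "chat.example.com"}

# Hypothetical map of consumer messaging domains to a service label.
SHADOW_SERVICES = {
    "whatsapp.com": "WhatsApp",
    "messenger.com": "Facebook Messenger",
    "facebook.com": "Facebook Messenger",
    "telegram.org": "Telegram",
    "t.me": "Telegram",
}

# Hypothetical proxy log layout: timestamp, user, method, URL-or-host:port, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines for the demo; not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:12Z alice GET https://crm.example.com/api/contacts 200
2024-03-01T09:01:45Z alice CONNECT web.whatsapp.com:443 200
2024-03-01T09:02:03Z bob GET https://chat.example.com/rooms/sales 200
2024-03-01T09:05:30Z bob CONNECT www.messenger.com:443 200
2024-03-01T09:05:31Z bob CONNECT edge-chat.facebook.com:443 200
2024-03-01T09:07:10Z carol GET https://unknown-saas.io/upload 200
this line is malformed and must be skipped
2024-03-01T09:09:00Z alice CONNECT api.whatsapp.com:443 403
"""


def target_host(method, target):
    """Return the bare hostname. CONNECT (TLS tunnel) lines carry host:port, not a URL."""
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")


def matches(host, domain):
    """True if host is domain or a subdomain of it; never a plain substring match."""
    return host == domain or host.endswith("." + domain)


def classify(host):
    """Map a host to 'sanctioned', a known shadow-service label, or 'unknown'."""
    if any(matches(host, d) for d in SANCTIONED):
        return "sanctioned"
    for domain, label in SHADOW_SERVICES.items():
        if matches(host, domain):
            return label
    return "unknown"


def find_shadow_usage(log_text):
    """Return {user: Counter({label: hits})} for every non-sanctioned destination.

    Denied requests (e.g. status 403) are counted too: a blocked attempt is still
    evidence that the sanctioned tool is being avoided and worth a conversation.
    Unparsable lines are skipped rather than aborting the whole run.
    """
    usage = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(target_host(m["method"], m["target"]))
        if label != "sanctioned":
            usage[m["user"]][label] += 1
    return dict(usage)


if __name__ == "__main__":
    for user, counts in sorted(find_shadow_usage(SAMPLE_LOG).items()):
        print(user, dict(counts))
```

The "unknown" bucket is the interesting one in practice: it is where previously unseen SaaS tools surface, and it is the starting point for the conversation with employees described below rather than a reason for blocking on sight.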
This is a great opportunity to demonstrate empathetic leadership. Threatening or punishing employees for using unsecured applications is likely to backfire. It may simply encourage them to be more secretive about their shadow IT practices, further endangering the enterprise.
Instead, leaders will usually achieve better outcomes by opening up an empowering dialogue about the utility and value of security policies. Encouraging employees to give honest feedback on their user experience can help security leaders build better, more productive solutions.
At the same time, it gives IT security professionals a chance to educate employees and users on how security policies work and why they are in place. Employees are far more likely to demonstrate compliance with these policies when they understand the motives behind them.
This process will take time, but it is a critical step towards establishing a security-conscious office culture that values data privacy. Users and employees must feel empowered to self-police their use of IT infrastructure and achieve secure results.
Automatically Secure Your Data with Actifile
Cultivating a security-conscious office culture is a noble achievement, but it won’t happen overnight. Even once it is fully established, security professionals will need to consciously maintain it by educating employees and securing at-risk data points wherever they occur.
Actifile provides security leaders with automatic risk discovery and data encryption through a cloud-based, airbag-like protection system. Actifile detects unsecured sensitive data residing on non-compliant endpoints and reduces breach risk by encrypting those files. This provides immediate value to security teams and grants much-needed visibility into the shadow IT devices and systems currently in use throughout the enterprise.