Shadow IT: Do You Know Where Your Company Data Is?
by Mark Adams, on 26-Aug-2015 17:14:18
Shocking, isn’t it? With that many unsanctioned apps being used, how can you possibly know where all of your company’s data is located? Isn’t that a recipe for disaster?
Despite the way it sounds, shadow IT can actually be a good thing for your company, but in order for that to happen, you need to understand the tools being used and where your data is going. Then you can work to make sure that data is protected to ensure you reap the benefits of the cloud.
But who’s job is it to make sure your data is safe? That’s exactly what I’m about to discuss.
Who’s Responsible For Data Protection Within Shadow IT?
To state the obvious: People need data to do their jobs. And that data is a valuable asset to your company. But if the data is compromised, the company will be the one in trouble. That means it’s the company’s responsibility to make sure that data is protected. That said, your employees need to take data protection as seriously as you do.
When it comes to shadow IT, your company’s data is going into different places and being dispersed across a wide range of services (services that you may not even know exist within your organization). If you don’t know where that data is at, you won’t be able to adequately manage or protect it. That doesn’t mean you should stop giving employees access to data, or make them stop using the services that the data is being entered into. It simply means you need to find out what those services are and where that data is located.
Knowing what data is being put where and for what purpose, as well as understanding the risks associated with that data if it gets lost or stolen, will help you manage the data and make sure the correct protection policies are in place.
There are different forms of data that will require different forms of protection.
Personal Data & Compliance
According to the Personal Data Protection and Breach Accountability Act of 2014, businesses are required to do all of the following:
Implement a comprehensive program that ensures the privacy, security, and confidentiality of sensitive personally identifiable information.
Assess risks of future security breaches and design a personal data privacy and security program to control such risks.
Establish a federal security breach notification procedure.
Basically, that means an employee’s personal data cannot be taken lightly—if you have their information, you can’t let it slip into another person’s hands. So, a financial advisor who has all of an employee’s financial information must take great care in regulating it to ensure no one else has access to it. That data should only be stored in applications that have been approved by the company.
General Data With High Business Value
There’s also more general company data, which is less of a concern from a compliance perspective, but probably has a high business value. This becomes an area of concern within shadow IT when someone with important data leaves your company.
Let’s say you’re a salesperson in the process of negotiating several contracts, and you have that data stored in a CRM system (that only you are using). If you were to leave the company, you would take that information with you. The company would no longer have access to the data because it’s in your personal CRM service, and the employee who takes your place will have no idea where to pick up the conversations with those prospects.
Another issue with data inside shadow IT is that it can become difficult for employees to collaborate when data is dispersed across multiple services and applications. Of course, one of the main benefits of the cloud is that it can make collaboration easier, but it only works if the right tools are being used and the information is going to the right place. That means you need to make sure people are using a common toolset, rather than everyone using their own solution.
It’s Not Just An IT Problem
I want to stress that shadow IT is not a problem that can simply fall back on the IT department. It has to be a shared responsibility among managers throughout the company.
Managers of each department—whether it be sales, marketing, finance, human resources—should know what services and apps their team members are using. Each manager should be able to track the data going into these tools and report back on it regularly.
There must be a company culture around knowing and understanding what apps are being used and what data is going into them—this leads to reviewing applications and performing a shadow IT audit to find out exactly where your data is going.
As I said before, people need access to data in order to do their jobs. The reason your employees are seeking out new services and applications within the cloud (that have not been approved by your company) is so they can do their jobs better and more efficiently. So instead of locking down data and IT procurement, become aware of the tools being used—then you can begin to manage them.
Ask your employees what services or applications they’re using that are helpful to them, and find out what data is being input into those applications. Then assess the risk of those tools with that data and share any concerns you have with employees. If you feel that your data is unsafe within a particular application, suggest another app that would be more secure. Also, make sure that employees who need to work with the same data are using the same applications to ensure everyone can collaborate.
Once you begin managing shadow IT and the tools being used by your employees, you’ll be able to protect your company’s data.