Shadow IT refers to the use of information technology systems, software, and devices without explicit permission from the company’s IT department, a practice that can put the entire system’s security at risk. With the widespread adoption of cloud-based applications, such behaviour has been on the rise. In a few cases, shadow IT leads to productivity and innovation, but the risk-reward ratio is not tipped in favour of organisations.
Then there is shadow data, which poses an even greater danger. It covers the risk associated with all the data uploaded, stored, and shared via the cloud, irrespective of whether it travels through permitted routes. Even an organisation with the best compliance and security policy is not wholly immune from data loss or hampering threats.
Common collaboration and file-sharing apps such as Box, Office 365, Dropbox and Google Drive are also prone to shadow data threats.
The word “cyberattack” brings to mind unauthorised third-party intrusions into systems. But sometimes cyberattacks result from information leaking from within an organisation, intentionally or inadvertently.
Notably, the most significant risk of shadow data comes from unsuspecting employees: individuals who do not have malicious intent but pose a threat by oversharing confidential information. It happens due to poor compliance and data governance policies and training, inadequate security, negligence, or unintentional misuse.
According to a Symantec report, of the 758 million cloud-stored documents analysed by the cybersecurity company, 13 percent were broadly shared with a high risk of exposure. Broadly shared data refers to documents shared widely with employees of an organisation or third-party contractors and, in some cases, documents that are public.
Additionally, administrative oversight may also result in shadow data. For instance, when the directories are not kept up to date, it might result in sharing data with former employees.
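The two exposure paths described above, broadly shared documents and shares left in place for former employees, can be checked against a sharing inventory. The following Python is an added example, not code from the Symantec report or from any vendor tool; the domain, the directory, the field names and the sample records are all constructed assumptions.

```python
ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed directory export: address -> account still active?
DIRECTORY = {
    "asha@example.com": True,
    "ravi@example.com": True,
    "meera@example.com": False,  # has left; her sharing entries were never revoked
}

# Constructed sharing inventory. Field names are hypothetical, not a vendor schema.
SHARES = [
    {"doc": "payroll.xlsx", "link": "public", "users": ["asha@example.com"]},
    {"doc": "roadmap.docx", "link": "org-wide", "users": []},
    {"doc": "contract.pdf", "link": "restricted", "users": ["pm@vendor.example"]},
    {"doc": "handover.txt", "link": "restricted",
     "users": ["Meera@example.com", "ghost@example.com"]},
    {"doc": "notes.txt", "link": "restricted", "users": ["asha@example.com"]},
]


def classify(share, directory=DIRECTORY, org_domain=ORG_DOMAIN):
    """Return the sorted exposure findings for one document."""
    findings = set()
    if share["link"] in ("public", "org-wide"):
        findings.add(share["link"])
    for user in share["users"]:
        addr = user.strip().lower()          # directories rarely agree on case
        domain = addr.rpartition("@")[2]
        if domain != org_domain:
            findings.add("external")         # contractor or other third party
        elif addr not in directory:
            findings.add("unknown-internal")  # on our domain, absent from directory
        elif not directory[addr]:
            findings.add("former-employee")  # stale entry: account is inactive
    return sorted(findings)


def audit(shares):
    """Map each exposed document to its findings; clean documents are omitted."""
    report = {s["doc"]: classify(s) for s in shares}
    return {doc: found for doc, found in report.items() if found}


def broad_share_ratio(shares):
    """Fraction of documents that are public, org-wide or shared externally."""
    broad = {"public", "org-wide", "external"}
    hits = sum(1 for s in shares if broad & set(classify(s)))
    return hits / len(shares) if shares else 0.0
```

Calling `audit(SHARES)` lists each exposed document with its findings, and `broad_share_ratio(SHARES)` gives the share of documents that fall under the article's "broadly shared" definition.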
What Can Be Done?
The risks associated with shadow data typically include exfiltration, account takeovers, and data destruction. Among these, account takeovers are the most dangerous, especially when the employee uses the same credentials for the cloud and their internal system. With access to the cloud service, an attacker may even attempt to delete an entire virtual machine or the data.
We spoke to experts to understand how to mitigate the risks of shadow data.
“We are talking about a conscious balance between decentralised innovation and data leakages. So, I’d recommend inventorise – assess – detect – isolate – protect. In most organisations – there is neither an inventory of applications nor data, which is updated and maintained religiously. We often talk about the graph of a customer base. But we do not talk about the graph inside an organisation – where a system is also treated as a living entity. Once we inventorise, we may want to diligently work towards assessing potential information sensitivity, governance protocols, security measures, etc. All this would lead to the kind of anomaly detection paradigm we need to have in place. In the event an anomaly is detected, immediate isolation, followed by a protection mechanism, needs to jump in. The role of a CISO or the Data Protection Officer as a stakeholder on the innovation table is vital.
To start with, however, we should roll out domain-based policy management across all IT assets that will help in initial data collection and understand to what extent shadow data and tools around it are used. The general place to start looking is in terms of data exchange tools (documents, chats and tools). This is more of an evolving journey,” said Amit Das, CEO and Co-founder, Think360.ai.
“There are several steps companies can take to reduce the security risks associated with Shadow Data. Firstly, companies must leverage robust data-encryption tools to protect lost or stolen data from unauthorised access. Secondly, they must ensure that all enterprise software, including file-sharing applications, have carefully-configured permissions and meet standard security benchmarks. Additionally, organisations can invest in IAM (identity and access-management tools) to protect employee mobile devices and implement two/multi-factor authentication to prevent unauthorised access,” said Shrey Kapoor, Computer Hacking Forensic Investigator & Cyber Security Expert.
Sunit Nandi, the founder of Letter, a privacy-focussed email provider, said adopting the following measures could reduce the risk of Shadow Data:
- Encrypting all the data stored/used on public cloud
- Opting for private cloud over public
- Using pseudonyms instead of real names for social media interaction
- Strictly deleting or disabling accounts of people who leave/exit/resign from the corporation
- Avoiding third-party services wherever possible and preferring self-hosted services
- Doing regular security audits
- Hiring skilled system administrators