
Managing Risk in Light of 'Shadow IT'

By David Ray
November 01, 2016

There is a growing gap between company-sanctioned apps, services and programs and what employees are actually using. This gap is called “Shadow IT” and it is emerging as a major challenge for both in-house and outside counsel as well as CIOs, chief privacy officers and chief information security officers.

The emergence of Shadow IT can be attributed to the consumerization of business applications. Employees are accustomed to “App culture” — downloading or setting up solutions themselves rather than going through IT. The average employee actively uses 30 cloud services, including eight collaboration services, five file-sharing services and four content-sharing services, according to a study from cloud security firm SkyHigh Networks. Workers seek out the best cloud-based resources to do their jobs, and often resist traditional corporate tools which are less user-friendly and don't promote easy collaboration and sharing.

Shadow IT Brings Unprecedented Risks

The new world of Shadow IT, however, poses unprecedented challenges, including risks related to protection of intellectual property, data privacy and security, compliance, e-discovery and records retention.

According to a Ponemon Institute survey, 45% of all applications used by organizations are in the cloud, but only half of those are visible to IT. Combined with poor governance and the increased risk of breach due to the consolidation of data, this creates a multiplier effect: For every 1% increase in the use of cloud services, the probability of breach increases by 3%.

The issue is top of mind for many business leaders. At the 2016 Legaltech New York conference, 62% of respondents in an onsite Consilio survey said they were concerned or very concerned about the potential security risk from cloud-based applications. The top concern was inadvertent disclosure of sensitive data, followed by theft of intellectual property.

Managing the risks of cloud-based Shadow IT must be a broad-based and collaborative endeavor, encompassing legal, IT, executive management, employees, outside vendors and others. Building a cross-functional internal committee is an important component of success.

Counsel Must Lead Effort

When dealing with Shadow IT, counsel can establish a leadership role by bringing their knowledge and experience to the evaluation, selection and governance of cloud applications. As experts on compliance requirements and legal issues, they can advise on how to balance the need for institutional control over data with the demands of the modern workforce. Further, their participation makes it clear that the issues raised by cloud-based apps and Shadow IT represent a serious liability to an organization in both legal risk and brand reputation.

Information Governance in the Cloud: Five Steps to Success

When determining how best to integrate cloud applications into a company's risk and governance framework, an information governance approach can be adopted to provide a template for ensuring that all necessary elements are considered. To do so, counsel should consider the following steps.

Identify

It is impossible to create a strategy without knowing the landscape: which cloud-based services are in use; what types of information are being stored on them; and how that information is governed and protected. A mix of people, process and technology is needed to identify the types of information that are stored (or are planned to be stored) with cloud vendors, the legal and regulatory requirements surrounding them, and the controls and contractual arrangements in place.

Sophisticated technologies have emerged over the past several years that make it possible for a company to quickly assess the cloud applications used by employees. This important step can help give a broad overview of the cloud landscape of sanctioned and unsanctioned applications. However, understanding the types of information and the contractual relationships in place requires deeper review, particularly for Shadow IT services.

A sensitive data inventory and data flows provide insight into how employees use cloud applications and the potential risks associated with them. A mix of scanning technologies, interviews and surveys provides visibility into the contents and use of cloud applications. For highly sensitive information or areas of specific regulatory concern, business process workshops can inform detailed data flows, revealing the methods by which information is transferred and potentially proliferated to third parties. And remember that this is not a one-time process; inventories and flows need to be kept evergreen, otherwise they will quickly become outdated and fall out of use.

Once there's a clear understanding of the scope of Shadow IT, counsel, in collaboration with IT, compliance and business leaders, can chart a path toward risk mitigation.

Govern

Once the risk and use of cloud applications are better understood, organizations should create or enhance policies governing the use of cloud applications and the flow of sensitive information to third parties. It is important to keep in mind that employees will typically follow the path of least resistance, and unduly restrictive policies are likely to exacerbate the push to Shadow IT.

It's likely that widely used apps are providing employees with new tools and capabilities that they're unable to get from their internal IT organization. Depending on the nature of the risk, some apps may be governed by appropriate vendor contracts, updated acceptable use policies, and risk-based training.

Apps that are viewed as mission critical or handle sensitive data should be “sanctioned” — brought under governance and control of the company and managed by an enterprise service agreement. If unsanctioned apps cannot be brought into compliance, identify alternatives that better support your information governance needs. For these applications, counsel plays a critical role in reviewing the vendor agreements for governance issues such as data privacy and security controls, data retention, and preservation for e-discovery.

With increasing requirements due to state and federal rules, as well as changes abroad with Privacy Shield and the General Data Protection Regulation, organizations have a greater responsibility to manage personal and sensitive data shared with third parties. By creating or enhancing third-party vendor risk programs, organizations can help ensure they are protecting the information shared with cloud vendors and demonstrate this for regulators.

Communicate

It's important to remember that no policy will work if employees don't know what's expected of them. To that end, education should be a key component of any governance strategy. Employees need to understand their responsibilities when it comes to ensuring data security and protecting privacy. They should be aware of any restrictions based on the sensitivity of the information, and given direction as to data placement.

While most organizations have a data classification policy in place, actual compliance is frequently inconsistent because the policy is either too complicated to follow, inconsiderate of business-specific needs, or not supported by change management. Employees need a straightforward way to understand which information the organization considers sensitive, and the appropriate controls that go with it.

Organizations should include cloud services and Shadow IT in their annual privacy and security training, along with regular communications reminding users of their role in protecting information.

Monitor and Enforce

The need for ongoing monitoring can't be overstated. Fortunately, there is technology designed to help companies track data access, use, sharing and storage. Software programs can flag immediate or potential problems, such as the use of unsanctioned apps; unusual patterns, including heavy information downloads; inappropriate data sharing; or spillage of personally identifiable information (PII) and protected health information (PHI), among other risky scenarios.
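The discovery step described under Identify and the flagging described here both start from the same raw material: who is talking to which cloud service, and how much data moves. The following is an added example (not code from the article or from Consilio) that builds a cloud-service inventory from constructed web-proxy log lines, marks services that are not on an assumed sanctioned list, and flags the two patterns named above: sizeable uploads to unsanctioned services and unusually heavy downloads. The log format, the sanctioned list and the service catalogue are all hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of web-proxy log lines (not from any real system):
# timestamp, user, destination host, bytes sent, bytes received.
SAMPLE_LOG = """\
2016-11-01T09:02:11Z,alice,drive.example-sanctioned.com,1200,48000
2016-11-01T09:05:40Z,bob,share.freebox.example,900000,3100
2016-11-01T09:07:02Z,alice,notes.quicksync.example,45000,2000
2016-11-01T09:15:19Z,carol,drive.example-sanctioned.com,800,420000000
2016-11-01T09:20:55Z,bob,share.freebox.example,1500000,2900
2016-11-01T09:31:07Z,dave,intranet.corp.example,300,12000
"""

# Assumed: the company's sanctioned services and the catalogue a discovery
# tool would use to label known cloud apps. Both are hypothetical.
SANCTIONED = {"drive.example-sanctioned.com", "intranet.corp.example"}
CATALOGUE = {
    "drive.example-sanctioned.com": "Sanctioned file sync",
    "share.freebox.example": "Consumer file sharing",
    "notes.quicksync.example": "Consumer note sync",
}


def parse_log(text):
    """Turn proxy log lines into dicts with integer byte counts."""
    fields = ["ts", "user", "host", "bytes_out", "bytes_in"]
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["bytes_out"] = int(row["bytes_out"])
        row["bytes_in"] = int(row["bytes_in"])
        rows.append(row)
    return rows


def inventory(rows, sanctioned=SANCTIONED, catalogue=CATALOGUE):
    """Identify step: which services are in use, by whom, how much data
    leaves toward them, and whether each is sanctioned. Hosts missing
    from the catalogue are kept as 'unclassified' so they get reviewed."""
    seen = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for r in rows:
        entry = seen[r["host"]]
        entry["users"].add(r["user"])
        entry["bytes_out"] += r["bytes_out"]
        entry["sanctioned"] = r["host"] in sanctioned
        entry["category"] = catalogue.get(r["host"], "unclassified")
    return dict(seen)


def unsanctioned_uploads(inv, min_bytes=100_000):
    """Monitor step: unsanctioned services receiving a meaningful volume
    of outbound data, the pattern the text calls inappropriate sharing."""
    return sorted(host for host, e in inv.items()
                  if not e["sanctioned"] and e["bytes_out"] >= min_bytes)


def heavy_downloads(rows, min_bytes=100_000_000):
    """Monitor step: single requests pulling unusually large volumes,
    regardless of whether the service itself is sanctioned."""
    return [(r["user"], r["host"], r["bytes_in"])
            for r in rows if r["bytes_in"] >= min_bytes]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for host, e in inventory(records).items():
        print(host, e["category"], "sanctioned" if e["sanctioned"] else "SHADOW",
              sorted(e["users"]), e["bytes_out"])
    print("upload review:", unsanctioned_uploads(inventory(records)))
    print("download review:", heavy_downloads(records))
```

The byte thresholds are placeholders; in practice they are tuned per organization from a baseline of normal usage, and the inventory is re-run on a schedule so it stays evergreen.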

Taking action to reduce risk from Shadow IT and other cloud-based data is an active and ongoing process. Whether the remedy is education or a more punitive course of action, companies must show that they are serious about cloud security and will respond appropriately.

Evolve

A cloud information governance program should be regularly assessed and optimized to ensure it meets organizational goals. The uses for sensitive information evolve rapidly in response to the development of new technologies, as well as changing technology laws and market conditions. Organizations need to follow these changes and ensure they continue to provide sanctioned applications and guidance to support the needs of their users, or the drive to Shadow IT will continue.

Bringing Shadow IT in from the Darkness

Shadow IT makes intellectual property and other data vulnerable, sidesteps (usually unwittingly) compliance and regulatory guidelines, and adds complexity to e-discovery. Trying to control the vast and growing amount of cloud usage is a challenge that gets harder by the day.

Nearly 90% of the Consilio survey respondents said data stored in cloud-based applications was considered and/or collected in legal or investigatory matters almost always, often or sometimes. However, only 25% reported that they formally address the security risks associated with Shadow IT through memos, meetings and other initiatives on a regular basis.

With their knowledge, leadership, an information governance approach, and the support of IT and executive management, counsel can help a company use technology to be productive — without putting critical information at risk.

David Ray is a director of Information Governance at Consilio, where he leads the Privacy and Protection consulting practice. As a licensed attorney and Certified Information Privacy Professional (CIPP), Ray's engagements include the development of RIM and e-discovery policies and procedures, strategic assessments and roadmaps, privacy and sensitive information mapping, technology requirements and RFP management, and training and education to support these initiatives.

