Asset Management, Application security

Shadow IT hurts organizations more than they think

Today’s columnist, Mark Wojtasiak of Code42, says security teams need to embrace collaboration tools employees find useful like Slack, but they have to educate users on the risks these apps present to the organization. (Photo by Stephen Lam/Getty Images)

How often has a security pro sat down to work with a project deadline looming, only to have the processes and tools provided by IT slow them down? It happens to the best of us and more often than organizations realize.

People always find a way to solve a problem and many times that involves bypassing authorized processes and recognized systems. How so?

Employees download a new collaboration tool or revert back to a trusted personal cloud account that lets them seamlessly complete a task. In the employee’s mind, they are keeping the team productive while ensuring deadlines are met.

No harm, no foul. Right?


The rapid adoption of cloud-based collaboration tools and data storage both corporate and personal during the pandemic has driven security teams to evolve and modernize quickly — but many security teams haven’t been able to keep up with this pace of change. More than 60% of employees report using unsanctioned apps and devices to get their jobs done, making it even easier for them to — albeit unknowingly — expose sensitive data through tools that are outside the company’s security perimeter.

Without the right tools in place, once a file gets uploaded to a personal cloud, it’s all but invisible to the security team. Even worse, that data is now ready for any malicious actor, negligent or misguided employee to make it available for the world to access.

This may sound extreme, so let’s put some numbers behind it.

Research shows that at least 33% of reported data breaches involve an insider and more than 78% of those insider data breaches result in unintentional data loss or exposure.

Further, trusted insiders cause an average of 13 data exposure events per user per day by moving corporate files to untrusted locations via email, messaging, cloud or removable media. What does this mean for an organization? The cost could be as high as 20% of a company’s annual revenue.

If the data doesn’t talk, the loss of money sure does.

Trust: The new frontier

Today’s workforce relies on the same tools that have also created our Shadow IT problem. Applications like Slack, Basecamp and Box have become critical elements of seamless hybrid work. Unfortunately, an increase in collaborative tools results in more insider risk. To prevent risk inside an organization, security teams need to help employees understand corporate expectations and guidelines around data and project ownership. It’s time to start creating a culture of greater data stewardship, and educating employees about risks involved with sharing data, files, source code and presentations across trusted and untrusted platforms, corporate, and personal.

It’s also time for security teams and leaders to own the spotlight they’ve been in over the past year and leverage this rapid digital and remote move to prepare better for the future. Meeting employees where they are can certainly help. Poll employees on their favorite applications and make sure they are vetted by the security team — this will keep employees happy and productive while ensuring data remains secure. In addition, create a line of transparency between security and other divisions in the organization to promote greater dialogue where employees will no longer feel like the villain. As a result, employees will feel more empowered to flag potential data exposure or consult the security team for data protection best practices.

The nature of our digital working environment means Shadow IT isn’t going anywhere. Sharing (and exposing) data has never been easier. Collaboration tools create immense value for the organization, but without the right steps and technology in place, business leaders can be sure that security will remain in the dark and data will continue to be at risk.

Mark Wojtasiak, vice president of market research and strategy, Code42

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.