Shadow IT is when employees use unapproved software, apps, and devices to do their jobs. Typically, employees have good intentions and may turn to various ad-hoc services to get their work done because they don’t believe their employer provides them with a good solution. Since the 2020 Coronavirus outbreak, surveys of IT professionals have revealed that the rise in employees working from home has generated a surge in this practice. Find out why even the best-intentioned uses of shadow IT can pose a security threat to your valuable information and how you can control it.
Why is Shadow IT a Security Problem?
According to reports from MS Office, almost three-quarters of executives admit they don’t know how many shadow IT applications or devices their employees use. This isn’t surprising. According to Microsoft, even security professionals gravely underestimate the problem. On average, they believe all workers in their organization use 30 to 40 unapproved tech solutions when a better figure would probably be closer to 1,000.
These facts also aren’t surprising when you see studies that reveal that about 87% of senior managers have uploaded sensitive documents to a personal email or cloud account. If even senior leadership succumbs to these temptations, you can bet your business has a widespread problem.
While mostly well-intentioned, using all of these unapproved and unknown apps can generate dozens of serious problems for data security and data integrity. Some critical issues include:
- Lack of visibility: IT can’t manage resources that they aren’t even aware of. Companies need tools to monitor their networks and any new devices or applications that interface with them.
- Impossible to enforce compliance rules: If a business doesn’t even know a resource exists, there’s no way to make sure it complies with government regulations or internal governance. Especially with sensitive data, organizations need to ensure employees get permission before using third-party solutions.
- High risk of lost data: Again, there’s no way to know whether somebody uploaded the latest and most correct version of a document to their personal email or cloud service and then got sick, abruptly left the company, or simply had a problem with their unapproved device or software’s storage. Businesses need a way to track information additions, deletions, and changes, and they also need to ensure these changes get backed up.
- Impaired efficiency: If one team has decided to share documents on a cloud server but another team is passing email attachments around, departments will fall out of alignment. If multiple departments need solutions for such issues as collaboration and document sharing, the company should implement one approved solution.
- Vulnerability to digital threats: Obviously, this is the 900-pound gorilla in the room. You have probably read plenty of stories about attacks on popular software like Zoom and Google Drive. These days, companies are particularly vulnerable to phishing attempts made on an unsuspecting user’s email. Solutions that can reduce the risk could include enterprise-security software, audit trails, and two-factor authentication.
Again, most employees turn to outside solutions out of the best of intentions. A good first step probably includes surveying your workers to find out what features they lack in the toolkit your business already provides for them. Then, you can keep people productive and your business safe by evaluating various solutions to fill in these gaps.
At the same time, you’ll also help improve company-wide efficiency and make security’s job easier by keeping your entire company in alignment. You won’t have to worry that a director has uploaded a sensitive document to his email and one team leader uploaded the attached document to Google Docs right before sharing the Edit link with his entire group. In that situation, nobody can say which version is correct, or even whether any of them is.
Future-Proof Your Workforce and Business With M-Files
An enterprise-grade, AI-enabled information management solution like M-Files can almost automatically remove the temptation for employees to turn to ad-hoc solutions to do their jobs.
- The software’s smart features can give employees everything they need to work, share, and collaborate. They won’t have the motivation to turn to private email, software, or storage accounts to get their jobs done — especially when they can access business critical information from anywhere and from any device.
- The sophisticated, certified security will ensure that employees have only the access they need, and even better, M-Files will handle audit trails and version control. You won’t have to worry about lost, missing, or confusing data.
- Using this one, standardized solution will also help keep teams, departments, and entire companies in alignment as they all rely upon the same system. This helps improve communication, business processes, and efficiency.
- Employees will also appreciate the fact they can securely log in to M-Files from anywhere and with various internet-connected devices. M-Files enables the remote workforce you employ today and in the future.
Schedule some time with us — we’re here to be a resource for you about your shadow IT concerns within your organization. We’ll explain how M-Files features can ensure your employees have a secure, workable solution. We can also arrange a free trial or demo, so you can actually watch M-Files in action as it improves your company’s security, efficiency, and alignment.
The pandemic has unsettled the world, leaving us all to navigate the uncertainty. I don’t need to elaborate. We all know and feel the effects the COVID-19 pandemic has had on our economy, workplaces, and personal well-being.
However, at the time of writing this, restrictions around the world are starting to lift, little by little. And as the initial hurdle comes to a close, we are gradually shifting our attention from the panic of “What now?” to “What’s next?”
As a Product Marketing Manager for M-Files, I am in the game of figuring out what moves and shakes people to change, or more specifically what drives companies to invest in new technology. This pandemic has certainly offered a new driver to the mix.
COVID-19 has Forced Companies to Transform (and Transform Quickly)
Before this crisis, some common drivers across many industries included items like increasing efficiency in a competitive landscape, winning and retaining new business, and minimizing risk.
These drivers are still relevant. The pandemic, however, has presented a new driver — resilience. Namely, how can companies ensure and maintain operations in times of crisis? How can companies continue with business as usual in times when business is not usual?
While the initial hurdle of this pandemic seems to be coming to an end, there is no guarantee that the pandemic will not grow worse or that further restrictions will be enforced in the future (some news media portend the possibility of a second wave of cases globally). And as experts warned us of a possible pandemic before COVID-19, they are also insisting that we realize that other pandemics are just as possible in the future. We simply do not know. We used to operate with a false sense of certainty about the future, but this crisis has exposed just how uncertain things really are. Despite this, we are certain that the COVID-19 crisis has taught us that businesses need to transform. We can feel confident about that lesson. And when there’s need for great transformation, there’s need for great guidance.
Bring in the Consultants!
The reason I boldly claim that we need consultants now more than ever is because we’re in uncharted territory. Emotions are strong and it’s difficult, for both employees and business leaders, to wrap their minds around what to do next. Consultants, by and large, are transformation experts. We call on consultants to get us from one state to the next, because they have the expertise, experience, resources and know-how to pave a path to our objectives.
When it comes to the topic of resilience, businesses are plagued with questions around policy, leadership, technology, security, and change management while also grappling with the struggles of maintaining business today. This presents an interesting opportunity for people in the thinking industry.
The Driver: What’s driving or forcing companies to change?
The COVID-19 crisis has tested the resilience of the business world.
The Objective: What do companies need to do in response to this driver?
Companies have been forced to establish and maintain organizational resilience — to handle future crises.
Business Changes: What transformations must take place for companies to meet these objectives?
To establish and maintain organizational resilience, companies must:
- Institute a flexible and secure work environment
- Reduce costs to buffer current and potential decreases in revenue
- Enable a remote, yet effective workforce that can work either from the office or at home
- Establish policies and procedures for times of crisis and train staff on policies
- Train leadership on managing and leading in times of crisis
- Uphold excellent customer experiences in times of crisis
Business Value: What is the potential business value of these transformations?
When companies are resilient to crises, they:
- Retain more business
- Maintain business continuity in times when business is not usual
- Have better buffers for sudden revenue decreases
- Mitigate risks to security and quality — in areas like information security, safety, and compliance
- Increase workforce satisfaction and trust
So, if you’re in the service of helping businesses transform, take a moment to consider if this new driver offers your firm new opportunities. And in doing so, consider the following:
- What sort of products or services can you provide to help potential or existing clients manage this crisis?
- What sort of training do you need to better help your clients manage crises and build resilience?
- What sort of content can you develop to help your clients manage our current global predicament?
In times of global uncertainty, we need people in our corner to help us put one foot in front of the other. That’s why we need consultants now more than ever.
As more companies start to transition away from paper files and towards digital, the threat of data breaches increases, as do the disasters that come with them. In 2018, the United States experienced 1,244 data breaches resulting in 447 million records exposed.
There are hordes of hackers and nefarious people that work hard to breach weak security protocols and gain access to important documents. But let’s not discount the less nefarious yet risk-laden instances of security compromise. What about employees who access files that they weren’t authorized to look at — either accidentally or on purpose? What about Alan’s termination letter that was left on the printer right next to Alan’s desk?
Depending on your cybersecurity efforts, your IT department might already be using the latest firewalls, malware detection, and anti-virus software, so that the perimeter of your company’s documents is always secure. Having a strong external security system in place to prevent hackers from getting in is necessary for any company to function. But do you have a system in place to protect your documents from internal breaches?
Whether intentionally or not, an employee may gain access to emails that contain sensitive information, be forwarded important documents, log in to a public computer and forget to log out, or end up in any of many other scenarios that result in a data breach.
To help protect your files from internal data breaches even as your company grows, intelligent information management (IIM) solutions like M-Files could be your first line of defense. IIM solutions ensure that all your unstructured files, documents, and business processes are stored, captured, managed, preserved, and delivered on a centralized network for easy retrieval. Below I’ll discuss how an IIM platform can help you protect your data from internal breaches.
The whole takeaway here is that data security should be enforced, not only as protection from outside intruders, but at the document-level for internal security.
“It has long been realized that encrypting content at rest, and particularly content in motion, is the only way to secure sensitive and potentially damaging content,” according to this AIIM report. “But suppose that instead of building protective walls around places where sensitive documents are held, we embed security into the document itself?”
Permissions and Access
It goes without saying: sensitive documents should only be accessible to those who need access. It’s easy to have control over a few employees and the content they access in the first stages of your company. However, for growing companies, scaling access permissions can get unwieldy.
With M-Files, you can set access permissions for whole classes of documents and data objects, in addition to specific documents, and even for different versions of the same document or object – including assigning roles that give different levels of access to different users or user groups, such as managers.
M-Files ensures that information is accessible to the people who need it, and inaccessible and unseen by those who don’t need it or aren’t sanctioned to access it. Access permissions can be controlled by user, group, role, or any metadata property, with no need for scripting and with the flexibility to address unanticipated future needs. Take these two examples:
- Employment documents. Employment agreements can be tagged to selected employees, making the agreement visible to that user, their supervisor and the HR department, but no one else. If there’s a management or organization change, just change the supervisor property of the employee and all related documents become visible to the new supervisor.
- Sensitive project documents. When project team members are assigned to a project, all associated documents will be visible to only them. Brought on a new team member? Simply assign them to the project group. No need to micromanage and examine permissions for every piece of information related to the project. This approach simplifies onboarding new team members, and also makes it easy to allow external users such as partners and customers to securely access project-related documentation and participate in related processes and workflows.
M-Files also supports the concept of “faceted permissions” — where multiple metadata properties together can define the permissions of a document. In the project-based scenario above, for instance, if permissions are created for project group members, you can make certain document types — like an agreement or contract — visible only to project managers of the related project.
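The two scenarios and the faceted rule above can be modelled in a few lines. This is an added illustration, not M-Files code or its API: the classes, property names, users and the "apollo" project are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Toy model of metadata-driven permissions. Every name here is hypothetical;
# this is not the M-Files API or rule engine.

@dataclass
class Directory:
    supervisor_of: dict = field(default_factory=dict)     # employee -> supervisor
    groups: dict = field(default_factory=dict)            # group name -> set of users
    project_managers: dict = field(default_factory=dict)  # project -> set of users

@dataclass
class Document:
    doc_class: str                  # "employment_agreement", "contract", "spec", ...
    employee: Optional[str] = None  # metadata: whom the document concerns
    project: Optional[str] = None   # metadata: owning project

RESTRICTED_CLASSES = {"agreement", "contract"}  # project-manager-only classes

def can_view(user: str, doc: Document, d: Directory) -> bool:
    """Deny by default; the decision is derived from metadata at check time."""
    if doc.doc_class == "employment_agreement":
        allowed = {doc.employee, d.supervisor_of.get(doc.employee)}
        allowed |= d.groups.get("hr", set())
        allowed.discard(None)
        return user in allowed
    if doc.project is not None:
        managers = d.project_managers.get(doc.project, set())
        if doc.doc_class in RESTRICTED_CLASSES:   # faceted: project AND class
            return user in managers
        return user in managers | d.groups.get("project:" + doc.project, set())
    return False  # no metadata rule matched

def demo() -> dict:
    d = Directory({"alan": "beth"}, {"hr": {"hana"}, "project:apollo": {"carl"}},
                  {"apollo": {"dina"}})
    agreement = Document("employment_agreement", employee="alan")
    contract = Document("contract", project="apollo")
    spec = Document("spec", project="apollo")
    out = {"beth_before": can_view("beth", agreement, d)}
    d.supervisor_of["alan"] = "erin"            # reorganisation: one property edit
    out["beth_after"] = can_view("beth", agreement, d)
    out["erin_after"] = can_view("erin", agreement, d)
    d.groups["project:apollo"].add("finn")      # onboarding: one group assignment
    out["finn_spec"] = can_view("finn", spec, d)
    out["finn_contract"] = can_view("finn", contract, d)
    out["dina_contract"] = can_view("dina", contract, d)
    return out
```

Because no per-document access list is stored, the old supervisor loses visibility at the same moment the new one gains it, which is the property worth checking when reviewing any rule set of this kind.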
In regulated industries where compliance is key and audits by customers, vendors and regulating bodies are required, M-Files consistently enforces access control policy. M-Files enables businesses to easily prove they are following required procedures and regulations.
Audit Trails and Proactive Reporting
Audit trails and proactive reporting are useful during or after a data breach. You can use them to determine who has been accessing files, when they were doing it, and which documents they were after. Your IIM solution will notify you of any suspicious activity that occurs so you can attend to it as needed.
As an example, your IIM can notify you that a finance department staffer, who has access to all invoices, payroll, and tax-related documents, is conspicuously downloading confidential information (a few vendor invoices, employee payroll, and company tax documents) while they’re on vacation, without notifying you of their intent. If you suspect something untoward, once you’re notified, you can block access to all documents until further investigation is conducted.
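The kind of rule behind such a notification, as an added example that is not taken from M-Files: the audit-event layout, the leave calendar, the user names and the threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data: the audit-event layout and the leave calendar are
# assumptions for illustration, not an M-Files export format.
AUDIT_CSV = """timestamp,user,action,document,classification
2024-07-01T09:12:00,fiona,view,handbook.pdf,internal
2024-07-15T23:41:00,fiona,download,invoice-1041.pdf,confidential
2024-07-15T23:42:10,fiona,download,payroll-2024-06.xlsx,confidential
2024-07-15T23:43:30,fiona,download,tax-return-2023.pdf,confidential
2024-07-16T10:05:00,greg,download,payroll-2024-06.xlsx,confidential
2024-07-16T10:06:00,greg,view,tax-return-2023.pdf,confidential
"""
ON_LEAVE = {"fiona": (date(2024, 7, 10), date(2024, 7, 24))}  # inclusive range

def on_leave(user, day):
    """True if the leave calendar lists `user` as away on `day`."""
    span = ON_LEAVE.get(user)
    return span is not None and span[0] <= day <= span[1]

def flag_downloads(audit_csv, threshold=3):
    """Return {user: [documents]} for users who downloaded at least `threshold`
    distinct confidential documents on one day while recorded as on leave."""
    per_day = defaultdict(set)
    for row in csv.DictReader(io.StringIO(audit_csv)):
        day = datetime.fromisoformat(row["timestamp"]).date()
        if (row["action"] == "download"
                and row["classification"] == "confidential"
                and on_leave(row["user"], day)):
            per_day[(row["user"], day)].add(row["document"])
    alerts = {}
    for (user, _day), docs in per_day.items():
        if len(docs) >= threshold:
            alerts.setdefault(user, []).extend(sorted(docs))
    return alerts
```

Greg's download in the sample is not flagged: he is not on leave and stays under the threshold, so routine finance work does not generate alerts.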
Sometimes we all hold on to documents or belongings that we should’ve thrown out. While hanging on to a few personal items isn’t disastrous, doing the same with company files presents risk. Although there are certain documents that a company must retain for protection purposes, not all of them have that same weight.
An IIM solution will notify you when certain content has been idle for too long and is taking up space. It’ll then ask you if you want to keep or discard it. If you have no more use for content, you can discard it, which ensures that no one has access to old documents that still contain sensitive information.