Shutting Down Shadow IT

Researchers claim that, on average, 50 percent or more of an organization's IT spend goes toward Shadow IT: the software and services users purchase and use without involving IT. Shadow IT can be a huge waste of money, but it has much more serious implications when it comes to cybersecurity.

The data your organization maintains is critical, and may represent the entirety of its intellectual property. Despite this, very few startup execs understand where their data lives and who has access to it, much less have a well-defined data management process.

Think about a key employee of your organization who generates a lot of critical data (copy, code, financials, whatever it may be). If that employee were to leave today, would you know exactly where all that data is? Is it on the company file share (if so, where)? Is it on their laptop hard drive? Home computer? Flash drives? A personal Dropbox account? Email attachments? Who else has access to that data, and who keeps track of it? If you don’t know the answers to these questions, does anyone?


Pick the Best Solution

There are a lot of options when it comes to file sharing, but we have some favorites. File servers, located in your office or in a remote location, are still used by many businesses and have legitimate use cases, especially for businesses that want an obsessive level of control over their systems. But they are difficult to maintain, often easier to hack, and almost always less flexible when it comes to remote and offline access. Most small and medium companies will want to stick with cloud options. Popular consumer/business tools like Google Drive and Dropbox have their benefits, but usually fall short when compared to business-oriented solutions like Box or our preferred pick for most situations: Egnyte.

You can have good data management practices regardless of your platform, but having a system that is user-friendly can make a huge difference when it comes to compliance. Many users resort to what they know when the company file share is too complicated to use.

Document Your Policies

Once you have a solution you like, document your data management policy in writing. If you don’t already have such a policy, a simple description of where data should and should not be stored is a good place to start. If you do have one, give it a thorough review to be sure it’s been updated after any recent platform migrations or changes. The specifics depend on your file sharing platform and workflows, but the general best practice is to have a single, secure file share where all company documents must be stored, and to ban storing data in any other location or sharing with unauthorized parties, with clear consequences. This becomes a lot easier to follow if your file sharing solution has options for syncing files to laptops offline, accessing them on the web, etc., and good training for users on leveraging these tools.

Next, look into how many people know about the policy. Is it included in the company handbook? Is it covered in new hire training? Is the document easy to find for existing employees? Be sure to cover all of these bases, and have a refresher training or at least an email reminder for all employees periodically. Many companies even send out surveys to quiz their employees on best practices.

Investigate Compliance

Finally, investigate whether your people are following the policy. You can ask, of course, though people are unlikely to be open about their bad habits. You could try manually spot-checking laptops for signs of files stored in local folders (like the Desktop) or looking for installed apps associated with other popular file sharing products you don't use.

You could also use reporting tools like the one offered by Cisco Umbrella (included in all Kinetix Security Bundles), which runs an agent on all machines and monitors internet traffic. It will give you a user-friendly report showing all the sites frequented by your users, giving you insight into whether they are supplementing your official tool with their personal favorite service. Enterprise-grade file sharing tools usually have reporting that shows when files have been downloaded and with whom links have been shared; Egnyte Protect is one of the best ones we’ve encountered.
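An added example (not Kinetix's or Cisco Umbrella's code) of the traffic-report check described above: it scans constructed DNS-log lines for connections to file-sharing services other than the sanctioned one (Egnyte, following the pick above) and tallies them per user. The log format, the domain list and the user names are assumptions; adapt the parser to your own tool's export.

```python
"""Flag use of unsanctioned file-sharing services in DNS/web-proxy logs.
Added example; log format and domain list are constructed assumptions."""
from collections import defaultdict

# Destination domains of common file-sharing services (assumed list; extend it).
# Note that sync clients often talk to API hosts, not the web front end.
FILE_SHARING_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "box.com": "Box",
    "egnyte.com": "Egnyte",
    "wetransfer.com": "WeTransfer",
}

# Constructed sample log: timestamp,user,queried domain,action
SAMPLE_LOG = """\
2024-03-01T09:12:03Z,alice,www.dropbox.com,allowed
2024-03-01T09:13:10Z,alice,kinetix.egnyte.com,allowed
2024-03-01T09:15:44Z,bob,drive.google.com,allowed
2024-03-01T09:16:02Z,bob,docs.google.com,allowed
2024-03-01T09:20:31Z,carol,wetransfer.com,allowed
2024-03-01T09:21:00Z,carol,content.dropboxapi.com,allowed
2024-03-01T09:25:15Z,dave,us-east.egnyte.com,allowed
"""

def classify(domain):
    """Return the service name if domain is, or is a subdomain of, a known
    file-sharing domain; otherwise None. Walks label suffixes so that
    'www.dropbox.com' matches but 'notdropbox.com' does not."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        service = FILE_SHARING_DOMAINS.get(".".join(labels[i:]))
        if service:
            return service
    return None

def shadow_it_report(log_text, sanctioned):
    """Count per-user hits on file-sharing services other than `sanctioned`.
    Returns {user: {service: count}}; users with no hits are omitted."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, domain, _action = line.split(",")
        service = classify(domain)
        if service and service != sanctioned:
            report[user][service] += 1
    return {user: dict(counts) for user, counts in report.items()}

if __name__ == "__main__":
    for user, counts in shadow_it_report(SAMPLE_LOG, sanctioned="Egnyte").items():
        print(f"{user}: {counts}")
```

Users who appear in the output are candidates for a follow-up conversation and a permissions review, not proof of wrongdoing; a single hit may be someone opening a link a customer sent.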

You’ll also want to do a thorough review of which users have access to which data and make sure that no one has been granted access to something above their security level. Your investigations should lead you back to updating your policies, re-training your people, and changing permissions to reduce the chances of data ending up in the wrong place.

Remember that those Shadow IT systems aren't just increasing sprawl and reducing oversight: a hacker who gains access to data stored on these systems will likely have free rein, since no one in IT will be alerted when a breach happens.

Don’t Wait

Most startups don't take Shadow IT and data management seriously until a crucial presentation vanishes after a laptop crash, a departed employee takes their IP with them, or worse, a massive security breach occurs. Be proactive, and don't wait for disaster to strike.

If you need any help choosing a good file sharing solution, migrating to a new one, drafting or editing a data management policy, or investigating compliance, don’t hesitate to reach out to Kinetix.