For years, companies have been struggling to understand the multitude of locations where their data resides. From traditional employment files with embedded Social Security numbers, to new-aged hiring software with videos of job applicants, and enterprise software used to facilitate employee communications, controlling employee, customer, and corporate data is, to say the least, a logistical challenge. One of the newest entries into the mix is the increased use of ShadowIT and cloud-based storage systems.

ShadowIT involves workers’ use of unsanctioned products and applications to perform the work of the business enterprise. In other words, ShadowIT occurs when employees use their personal emails and applications, such as a cloud-based storage system, instead of company-approved solutions. According to a recent survey, about one-third of IT use is considered ShadowIT. Whether responding to a subpoena in a wage and hour dispute, attempting to safeguard previous corporate secrets, or analyzing the extent of a data breach, a company’s failure to understand the scope and location of ShadowIT data could be problematic. Companies should have policies in place regarding employees’ (and other workers’) use of unapproved applications, but there should also be an understanding that a policy is not a panacea.

For data storage, recent studies show that most organizations are using over 1,000 cloud-based services. Indeed, one such study found that an average organization had 1,154 cloud services in use. This large number demonstrates that companies must manage the sheer volume of data in the cloud or potentially be exposed to liability.

Companies must also think about physical storage when a laptop or a phone is stolen and suddenly control over data on that item is lost. One leaked file in California, for example, could require a company to send out a data breach notification to millions of customers in California (an issue magnified under varying state laws as well in the current landscape). No overall system is perfect for this task, and the idea that company data can be completely controlled may be an illusory one, but there are important issues for companies to consider and sensible steps that they should take to safeguard data, including the following:

  • Survey ShadowIT Usage. Companies should consider conducting anonymous data audit surveys of employees to find out what other applications or products employees are using to perform their jobs. The company can then review its IT department to determine if it lacks the functionality for a certain program or if the problem of unsanctioned product use is simply a result of a lack of employee education as to the sanctioned products available to employees.
  • Manage ShadowIT Usage. Employees using ShadowIT or unsanctioned products create control risks for companies, and employers may consider disciplining employees for not following corporate policies on approved applications. On the other hand, having draconian disciplinary measures in an effort to maintain control over data will not necessarily stop ShadowIT use but may force it deeper undercover. Discipline could also have an adverse impact on employee engagement and retention.
  • Consider “Amnesty.” Companies should consider whether it makes sense to implement a time-limited policy, whereby employees can bring their unapproved software or application to the IT department to see if the program can be moved onto an approved list from the corporation, without the threat of discipline or sanction.
  • Review Vendor Contracts. Companies should review their contracts with vendors for approved cloud-based products and software. This may include auditing other cloud-based companies where data is stored to ensure that the company is adhering to best practices of network security. The contracts should contain data breach notification clauses, as well as indemnification agreements, when possible.
  • Train Workforce. Frequently, employees are the “weak link” in data control efforts, as they are often the cause of a data breach into a company’s secure network. Training employees about how to spot scam phishing emails and protect intellectual property can go a long way toward mitigating that risk.

Technology is constantly evolving such that there will always be a new product or service that could potentially be a benefit to employee productivity. A ShadowIT survey, while helpful, is only a look back in time. Companies need a way to address ShadowIT use as it evolves going forward. A company prohibition on ShadowIT without some method for employees to submit new products for consideration without fear of reprisal keeps the company in the dark about its data. Companies must also be mindful of the other cloud-based providers’ security protocols and the likelihood that a third party could accidently let sensitive data out into the public domain.

A version of this article originally appeared in the Take 5 newsletter “Five Trending Challenges Facing Employers in the Technology, Media, and Telecommunications Industry.”

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.