Posted by Rob Stevenson, CEO and founder of Legal Futures Associate BackupVault
When staff in organisations start using online services independently without following their in-house IT team’s approval process, those online services become ‘shadow IT’.
Zoom, Slack, WhatsApp and Signal are all examples of tools that can be adopted easily and often free of charge, but that don’t necessarily meet business security standards. But if staff feel these services help them complete their work more efficiently than business-approved tools, they will go ahead and use them in an ad hoc fashion.
One of the earliest drivers of shadow IT was Dropbox. The file-sharing service proved so convenient for personal use that people started installing it on their workplace PCs, without checking that Dropbox met company security standards.
Once workers discovered how easy it was to start using the service, choosing it over company-approved services, the problem only grew.
The pandemic exacerbated the issue of shadow IT – unable to access their office networks, staff were forced to find their own solutions while working remotely.
And as remote working remains popular, IT departments are now finding it difficult to keep track of the services staff are using, which has serious implications for data security. Nowhere is this issue more critical than within the legal sector, as law firms handle a vast amount of sensitive data and any data loss or breach can have catastrophic consequences.
Shadow IT and data security
Cloud storage providers like Dropbox and Google Drive have servers all over the world, which can create a serious conflict between data protection laws. A Dropbox user cannot choose which server their data is stored on, so if a UK law firm uploads files to Dropbox and those files end up on a US-based server, the security of those files is immediately at risk.
What’s more, US legislation dictates that law enforcement agencies must be able to access any files stored with a cloud storage provider. In short: your law firm could be breaking UK data protection law by using cloud storage providers that have servers around the world.
The Bar Council issued a warning about this as far back as 2016, stating: “Personal information can… be inadvertently disclosed to the US authorities without your knowledge and agreement. This occurs when it is stored on computers which are owned directly or indirectly by US corporations.
“There are a number of ways this can happen: Cloud services (for storage of case files, emails and accounts); external hosting of chambers’ files (back up or disaster recovery) and chambers’ administration software.”
The Bar Council advised barristers to check where legally privileged and confidential information was stored and whether any company which stored professional information has US parentage – and if they could be subject to the provisions of the US Patriot Act. It also said barristers should consider encrypting access to data placed on external servers.
Shadow IT does not just put data at risk. It also makes your law firm more vulnerable to cyber-attacks overall.
If the services your staff are using are not secure, you have a greater ‘attack surface’ than you realise – i.e., more points in your network where malicious actors can gain entry, damage your systems and ultimately threaten your business.
It should go without saying, but to properly secure your networks, you need to know every possible entry point. Shadow IT keeps you in the dark about vulnerabilities, so you need to review and act today.
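Knowing every entry point starts with knowing which online services are actually in use. The script below is an added example, not BackupVault's code or anything from the original post: it reads a few constructed web-proxy log lines, maps each destination host to a known SaaS service, and reports which users are sending data to services that are not on the firm's approved list. The log format, the service catalogue and the approved list are all assumptions chosen for illustration; a real deployment would take the log from the firm's proxy or DNS resolver and the catalogue from a maintained SaaS list.

```python
"""Shadow IT discovery from web-proxy logs (added example, hypothetical format)."""
import re
from collections import defaultdict
from typing import Dict, Optional

# Constructed sample log lines in an assumed proxy format:
# <timestamp> <user> <method> <host> <bytes_sent>
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice CONNECT outlook.office365.com 1203
2024-03-04T09:14:22Z alice CONNECT www.dropbox.com 48211000
2024-03-04T09:15:09Z bob CONNECT drive.google.com 9820000
2024-03-04T09:16:40Z carol CONNECT app.slack.com 5200
2024-03-04T09:18:03Z bob CONNECT zoom.us 300
2024-03-04T09:20:55Z dave CONNECT web.whatsapp.com 150000
2024-03-04T09:21:10Z alice CONNECT intranet.example-firm.internal 900
this line is malformed and should be skipped
"""

# Hypothetical catalogue: host suffix -> service name (assumed entries).
SERVICE_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "slack.com": "Slack",
    "zoom.us": "Zoom",
    "whatsapp.com": "WhatsApp",
    "signal.org": "Signal",
    "office365.com": "Microsoft 365",
}

# Services the firm's IT team has approved (an assumption for the example).
APPROVED_SERVICES = {"Microsoft 365"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)


def classify_host(host: str) -> Optional[str]:
    """Return the SaaS service a host belongs to, or None if it is unknown.

    Matching is on the registered suffix with a leading dot, so that
    'notdropbox.com' is not mistaken for 'dropbox.com'.
    """
    host = host.lower().rstrip(".")
    for suffix, service in SERVICE_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def find_shadow_it(log_text: str) -> Dict[str, Dict[str, int]]:
    """Map each user to {unapproved service: bytes sent}.

    Lines that do not match the expected format are skipped rather than
    aborting the report, so one bad line cannot hide the rest of the data.
    """
    usage: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        service = classify_host(m["host"])
        if service is None or service in APPROVED_SERVICES:
            continue
        usage[m["user"]][service] += int(m["bytes"])
    return {user: dict(services) for user, services in usage.items()}


def format_report(usage: Dict[str, Dict[str, int]]) -> str:
    """Render the findings one line per user/service, sorted for stable output."""
    lines = []
    for user in sorted(usage):
        for service, sent in sorted(usage[user].items()):
            lines.append(f"{user}: {service} ({sent} bytes sent)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_shadow_it(SAMPLE_LOG)))
```

The report is deliberately per user and per service rather than per request, because the useful question for an IT team is "who is relying on which unapproved tool, and how much data is going there", which is the conversation the next section recommends having with staff. Unknown hosts are left out of the report rather than flagged, so the output stays short enough to act on; a catalogue miss is then a visible gap to fill rather than a false alarm.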
How to address the problem of shadow IT
Establish a culture of open communication in your law firm. Staff don’t turn to unapproved online tools because they want to put data at risk – they choose services that are easy and efficient to use.
Allowing your employees to have a say in the selection process of company software and applications will reduce the risk of shadow IT becoming a problem. If staff feel they can ask for the resources they need, they will be far less likely to seek their own solutions.
Provide regular training on cyber-security and data protection. Ensure colleagues understand that everyone is responsible for helping to protect sensitive data and that IT teams must always know where data is stored.
Data spread across lots of SaaS applications that IT teams are not aware of is extremely vulnerable – data cannot be protected and backed up if no one knows where it is.
Finally, implement secure external back-up if you have not done so already. The best back-up solution for organisations that deal with large amounts of sensitive data is one that encrypts data both during transfer and at rest.
For UK law firms, it’s important that your back-up service is based solely in the UK too, to ensure that there can be no conflict of data protection legislation.