Posted by Rob Stevenson, CEO and Founder of Legal Futures Associate BackupVault
When staff adopt online services on their own, without going through the internal IT team’s approval process, those services become “shadow IT”.
Zoom, Slack, WhatsApp, and Signal are all examples of tools that can be adopted easily and often for free, but don’t necessarily meet enterprise security standards. But if staff feel that these services help them do their jobs more efficiently than company-approved tools, they will go ahead and use them on an ad hoc basis.
One of the early drivers of shadow IT was Dropbox. The file-sharing service proved so convenient for personal use that people started installing it on their work PCs, without anyone checking whether Dropbox met company security standards.
Once staff saw how easy it was to start using the service, and began choosing it over company-approved tools, the problem only grew.
The pandemic has exacerbated the problem of shadow IT: unable to reach their office networks, employees were forced to find their own solutions while working remotely.
And as remote working remains popular, IT departments are now struggling to track which services staff are using, with serious implications for data security. Nowhere is this issue more critical than in the legal industry, as law firms deal with a large amount of sensitive data and any data loss or breach can have catastrophic consequences.
Shadow IT and data security
Cloud storage providers like Dropbox and Google Drive run data centres in several countries, which can put a firm on the wrong side of data protection law. An individual Dropbox user cannot choose which region their data is stored in, so if a UK law firm uploads client files to Dropbox and those files land on a US-based server, the firm has made an international transfer of personal data, quite possibly without the safeguards UK data protection law requires for such transfers.
Additionally, US law (the Patriot Act that the Bar Council cited, and since 2018 the CLOUD Act) lets US authorities compel a US-based provider to produce data under its control, wherever in the world that data is held, subject to US legal process. In short: a law firm that stores client data with a provider that has servers around the world, or that is owned by a US company, may be breaching UK data protection law and its duty of confidentiality.
The Bar Council issued a warning about this as far back as 2016, stating, “Personal information may…be inadvertently disclosed to US authorities without your knowledge or consent. This happens when stored on computers that are directly or indirectly owned by US companies.
“This can happen in several ways: Cloud services (for storage of folders, emails and accounts); external hosting of room files (backup or disaster recovery) and room administration software.”
The Bar Council advised lawyers to check where legally privileged and confidential information is stored, whether the company storing it has an American affiliation, and whether it could therefore be subject to the provisions of the US Patriot Act. It also said lawyers should consider encrypting data placed on external servers.
Shadow IT doesn’t just put data at risk. It also makes your law firm more vulnerable to cyberattacks in general.
If the services your staff use are not secure, you have a larger “attack surface” than you might imagine: more points where a malicious actor can get in, whether through a weakly protected consumer account, a reused password, or a service with no multi-factor authentication, and from there damage your systems and ultimately threaten your business.
It should go without saying, but to properly secure your networks you need to know every possible entry point. You cannot patch, monitor or back up a service you do not know exists, so the first step is to find out which services staff are actually using, and then act on what you find.
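One practical way to start that investigation is to inventory the hosts staff actually connect to, from the firm’s web proxy or DNS logs, and flag anything that is not on the list of services IT has approved. The script below is an added example and is not BackupVault’s or Legal Futures’ code: the log format (one line per request, space separated), the approved-domain list and the sample log lines are all constructed for illustration, and the list of consumer services is taken from the ones named in this article. Hits on known file-sharing and messaging services are reported first, because that is where firm data is most likely to be leaving.

```python
"""Inventory hosts seen in proxy logs and flag those not on the firm's
approved-services list. Added example with a constructed log format; not the
article's or BackupVault's own tooling."""
import re

# Hypothetical list of services IT has reviewed. A subdomain of an
# approved domain (e.g. teams.microsoft.com) counts as approved.
APPROVED_DOMAINS = {
    "office365.com",
    "microsoftonline.com",
    "microsoft.com",
    "example-firm.co.uk",
}

# Consumer services the article names, tagged by what staff use them for,
# so unapproved hits on them are prioritised over unknown hosts.
KNOWN_SHADOW = {
    "dropbox.com": "file sharing",
    "dropboxapi.com": "file sharing",
    "drive.google.com": "file sharing",
    "docs.google.com": "file sharing",
    "zoom.us": "video calls",
    "slack.com": "messaging",
    "whatsapp.com": "messaging",
    "signal.org": "messaging",
}

# Constructed proxy log lines: <unix_time> <username> <method> <host[:port]> <status>
SAMPLE_LOG = """\
1700000000.101 jsmith CONNECT www.dropbox.com:443 200
1700000000.233 jsmith CONNECT teams.microsoft.com:443 200
1700000001.514 aowen GET drive.google.com 200
1700000002.020 aowen CONNECT content.dropboxapi.com:443 200
1700000002.777 pkaur CONNECT web.whatsapp.com:443 200
1700000003.301 pkaur CONNECT login.microsoftonline.com:443 200
1700000004.912 pkaur CONNECT unknown-vendor.example:443 200
this line is malformed and is skipped rather than crashing the run
1700000005.000 jsmith CONNECT www.dropbox.com:443 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return (user, host) with host lowercased and any scheme/path/port
    stripped, or None if the line does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").lower()
    host = host.split("://", 1)[-1].split("/", 1)[0].rsplit(":", 1)[0]
    return m.group("user"), host


def in_domains(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host):
    """Category from KNOWN_SHADOW, or 'unknown' for hosts we have no label for."""
    for domain, category in KNOWN_SHADOW.items():
        if in_domains(host, {domain}):
            return category
    return "unknown"


def find_shadow_services(log_text, approved=APPROVED_DOMAINS):
    """Aggregate every unapproved host into
    {host: {"category": str, "requests": int, "users": [sorted usernames]}}."""
    report = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        if in_domains(host, approved):
            continue
        entry = report.setdefault(
            host, {"category": classify(host), "requests": 0, "users": set()}
        )
        entry["requests"] += 1
        entry["users"].add(user)
    for entry in report.values():  # freeze sets so the report is stable
        entry["users"] = sorted(entry["users"])
    return report


def main():
    report = find_shadow_services(SAMPLE_LOG)
    # Known consumer services first, then by volume; unknown hosts last.
    order = lambda kv: (kv[1]["category"] == "unknown", -kv[1]["requests"], kv[0])
    for host, e in sorted(report.items(), key=order):
        print(f"{host:26} {e['category']:13} requests={e['requests']} "
              f"users={','.join(e['users'])}")


if __name__ == "__main__":
    main()
```

Run against real proxy or DNS exports the format and allowlist will differ, but the shape of the check is the same: anything reaching a domain nobody has reviewed is a lead to follow up with the user, not a disciplinary finding, which is why the report groups hosts by the people using them.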
How to solve the problem of shadow IT
Establish a culture of open communication in your law firm. Employees don’t turn to unapproved online tools because they want to put their data at risk. They choose services that are easy and efficient to use.
Allowing your employees to have a say in the selection process for enterprise software and applications will reduce the risk of shadow IT becoming an issue. If staff feel they can request the resources they need, they will be much less likely to seek their own solutions.
Provide regular training on cybersecurity and data protection. Make sure your colleagues understand that everyone is responsible for helping to protect sensitive data and that IT teams should always know where the data is stored.
Data spread across many SaaS applications that IT teams are unaware of is extremely vulnerable: data cannot be protected, backed up, or produced when a client or regulator asks for it if no one knows where it is.
Finally, implement secure external backup if you haven’t already. The best backup solution for organizations dealing with large amounts of sensitive data is one that encrypts the data both in transit and at rest. Be clear about who holds the keys: encryption applied by the provider with the provider’s own keys protects against a stolen disk, not against the provider being compelled to hand the data over. For that, the data has to be encrypted before it leaves the firm, with keys the firm controls. And test restores regularly; a backup nobody has restored from is an assumption, not a safeguard.
For UK law firms, it is also important that the backup service is hosted and operated in the UK only, so that no international transfer of data arises. As the Bar Council’s warning makes clear, a UK data centre run by a company that is directly or indirectly US-owned does not by itself remove the question of US jurisdiction, so ask about ownership as well as server location.