When we think of cybercrimes we often think of criminals hacking into a network to retrieve sensitive corporate information.  But cyberattacks and the leaking of information can also occur from within an organization in the form of Shadow IT and Shadow Data.

Shadow IT and Shadow Data usually arise from cloud applications being used or shared without permission from the IT department.  In some cases, the information may be leaked by an unhappy employee trying to discredit their company, or by a staff member sharing information with vendors and other outside entities without the express permission of their organization.

Whether or not the information is shared or leaked maliciously, both Shadow IT and Shadow Data pose serious disruptions to organizations.

Shadow IT: When users go rogue with cloud apps

Shadow IT refers to the use of applications that are “not under the control of either an external or internal IT function,” according to CSO, or in other words, unapproved applications being used by company staff for company operations. An example would be an employee using a personal Dropbox account to store sensitive company data. As cloud computing becomes ubiquitous, CSO writes that easily accessible online website tools may entice employees to utilize such applications without corporate permission.

According to Network World, as much as 80% of IT pros report that their colleagues have gone behind their back to “set up unapproved cloud services and 38% write that their end users have done this five or more times.”

The risk of Shadow IT is that unauthorized applications do not implement the same controls and security measures that IT pros apply to company-approved applications – and many cloud-based applications can be vulnerable to attack if not vetted properly.  This can have far-reaching implications, especially in organizations that must meet strict compliance requirements.  According to CSO, “Executive teams go to great lengths to instill proper risk mitigation procedures with the likes of ISO 27001 information security management certification to demonstrate that they are managing the risk for both themselves and their customers.”

Shadow Data: The trail of data breadcrumbs left behind

Shadow Data includes “all the sensitive content that users upload, store and share via the cloud, whether they use shadow IT or permitted apps,” according to Computer Weekly.  It is made up of tiny pieces of data left on the internet through everyday online activity. Each of these tiny pieces of data, tracked through sensors, IP surveillance, and metadata, helps hackers and other cyber criminals paint a picture of a user or organization that might otherwise have been inaccessible.

Symantec reports that Shadow Data can be created when an individual sends an email, updates a social media profile, swipes a credit card, and more. This is a serious concern, writes Symantec, “as it is difficult to control who actually looks at an individual’s shadow data, what conclusions they are drawing.”

Shadow Data happens when business administrators “fail to adequately oversee how employees handle sensitive corporate data,” reports Network World.  Many organizations try to combat this issue by cracking down on Shadow IT as well as on any unsanctioned devices that employees may be using.

As more companies take a liberal approach to cloud provisioning, they need to make sure that all applications, including vetted ones, “are carefully secured, optimized and monitored,” writes Network World.

So how can your company prevent Shadow IT and Shadow Data? Network World and other experts suggest the following:

  • Draft corporate policies on Shadow IT and educate employees on the risks of using unsanctioned cloud-based applications.
  • Draft corporate policies as well as educate employees on how data can be shared.
  • Encrypt data at rest – if the data is in fact shared or stolen, it will be harder for the perpetrator to read.
  • Ensure applications meet corporate IT security standards to maintain industry compliance.
  • Implement multifactor authentication.
  • Maintain a unified catalog of approved cloud applications.
  • Secure employee mobile devices.
  • Conduct regular policy compliance audits.
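The last two recommendations in the list, a unified catalog of approved cloud applications and regular compliance audits, can be combined into a simple detection check: compare the destinations in your web-proxy logs against the catalog and report any cloud service, and any sizeable upload to it, that is not on the approved list. The script below is an added illustration and is not code from the original article or from DiamondIT; the log format, the catalog of approved domains, the sample log lines and the upload threshold are all constructed assumptions for the demo.

```python
"""Flag possible Shadow IT in web-proxy logs using a catalog of approved cloud apps.

Added example; not part of the original article. The log format, the domain
catalog, the sample log lines and the threshold are constructed for this demo.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical "unified catalog" of approved cloud applications, keyed by domain.
# Any subdomain of a listed domain (e.g. contoso.sharepoint.com) counts as approved.
APPROVED_APPS = {
    "sharepoint.com": "Microsoft SharePoint",
    "office365.com": "Microsoft 365",
    "salesforce.com": "Salesforce",
}

# Constructed proxy log lines (simplified): timestamp user method url bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST https://www.dropbox.com/upload 5242880
2024-05-01T09:13:10Z alice GET https://contoso.sharepoint.com/sites/finance 2048
2024-05-01T09:20:44Z bob POST https://wetransfer.com/api/v4/transfers 73400320
2024-05-01T09:21:00Z bob GET https://login.salesforce.com/ 512
2024-05-01T09:25:17Z carol POST https://drive.google.com/upload 524288
2024-05-01T09:30:00Z carol GET https://www.office365.com/ 1024
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
UPLOAD_THRESHOLD_BYTES = 1024 * 1024  # 1 MiB; an assumed tuning value


def is_approved(host):
    """True if host equals, or is a subdomain of, a catalogued application domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in APPROVED_APPS)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, sent = m.groups()
    return {
        "ts": ts,
        "user": user,
        "method": method,
        "host": urlparse(url).hostname or "",
        "bytes_sent": int(sent),
    }


def find_shadow_it(log_text):
    """Audit a log against the catalog.

    Returns (unapproved_by_user, large_uploads):
      unapproved_by_user: {user: sorted list of non-catalogued hosts contacted}
      large_uploads: [(user, host, bytes_sent)] for POST/PUT requests to
                     non-catalogued hosts at or above UPLOAD_THRESHOLD_BYTES,
                     which is where sensitive data is most likely leaving.
    """
    unapproved_by_user = defaultdict(set)
    large_uploads = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["host"]:
            continue  # skip malformed lines rather than crash the audit
        if is_approved(rec["host"]):
            continue
        unapproved_by_user[rec["user"]].add(rec["host"])
        if rec["method"] in ("POST", "PUT") and rec["bytes_sent"] >= UPLOAD_THRESHOLD_BYTES:
            large_uploads.append((rec["user"], rec["host"], rec["bytes_sent"]))
    return {u: sorted(h) for u, h in unapproved_by_user.items()}, large_uploads


if __name__ == "__main__":
    by_user, uploads = find_shadow_it(SAMPLE_LOG)
    for user, hosts in sorted(by_user.items()):
        print(f"{user}: unapproved cloud hosts {hosts}")
    for user, host, n in uploads:
        print(f"  large upload: {user} -> {host} ({n} bytes)")
```

In practice the catalog would be loaded from the organization's application inventory rather than hard-coded, and the findings would feed a periodic review with the users involved, since the aim of the audit is to bring the application into the catalog or retire it, not to punish the employee. Suffix matching against the catalog is deliberate: an exact-host comparison would wrongly flag every tenant-specific subdomain of an approved service.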

It is important to be vigilant in training and educating employees on the proper use of applications and data. Contact DiamondIT at 877-716-8324 to learn more about security training, assessment and implementation services to build your lines of defense and prevent the widespread use of Shadow IT and Data.