Cybersecurity is a top-line issue for businesses because bad actors are always looking for new ways to access data. Most businesses have safeguards in place, but often, security policies do not address shadow data. To better understand the issue, let’s start by defining shadow data.
Data is generated every time you use the internet, no matter what you are using it for. That data is usually tracked and collected by the websites you visit, the social media you use and so on. It is sorted and used to create a user profile, a snapshot of your likes, dislikes, habits, activities and other information gleaned from your internet use. Even when personal data such as your name and address is not attached, advertisers, news outlets and other content providers can use your user profile to tailor what you see, including product recommendations and items in your newsfeed, on the various internet channels you visit. This is data about you that exists in copies you never created, in places you do not control and may not even know about. Shadow data is the business-side equivalent: copies of an organization's data that live outside the systems its IT and security teams know about, manage and monitor.
The threat of shadow data
Shadow data falls outside the business's security controls and policies because it is created or stored outside the business's normal, managed operations. Examples of where this data originates include employees' personal devices, cloud storage and file-sync services that duplicate data, collaboration applications such as Slack, software adopted without the IT department's oversight and copies of data taken in breaches.
Often, shadow data is created innocently. For example, a department may use unapproved software to accomplish an important task, or an employee may copy a sensitive document to a personal cloud storage account for easier access when working from home. Legacy applications and information gathered as part of competitive analyses are also good examples of data that may become shadow data. These applications and files may contain sensitive information, but no one refers to them any longer, so they lie dormant wherever they were stored until someone intentionally deletes them, and the controls that apply to systems the business knows it has never reach them.
Any of these examples can create shadow data and cybersecurity risks.
Addressing shadow data
Companies need to be proactive to combat the risk posed by shadow data. Cybersecurity policies and procedures should address the following four areas:
1. Data discovery and classification. Inventory where data actually lives, including personal devices, cloud storage and unsanctioned applications, not only the systems IT already manages, and label it by sensitivity. Select tooling that offers end-to-end encryption, supports a range of file types, allows customizable classifications, automates tagging, tracks activity, supports multiple secure storage locations and complies with industry-specific regulations.
2. Access controls and permissions. Require multifactor authentication, use single sign-on (SSO) so that access is granted and revoked in one place, and regularly monitor activity. Implement policies and procedures that limit each role's access to the data it needs; for example, let only supervisors change data that is already in the system. Regularly audit these permissions to confirm they are still accurate and appropriate.
3. Education and training. Train staff on what shadow data is and how it arises, making clear that following the company's data policies and procedures both prevents shadow data from being created and protects data from breaches.
4. Incident response planning and training. Have a detailed plan in case there is a data breach or security incident. In addition to defining the reporting and escalation chain, the plan should set out specific procedures for detecting and containing any breach, including one that involves copies of data held outside the normal controls.
Develop comprehensive data security policies that address data classification, storage, sharing, retention and disposal. Assign responsibility for policy enforcement to specific individuals or teams and establish clear consequences for noncompliance.
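The discovery and classification step above is the one that most directly finds shadow data, so here is an added example of what a minimal scan looks like in practice. This code is not from the original article or from any product it mentions: it walks a directory tree, marks any file whose top-level folder is not in an assumed set of sanctioned roots as a shadow-data candidate, looks for a few assumed sensitive-data patterns (email addresses, US SSN-style numbers, Luhn-validated card numbers and AWS-style access key IDs) and assigns each file a classification label. The sample files, the patterns and the labels are all constructed for illustration.

```python
"""Added example: a minimal shadow-data discovery and classification scan.
Patterns, labels and sample files are assumptions for illustration."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed sample corpus: relative path -> file contents. The card number is
# the public test value 4111..., the access key is the documented AWS placeholder.
SAMPLE_FILES = {
    "finance/q3_report.csv": "region,revenue\nEMEA,120000\nAPAC,98000\n",
    "personal_cloud_sync/customers_copy.csv":
        "name,email,card\nAda Lovelace,ada@example.com,4111 1111 1111 1111\n",
    "legacy/old_crm_export.txt":
        "Contact: grace@example.org SSN 123-45-6789 key AKIAIOSFODNN7EXAMPLE\n",
    "notes/todo.txt": "Order ref 1234 5678 1234 5678 is not a card number\n",
}

# Detection patterns (assumed for the example). Card candidates are only
# accepted if they pass the Luhn checksum, which cuts obvious false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "aws_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
SEVERITY = {"card": "restricted", "ssn": "restricted",
            "aws_key": "restricted", "email": "internal"}
RANK = {"public": 0, "internal": 1, "restricted": 2}


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in candidate satisfy the Luhn checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def detect(text: str) -> dict:
    """Count validated sensitive-data hits in text, keyed by pattern name."""
    hits = {}
    for name, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if name == "card":
            matches = [m for m in matches if luhn_ok(m)]
        if matches:
            hits[name] = len(matches)
    return hits


def classify(tags: dict) -> str:
    """Map the detected tags to the highest applicable classification label."""
    level = "public"
    for name in tags:
        if RANK[SEVERITY[name]] > RANK[level]:
            level = SEVERITY[name]
    return level


@dataclass
class Finding:
    relpath: str
    sanctioned: bool
    tags: dict = field(default_factory=dict)
    classification: str = "public"


def scan_tree(root: str, sanctioned_roots: set) -> list:
    """Discover every file under root and classify it. A file whose top-level
    directory is not in sanctioned_roots is a shadow-data candidate."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            tags = detect(text)
            findings.append(Finding(rel, rel.split("/")[0] in sanctioned_roots,
                                    tags, classify(tags)))
    return findings


def build_sample_corpus() -> str:
    """Write the constructed sample files into a fresh temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="shadow_scan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    corpus = build_sample_corpus()
    for f in sorted(scan_tree(corpus, {"finance", "hr"}), key=lambda f: f.relpath):
        where = "sanctioned" if f.sanctioned else "SHADOW"
        print(f"{f.classification:10} {where:10} {f.relpath} {f.tags}")
```

Run as a script, the scan reports the finance report as sanctioned and public, the copy in the personal sync folder and the legacy export as restricted shadow data, and the notes file as public because its sixteen-digit string fails the Luhn check. In a real deployment the sanctioned roots would come from the asset inventory, the patterns from the classification policy, and the scan would cover endpoints and cloud storage rather than one local tree, but the two questions it answers are the same: where does data actually live, and how sensitive is it.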