Shadow IT and File Sharing

For a long time now, email has been the way firms share documents. It is an easy-to-use and ubiquitous technology, and sending a document as an email attachment with track changes has been a long-standing means of document collaboration.

Email does not, however, always provide a solution.

What if a user wants to access a document when there is no-one at the other end? What if a user wants to access their own documents but they’re out of the office? What if two firms want to share a hundred documents?

Email is not the right tool at all under these scenarios.

Furthermore, it is easy for emails to get lost amongst the day’s inbox arrivals. Many firms impose limits on the size of file attachments. There are often several iterations of the document in circulation, with file names growing as everyone adds their initials and dates and different versioning numbers.

Email is a “push” technology; that is, one that relies on a sender to initiate the process. It is also a low volume technology. It is, however, a technology that is under the control of a firm’s IT department or service provider and subject to attendant security standards.

The next step up in the evolution of file sharing came with VPN technology. A firm could set up a VPN – Virtual Private Network – which would allow external users the ability to log into a firm’s corporate network, remotely over the internet, and access documents from a secure and ring-fenced area on a traditional file server hosted by the firm.

Here, again, the technology and its implementation were in the control of the firm’s IT department.

However, VPNs can be cumbersome to use and require in-house or outsourced staff to set up and maintain. Budget, resource, training and business-case constraints can make the management and implementation of such services cumbersome as well.

Nowadays, however, we live in a world of consumerised IT, exemplified by mobile devices, apps and cloud-based services.

GRC Insight has previously looked at the ramifications of mobile devices under the Bring Your Own Device (BYOD) umbrella and the potential security risks implicit in such technologies and approaches.
Running parallel to the BYOD debate has been its flip-side: the emergence of Shadow IT.

Shadow IT is loosely defined as the use of IT systems within a firm without the approval, or even the knowledge, of the firm’s IT department.

This unsanctioned IT trend is strongly associated with users, dissatisfied with the functionality or flexibility of a firm’s existing IT infrastructure, taking matters into their own hands.

This behaviour is, to a certain extent, encouraged by the technology providers themselves. Dropbox is one of the most successful file sharing services, and last year at TechCrunch in San Francisco, its CEO made it clear that Dropbox leverages sales off the back of employees’ shadow IT implementation.

Unfortunately, such un-policed and often domestic-grade implementations open up risks of a similar magnitude to BYOD, exacerbated by the fact that they are invisible to the IT department.

The risks are straightforward enough: lack of data control, potential for data leakage, insecure endpoints such as mobile phones, poor configuration at the provider level and poor security practices. None of these are new, but without some sort of IT oversight they are magnified.

This is now a familiar story, one of developing technologies, changing user expectations and, quite possibly, a prohibitionist attitude taken by under-resourced IT departments.

It is, however, a story that will not go away, and firms need to accept and embrace these new technological powers wielded by rank-and-file users.

It is important that the requirements be precisely scoped out and that usage is restricted and policed.

There is, of course, no reason why users need to use public cloud services in the first place. Most IT providers will field some sort of managed private file sharing application, and whilst Dropbox may not sell you its software to run in your own datacentre, many vendors, including Citrix and VMware, do.

Without necessarily going to the extent of hosting your own solution, third-party enterprise providers will often allow a firm to dictate the geographical location of the datacentres holding its data, protecting against jurisdictional infringements.

And of course, these corporate-focused services offer many enterprise features such as encryption, digital rights management, data loss prevention and remote file wiping.

By engaging with the technology and training staff in its use, there is no reason why shadow IT should develop in this area, and no reason why careful data management and deletion procedures should not bring the security risks back down within a firm’s tolerance levels.

So if you need to share files with a third party or collaborate on a document from a remote location, you would be wise to consider buying into the trend for cloud file sharing services before your employees go their own way. Your IT service provider will be happy to hear from you and your firm’s and third-party collaborators’ data will be a lot safer.