
How to Protect From Shadow Data


Everything the light touches is blessed by IT. Don’t go to the shadowlands!

While it seems trite, that is actually a pretty helpful way to think about and understand “shadow data.” So, what is shadow data? It’s the information owned by an organization that gets stored outside of the protected locations recommended by the IT and Security departments. It’s stuff that’s in the shadows.

What is Shadow Data Protection?

Shadow Data Protection comprises the strategies, backup solutions, and data visibility solutions that help minimize the risk shadow data poses to your organization.

Shadow data presents a couple of significant risks to your organization in the form of data loss and data leaks. To learn more about those risks, watch our video on the topic. In this post, we’re going to talk about how to protect your organization from shadow data.

How to Protect Against Shadow Data

As with everything in data security, there is no single silver bullet to solving the problem of shadow data. It will be created, and it does exist in your organization today. But with these simple security practices, you can significantly decrease the likelihood of users creating shadow data and lessen the impact to your organization when they do.

Tactic 1: User Education

Educating users about the risks of storing data outside of sanctioned solutions is a vital first step to shadow data prevention and risk mitigation. You can include information on why it’s important to store data in supported systems in broad-scale security awareness training or in a stand-alone message from your IT team.

Alongside simply saying “don’t do this,” it is important to make clear to users why shadow data presents a problem to the organization and to the user personally. It’s also key to do this in words users can easily understand without resorting to deep technical jargon.

Training in the onboarding process and in regular ongoing security training for existing team members is also highly recommended. If that seems like too much, a one-off email is a great first step.

Tactic 2: Device Backup

When you’ve got a problem with employees storing data on endpoints, a great way to protect organizational data is to back up those endpoints.

Data backup takes what had been a single point of failure (the endpoint) and automatically creates an additional copy. There are numerous solutions on the market that will collect and securely store all user-generated files from laptops and desktops. This way, when a laptop suddenly dies, it won’t matter whether the user remembered to upload the latest sales forecast document to the CRM; it’s available for restore in a couple of seconds.

Tactic 3: Data Visibility

As GI Joe said, “knowing is half the battle.” This is as true for shadow data as it is for addressing the activities of Cobra.

You need to know where your data is and where it’s going. The way to know that information is through implementing an Insider Risk Management or Data Loss Prevention solution that can monitor, centralize, and alert on information about where your organizational data is moving. This way, your IT and security teams can know when important data moves outside of sanctioned platforms and reach out to the user responsible.
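The check at the heart of this tactic, sketched as an added example that is not part of the original post or any vendor's product: file-movement events are compared against an allowlist of sanctioned locations and grouped by user for follow-up. The event fields, domains, and paths are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse
import posixpath

# Assumed allowlist of sanctioned storage locations (hypothetical names).
SANCTIONED_DOMAINS = {"crm.example.com", "files.example.com"}
SANCTIONED_PATH_PREFIXES = ("/Users/Shared/CorpSync/",)

# Constructed sample events, in the shape a monitoring agent might emit.
EVENTS = [
    {"user": "alice", "file": "q3_forecast.xlsx", "dest": "https://crm.example.com/upload"},
    {"user": "alice", "file": "q3_forecast.xlsx", "dest": "https://personal-drive.example.net/u/0"},
    {"user": "bob", "file": "customers.csv", "dest": "/Volumes/USB_STICK/customers.csv"},
    {"user": "bob", "file": "notes.docx", "dest": "/Users/Shared/CorpSync/notes.docx"},
    # Lookalike host: contains a sanctioned name but is not a subdomain of it.
    {"user": "carol", "file": "roadmap.pptx",
     "dest": "https://files.example.com.lookalike.example.net/x"},
]

def is_sanctioned(dest):
    """True if dest is a sanctioned domain (or subdomain) or a sanctioned local path."""
    if "://" in dest:
        host = (urlparse(dest).hostname or "").lower()
        # Exact or subdomain match only; substring matching would pass lookalikes.
        return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)
    # Normalize so "../" segments cannot escape a sanctioned folder.
    return posixpath.normpath(dest).startswith(SANCTIONED_PATH_PREFIXES)

def shadow_data_report(events):
    """Group movements to unsanctioned destinations by user, for outreach."""
    report = defaultdict(list)
    for event in events:
        if not is_sanctioned(event["dest"]):
            report[event["user"]].append((event["file"], event["dest"]))
    return dict(report)

if __name__ == "__main__":
    for user, items in shadow_data_report(EVENTS).items():
        for name, dest in items:
            print(f"{user}: {name} -> {dest}")
```
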

Tactic 4: User Conversations and Amnesty

Regardless of whether you have a robust data visibility solution like the one outlined above, every instance in which your IT or Security team becomes aware of a user creating shadow data is an opportunity to improve.

A great way to approach the conversation with a user who is leveraging shadow data is to calmly ask them about the problem they are looking to solve by storing data that way. It is very unlikely that they are subverting the process merely because they want to. This conversation will either open the door to educating the user about the approved and secure method for accomplishing their business objective, or it will lead to a better understanding of the business needs of the user’s role. Either path leads to a more positive outcome.

If you can’t implement broad-scale data visibility, a great way to gain insights into where shadow data exists in your organization is to ask your users and offer amnesty for self-reported instances. This, combined with user interviews, will both make your organization more secure and increase positive relationships between users and your IT and security teams.

Shining a Light on Shadow Data Prevention

Protecting your organization from shadow data is both simpler and more difficult than you would expect. While you’re never going to completely stop it, using these four simple tactics can help you tackle your shadow data problem and prevent it from causing your organization headaches in the future.


We’ve got your back(up)

By automatically collecting all important data and securely centralizing it for IT and Security teams, it’s possible to allow users to work how they see fit on their devices while still protecting organizational data from loss or ransom. See which CrashPlan works for you with our plan comparison. Kick-start your journey out of the shadows with a free trial.