What is shadow data?
Shadow data is the name for organizational information which is digitally stored outside of sanctioned systems. There are lots of situations that can result in shadow data. A common example is when well-intentioned employees move data from one system or format into another one that is easier for them to work with. It can also be created on an organizational level. For example, when data is copied to a test environment or is migrated to the cloud, if the unused data is never cleaned up and removed, it becomes shadow data.
Shadow data can take the form of structured data (e.g. spreadsheets, databases) or unstructured data (e.g. Word documents, emails, photos). It can be saved on endpoints, on mobile devices, in personal SaaS solutions, or even in cloud storage. It also presents a significant risk to data security for your organization.
Why is Shadow Data Dangerous?
Regardless of user intent, shadow data opens your organization up to a host of risks. These risks can be distilled into two categories: risk of loss and risk of leak.
Risk of Loss
Data being outside of sanctioned IT systems means that it is inherently more likely to disappear.
A core reason for leveraging supported systems is their inclusion in an organization’s Business Continuity (BC) and Disaster Recovery (DR) plans. Protected systems will have specific backup systems or other forms of data resiliency in place which limit the possibility that a single failure or mistake will result in lost data. This means that, when a system goes down or gets hacked, the organization has the ability to either recover impacted data directly or receive financial compensation for the loss of important information (typically through insurance).
By storing data in places outside of those protected by the BC and DR plans (such as endpoints or personal cloud solutions), a simple hardware failure or employee departure could result in the loss of large amounts of vital information without the ability for the organization to recover it.
Risk of Leak
Just like with the risk of loss, data existing outside of systems sanctioned by the organization is more likely to be leaked or stolen.
Put simply: the average end-user has worse data security hygiene than the average centralized IT organization. As a result, every piece of information that gets stored outside of the protected bubble of corporate-sanctioned systems is that much more vulnerable to hacking, theft, or ransom. As an example, data stored in an unsanctioned consumer cloud solution is easier to unintentionally share and is more vulnerable to hacking due to a lack of enforced password or multi-factor authentication (MFA) policies.
How to Protect Against Shadow Data?
As with everything in data security, there is no single silver bullet to solving the problem of shadow data. It will be created and it does exist in your organization today. That said, here are a few simple security practices that can significantly decrease the likelihood of users creating shadow data and lessen the impact on your organization when they do.
User Education
Educating users about the risks of storing data outside of sanctioned solutions is a vital first step to decreasing your shadow data problem. You can include information on why it’s important to store data in supported systems in broad-scale security awareness training or in a stand-alone message from your IT team.
Alongside simply saying “Don’t do this,” it is important to make clear to users why shadow data presents a problem to the organization and to the user personally. It’s also key to do this in words users can easily understand without resorting to deep technical jargon.
It’s recommended you include this training both in the user-onboarding process and in regular ongoing security training for existing team members. If that’s too much to bite off, a one-off email is a great first step.
Device Backup
When you’ve got a problem with people storing data on endpoints, a great way to protect organizational data is to back up those endpoints.
Data backup takes what had been a single point of failure (the endpoint) and automatically creates an additional copy. There are numerous solutions on the market that will collect and securely store all user-generated files from laptops and desktops. This way, when a laptop suddenly dies, it won’t matter if the user remembered to upload the latest sales forecast document to the CRM; it’s available for restore in a couple of seconds.
Data Visibility
As GI Joe said, “Knowing is half the battle.” This is as true for shadow data as it is for addressing the activities of Cobra. You need to know where your data is and where it’s going. The way to know that information is through implementing an Insider Risk Management or Data Loss Prevention solution which can monitor, centralize, and alert on information about where your organizational data is moving. This way, your IT and security teams can know when important data moves outside of sanctioned platforms and reach out to the user responsible for a chat.
User Interviews and Amnesty
Regardless of whether you have a robust data visibility solution like the one outlined above, every time your IT or Security team becomes aware of a user resorting to creating shadow data, it is an opportunity to improve.
A great way to approach the conversation with a user who is leveraging shadow data is to calmly ask them about the problem they are looking to solve by storing data that way. It is very unlikely that they are subverting the process merely because they want to. This conversation will either open the door to being able to educate the user about the approved and secure method for accomplishing their business objective, or it will lead to a better understanding of the business needs of the user’s role. Either path leads to a more positive outcome.
If you can’t implement broad-scale data visibility, a great way to gain insights into where shadow data exists in your organization is to ask your users en masse and offer amnesty from repercussions for self-reported instances. This, combined with user interviews, will both make your organization more secure and increase positive relationships between users and your IT and security teams.
CrashPlan® provides peace of mind through secure, scalable, and straightforward endpoint data backup. We help organizations recover from any worst-case scenario, whether it is a disaster, simple human error, a stolen laptop, ransomware or an as-of-yet undiscovered calamity.
© 2024 CrashPlan® All rights reserved.