Shadow IT Surge Poses Growing Threat to Corporate Data Security

 

It was recently found that 93% of cybersecurity leaders have deployed generative artificial intelligence in their organizations, yet 34% of those implementing the technology have not taken steps to minimize security risks, according to a recent survey conducted by cybersecurity firm Splunk, which was previously reported by CFO Dive. 

In the coming years, digital transformation and cloud migration will become increasingly commonplace in every sector of the economy, raising the amount of data businesses must store, process and manage, as well as the amount of data they must manage. Even though external threats such as hacking, phishing, and ransomware are given a great deal of attention, it is equally critical for companies to manage their data internally to ensure data security is maintained. 

In an organization, shadow data is information that is not approved by the organization or overseen by it. An employee's use of applications, services, or devices that their employer has not approved can be considered a feature (or a bug?) of the modern workplace. Whether it is a cloud storage account, an unofficial collaboration tool, or an unsanctioned SaaS application, shadow data can be generated from a variety of sources. 

In general, shadow data is not accounted for in the security and compliance frameworks of organizations, which leaves a glaring blind spot in data protection strategies, which is why it poses the biggest challenge. A report by Splunk says, “Such thoughtful policies can help minimize data leakage and new vulnerabilities, but they cannot necessarily prevent a complete breach.” However, they can help minimize these risks. 

According to the study by Cyberhaven, AI adoption has been so rapid that knowledge workers are now putting more corporate data into AI tools on a Saturday and Sunday than they were putting into the AI tools during the middle of last year's workweek on average. This could mean that workers are using AI tools early on in the adoption cycle, even before the IT department is formally instructed to purchase them. 

The result would be the so-called 'shadow AI,' or the use of AI tools by employees through their accounts that are not sanctioned by the company, and maybe no one is even aware of it. Using AI in the workplace is gaining traction. The amount of corporate data workers are putting into AI tools has jumped by 485% from March 2023 to March 2024, and the trend is accelerating. There are 23.6% of tech workers in March 2024 who use AI tools for their work (the highest rate of any industry). 

It is estimated that only 4.7% of employees in the financial sector, 2.8% in the pharmaceuticals industry, and 0.6% in manufacturing industries use AI tools. The use of risky "shadow AI" accounts is growing as end users outpace corporate IT. There are 73.8% of ChatGPT users who use the application through non-corporate accounts. 

However, unlike enterprise versions of ChatGPT, the enterprise versions incorporate whatever information you share in public models as well. According to the data, the percentage of non-corporate accounts is even higher for Gemini (94.4%) and Bard (95.9%). AI products from the big three: OpenAI, Google, and Microsoft accounted for 96.0% of AI use at work. Research and development materials created by artificial intelligence-generated tools have been used in potentially risky ways currently. 

In March 2024, 3.4% of the materials were created by artificial intelligence-generated tools, which could potentially create a risk if patented materials were included. As a result, 3.2% of the insertions of source code are being generated by AI outside of traditional coding tools (which are equipped with enterprise-approved copilots for coding), which can potentially place the development of vulnerabilities at risk. 

In terms of graphics and design, 3.0% of the content is generated using AI. The problem here is that AI can be used to produce trademarked material which can pose a problem. IT administrators, security teams, and the protocols that are designed to ensure security are unable to see shadow data due to its invisibility. The fact that shadow data exists outside of the networks and systems that have been approved for data protection means that it can be bypassed easily by any protection measures put in place. 

The risk of a breach or leak when data is left unmonitored increases and does not only complicate compliance with regulations such as GDPR or HIPAA but also makes compliance with data protection laws harder. As such, an organization is not able to effectively manage all of its data assets due to an absence of visibility, resulting in a loss of efficiency and a risk of data redundancy. Shadow data poses various security risks, which include unauthorized access to sensitive data, breaches in data security, and the potential for sensitive information to be exfiltrated. 

Shadow data can be a threat from a compliance standpoint because it only requires a minimal amount of protection from inadequacies in data security. Furthermore, there is an additional risk of data loss when data is stored in unofficial locations, since such personal data may not be backed up or protected against deletion if it is accidentally deleted. The surge in Shadow IT poses significant risks to organizations, with potential repercussions that include financial penalties, reputational damage, and operational disruptions. 

It is crucial to understand the distinctions between Shadow IT and Shadow Data to effectively address these threats. Shadow IT refers to the unauthorized use of tools and technologies within an organization. These tools, often implemented without the knowledge or approval of the IT department, can create substantial security and compliance challenges. Conversely, shadow data pertains to the information assets that these unauthorized tools generate and manage.

This data, regardless of its source or storage location, introduces its own set of risks and requires separate strategies for protection. Addressing Shadow IT necessitates robust control and monitoring mechanisms to manage the use of unauthorized technologies. This involves implementing policies and systems to detect and regulate non-sanctioned IT tools, ensuring that all technological resources align with the organization's security and compliance standards. 

On the other hand, managing shadow data requires a focus on identifying and safeguarding the data itself. This involves comprehensive data governance practices that protect sensitive information, ensuring it is secure, regardless of how it is created or stored. Effective management of shadow data demands a thorough understanding of where this data resides, how it is accessed, and the potential vulnerabilities it may introduce. Recognizing the nuanced differences between Shadow IT and Shadow Data is essential for developing effective governance and security strategies. 

By clearly delineating between the tools and the data they produce, organizations can better tailor their approaches to mitigate the risks associated with each. This distinction allows for more targeted and efficient protection measures, ultimately enhancing the organization's overall security posture and compliance efforts.