As we've discussed before, there are many roadblocks to a successful information governance project. One major issue not mentioned in that post is Shadow IT.
What is it?
Let's start by defining Shadow IT. According to Gartner, Shadow IT refers to IT devices, software and services outside the ownership or control of IT organizations. The proliferation of Shadow IT is likely due to the consumerization of business applications. Users are familiar with downloading and installing apps without needing help or consent from the IT department.
The average employee actively uses 30 cloud services, including eight collaboration services, five file-sharing services and four content-sharing services, according to a study from cloud security firm SkyHigh Networks.
What are the risks?
There are significant risks to many areas of an organization from Shadow IT including: intellectual property, compliance, data privacy, eDiscovery, and records retention. All of these risks are the exact things we are trying to mitigate with any information governance project.
This issue is unfortunately rather widespread: 45% of all applications used by organizations are in the cloud, but only half of those are visible to IT, according to a Ponemon Institute survey. Organizations have a difficult enough time governing and protecting their in-house data, and this Shadow IT multiplies the risks exponentially.
The good news is that legal professionals are aware of this potential landmine. According to a survey conducted by Consilio, 64 percent of legal technology professionals cited “inadvertent disclosure of sensitive data” as the biggest risk of using cloud-based applications. At the same time, 55 percent of respondents at law firms and in-house law departments revealed that workplace data stored on cloud applications is “often” or “almost always” considered in legal or investigatory matters.
Finally, it is critical to understand that even though your organization is not storing this data on a cloud service they "own", it will still be held liable for the information and any potential consequences were it to leak or be breached.
How do we fix this problem?
Similar to any other information governance project, we must assemble a team to address this enormous risk. A good place to start may be your company's general counsel. Since many of these risks deal with regulations and compliance, they will be particularly motivated to mitigate these issues. We must also include the records team and of course a key stakeholder from the IT department.
Step back and assess
Once a team has been assembled, the first step is to ensure we have a complete view of all of the places company data could be living. It is crucial to know what types of records are being stored, if any protection processes are in place as well as who has access to this data. This will be a difficult step since these cloud applications may or may not be sanctioned by the organization.
It is important to impress upon all employees the seriousness of this information governance project as their cooperation will be necessary. Luckily, there are technologies that can assist with this Shadow IT assessment. The key here is to understand the true scope of the data and where it is moving, paying special attention to sensitive information.
Remember, completeness is more important than swiftness in this step as it sets the table for the remainder of the project.
Create the new rules
Once the extent of the Shadow IT lurking in your organization has been discovered, it is time to set the new rules and processes to address it. The key consideration here will be to balance stringency with usability. While protecting sensitive records is clearly the goal, overly complicated workflows will be the undoing of any information governance project. This is why we here at RecordLion believe in automation at every step.
Below are 8 simple rules to get started:
Clearly establish ownership of compliance and data privacy
Assess the process for any information shared outside the organization
Identify any Personally Identifiable Information (PII) and create appropriate business processes that include IT, legal and the records management team
Ensure policies are in place to meet federal, state, local and industry regulations
PII must be limited not only by user but by location
Clean up ROT data based on an approved retention schedule
Use encryption techniques whenever possible
The ability to have audit trails, logging and monitoring is essential to defensible disposition
Along with the rules will be the decision on which apps will be allowed. If you find for example, that many employees are using Dropbox, it may make sense to allow this app to be used going forward under the control and supervision of the IT and legal departments.
Clearly communicate the plan
Of course, these rules will be useless if they are not properly communicated throughout the organization. The team should develop a plan for the announcement and subsequent follow ups needed to ensure compliance.
At this stage, it would be pertinent to involve stakeholders from every department as they will help to inform their teams as well as spot any potential issues the new policies could produce. Since every department may have different processes when it comes to records, this involvement is critical. Additionally, having the message come from someone within their own department will make it more relatable.
Like any information governance project, ongoing monitoring and improvement will ensure success. As the way the company interacts with various types of data changes, the policies must adapt as well.
Continued training and enforcement of these policies must also be a part of the future. They must be included in new employee training, annual reviews, and other visible areas within the organization. The end goal of this project is to have a positive and productive relationship with our data. A company's expanse of data should always be an asset, not a liability.
By Shawn Cosby