Skip to main content

Shadow IT: The struggle to protect corporate information in the face of growing data fragmentation

How real are the dangers posed by the rise of the bring-your-own phenomenon and data fragmentation and how can businesses become more security-conscious? We chatted with Matthew Ravden, chief strategy officer at Mimecast, to learn more about the issue.

What are the biggest pain points for IT managers when it comes to managing corporate data?

IT departments are struggling to protect and manage their businesses' data due to the fragmentation of information across their network, workgroup systems, public cloud services and storage. We are seeing the problem compounded by departments, workgroups and individual users taking data storage into their own hands without consulting the IT department. This creates a 'Shadow IT' network outside of the IT department's control which means important data could potentially be lost and security risks increased.

What is Shadow IT?

Shadow IT is a term often used to describe the emerging threat of corporate data being shared and stored using systems and applications outside the control of IT. Shadow IT is often made up of consumer-grade services that do not conform to an organisation's requirements for data loss prevention, audit trail, security and reliability.

For the IT manager, Shadow IT refers to all devices, services and software used by employees outside the policies of the organisation. These create a vast amount of unsecured and uncontrolled data. We see it as a threat, always present in the background – like locking up your home but leaving the garage door wide open.

What are the risks of Shadow IT?

The risks associated with Shadow IT are multiple but they fall in to two distinct areas:

First, growing data fragmentation makes finding and accessing the right information at the right time difficult or impossible. This, in turn, hampers business management and decision-making since any data stored outside of an organisation's official IT estate falls outside business intelligence and analytics processes, as well as any eDiscovery capability.

The second threat is to security. With data fragmented across solutions with vastly differing levels of protection and auditability the organisation is vulnerable to employees taking data with them when they leave. It also paves the way for data breaches, which are not only far harder to prevent when data is stored in Shadow IT but also near impossible to detect.

What is causing the issue?

The carefully controlled information management environment IT managers work so hard to create is under threat from all directions. Recent research from Freeform Dynamics (opens in new tab), commissioned by Mimecast, shows that while 'Bring Your Own Device' (BYOD) has been getting a lot of press, data fragmentation is equally worrying – and potentially more damaging. Data can sit across SharePoint, PSTs and stored locally on desktops, C: drives, mobile devices and – most dangerous of all – in end-users' personal clouds. This has created a fragmented data environment where it is extremely difficult for IT to control and secure their organisation's data.

Shadow IT often also leads to shadow expenditure, where employees pay for consumer services with their credit card and expense it. These transactions are near-impossible to detect and happen without the authorisation of IT managers. In this case, not only have IT managers lost control of their data, but also their IT budgets.

Ultimately, the employee is at the heart of this issue; using multiple applications and devices, often without the IT manager's knowledge. You can understand why they do it; they want to be able to use the same applications and embrace the same 'sharing' culture at work that they do in their personal lives. They also sometimes feel forced to use consumer-grade tools because of the restrictions placed on them by IT, including the size of files that can be sent via the corporate email system. Of course, most employees are not conscious of the risk – they just want to use a fast and easy service which will help them get their job done. As well as identifying the potential third-party services used, IT managers need to educate users on the risks involved, in order to ensure corporate policies are respected.

What role do cloud services play?

We are seeing IT leaders increasingly turning to cloud services such as Mimecast's to help them control data fragmentation. Enterprise-grade, but user-friendly cloud services enable IT managers to retain full and centralised policy control by integrating new devices and software. They also empower end-users, for instance allowing them to securely send and receive large files through the existing company email systems – without the need for third-party software, without clogging up storage and without putting undue strain on the Exchange server. At Mimecast, we build cloud services that can archive data from a broad range of data sources including file shares, local folders, SharePoint, Dropbox and Box, so everything is under the control of IT, in a single archive.

Cloud services can also provide secure access to all data sources from common applications or from any mobile device, making sure users can get their data where they need it without leaving the safety of the organisation's IT system. With Mimecast, employees can access data during on-premise service disruptions and within the boundaries of the corporate network.

What role does email play in the problem?

Despite the naysayers predicting the death of email for years, it is still the main tool we use to communicate on a daily basis – at home and at work. Freeform Dynamics' research found that 92 per cent of respondents see email as a common means of storing and sharing critical data within corporations, and 62 per cent say that local offline email stores – for example, PSTs on desktops - are frequently used for storing business information.

But email can also be a hindrance to business collaboration if not managed and structured correctly to protect data and allow employees to share information. That is why cloud services are so important – but only if integrated appropriately into an organisation's IT policies and procedures.

What business impact is increasing information or data fragmentation having?

We believe that ever more businesses are beginning to understand the value of the data held within their own company and the benefits that the intelligent use of data can bring. Data fragmentation prevents businesses from unlocking the power of their data. If you are unable to locate important data, or you are unaware that crucial datasets are missing from your systems, then any attempt at data analytics will be fundamentally flawed.

In addition to you not being able to use your organisation's data positively, increased fragmentation increases the likelihood that it might be used against you. Data stored in consumer-grade systems outside of the secure environment set up and monitored by the IT team will never be protected as effectively and is therefore far more likely to be compromised.

How can IT managers raise the profile of the issue in their company/with employees?

Today's CIOs are no longer simply managers of IT real estate. They are becoming custodians of corporate data, with increasing amounts of their physical infrastructure being relocated to the cloud to be managed by third parties. This means that the CIO's primary focus is now securing their organisation's data, storing and managing it cost effectively and then making it work harder for both end users and the business as a whole.

As we've seen, the growing prevalence of Shadow IT means that the IT department cannot do this alone. IT teams need to make sure that the workforce is remaining 'on the reservation' and not being drawn away by the promise of other consumer-friendly tools and applications. With so much choice available to the average IT user, it is impossible for an IT team to go through this by dictating to employees. IT departments should be looking to engage with them, educating them about the potential risks and working to provide the functionality and ease of use that they require within the corporate environment.

What specific actions can businesses take to tackle the problem?

There are several actions that can be taken straight away. The research we commissioned with Freeform Dynamics identified an 'Elite' category; a group of businesses which excelled in taking measures to tackle the issue. They measure ROI in business and IT terms and their executives take a balanced view; considering business visibility, enhanced decision-making and user productivity, as well as risk management. They also understand their data and establish comprehensive policies and procedures to inform decisions on what data is important, and what needs to be kept where and for how long.

They establish and police policies for how different storage mechanisms should be used. They define and communicate policies on what data should be held in enterprise, personal, network, cloud and local storage to have a clear view of resources. They have clear guidance on data encryption and back-up practices and they pay particular attention to mobile devices and cloud storage; especially the management of data on personal or 'non-authorised' devices and services.

Elite organisations protect all data types and implement specific measures to ensure adequate protection of all forms of data in their organisation; from PCs, file shares and application data to IT managed or personal cloud storage, and – crucially – their company email system.

Elite IT managers use systems, processes and automation to reduce costs of routine monitoring, management, troubleshooting and support. They use cloud and hosted services to consolidate storage in the cloud and they use a cloud service that gives users access to data easily via a browser or mobile app. This preserves anytime, anywhere access benefits for users while ensuring that managers have total control.

They also choose to use archiving systems and procedures to reduce storage costs by moving information to long-term, read-only storage when it is no longer active. Modern archiving means users can still get easy access to it when needed while staying in the boundaries of the company's policy.

What role do cloud service vendors play in solving the problem?

Cloud vendors have a critical role to play in solving the problems of Shadow IT since they are uniquely placed to meet the needs of both IT managers and end users. By creating a safe, intuitive to use and easy to manage environment, cloud vendors can be a major ally to IT managers who want to keep users from straying beyond their official corporate systems.

At Mimecast, we work with our customers to ensure that all their email data – and the files sent and received as part of that email traffic – is archived and retained according to each customer's retention requirements.

We are also helping IT managers get control of corporate data in their Shadow IT network; helping them bring files held outside the network in, for example, cloud services into corporate management with services like Mimecast File Archive. This way, they know where their data is and that it is safe. And with our mobile apps, they know that those that need to can access critical data safely and securely at any time. With our archiving service they can also integrate those large email-based information stores easily. All this is then protected with our continuity service which means they can even use this if their corporate email systems experience a failure.

Register for IP EXPO 2013 now (opens in new tab)

If you register with, you'll receive:

- Fast-track access to the seminar programme

- Entry into a prize draw for an exclusive gourmet dining experience at IP EXPO ONE Place Dining.

- PLUS: As a loyal reader of ITProPortal, you'll also be able to kick back in the exclusive ITProPortal lounge (opens in new tab), enjoying complimentary beverages and the chance to chat to our expert team of technology writers.

Image credits: Flickr (davidsanders (opens in new tab)), Flickr (FutUndBeidel (opens in new tab))

Désiré Athow

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.