Shadow IT: the looming cybersecurity threat you probably aren't addressing

A new survey has found that a majority of companies are leaving themselves exposed to a suite of legal, reputational and financial risks associated with the use of unsanctioned information-sharing apps, or 'shadow IT'.

Two employees sharing a work file on Dropbox seems on its own quite harmless. However, without proper oversight from both the legal and IT departments, the growing use of ‘unsanctioned’ cloud-based apps by employees will leave companies vulnerable to a whole new level of risk.

If unmonitored by the IT department, cloud-based information sharing can leave confidential, sensitive or legally privileged documents susceptible to ambush by third parties. According to a new report from legal services provider Consilio, ‘shadow IT’ poses a variety of unacceptable risks: inadvertent exposure of sensitive data, possible theft of intellectual property, regulatory compliance failures, the inability to adequately identify relevant data for e-discovery, service outages and the inadequate application of document retention, to name a few.

A slow response 

What’s more troubling is that in spite of the risks, legal and IT professionals are only sluggishly rising to the challenge of managing shadow IT. Of the 148 legal technology professionals surveyed by Consilio, only 26 per cent said that they ‘very often’ address security risks associated with shadow IT. By contrast, 45 per cent said they looked at these risks ‘sometimes’ and over 25 per cent of respondents said they ‘rarely’ or ‘never’ did.

'The use of cloud-based applications in business is exploding, and many times management may not even know the full scope of unsanctioned cloud application use across the enterprise,' warns Consilio managing director John Loveland. 'This mushrooming utilisation has vastly outpaced the risk and compliance measures needed to adequately manage risks for the protection of intellectual property, compliance, data privacy [and] records retention, among others,' he adds. 

Serious headaches 

A laissez-faire approach to shadow IT is woefully insufficient given the daunting scale of the problem. According to research conducted two years ago by security vendor CipherCloud, the average North American company has approximately 1,245 cloud-based applications in use across its workforce—a staggering 86 per cent of which have not been sanctioned by the company’s IT department.

Moreover, only 55 per cent of respondents to Consilio’s study said that workplace data stored on cloud-based apps is ‘often’ or ‘almost always’ considered, making e-discovery for the purposes of litigation a ‘complicated and expensive’ process for workplaces brimming with unsanctioned cloud-based information sharing. 

What to do?

According to Mr Loveland, cracking down on shadow IT apps and the risks they pose may require a bit of tough love from in-house legal and technology departments. ‘Certain applications provide little value with a lot of risk; you should probably take steps to block those applications,’ he said. Instead, legal and IT departments should collaborate to identify a small group of useful and sturdy cloud-based apps to sanction for employee use and put controls in place around them.

Sources: Consilio; Corporate Counsel; CipherCloud
