Legal professionals face an obligation to protect client data that extends to digital tools. However, the nature and amount of data they handle makes them cyber threat magnets. As a result, legal service providers must go the extra mile to protect confidential data. Sadly, sometimes it’s employee actions that could lead to a breach. Preventing shadow IT is a key element of safeguarding sensitive data.
Shadow IT is the use of IT tools that have not been authorized by a company’s IT department for work purposes. For example, a paralegal uploads case files and research documents to their personal account at one of the mainstream US-based cloud storage providers to share a single link with the rest of the legal team. At first glance, this action may seem perfectly benign and practical. However, the paralegal’s actions likely constitute a breach of the GDPR, threaten legal professional privilege, and go against guidance issued by the SRA and the Bar Council. Let’s look at why:
- Well-known cloud providers, such as Google Drive, OneDrive, and Dropbox, only secure data in transit and at rest. The files are encrypted on the providers' servers, but the providers hold the keys, so in practice they can read the contents of the files. In addition, automated systems may analyze the contents to provide convenience features, such as full-text search. It also means that if a hacker were to gain access to their systems and find the keys, they could decrypt all your data.
- Mainstream cloud storage providers don’t allow individual users to choose where their data is stored. As a result, the case files uploaded to the service may be on a server in the US, India, or Brazil. Legal documents are often filled with personal data, and storing such files on a server outside the UK or EU is illegal without proper protections in place.
- US-based providers are required by federal law to ensure that US law-enforcement agencies can access the files stored on their servers when presented with a warrant. As a result, US surveillance powers are a direct threat to legal professional privilege in the UK, as highlighted by the Bar Council.
- The Bar Council recommends barristers use zero-knowledge end-to-end encrypted cloud services. The SRA highlights that encryption is a vital safeguard of client confidentiality.
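As an added example (not part of the original post), a constructed Python model of the two key-custody arrangements the bullets above contrast: a provider that encrypts at rest with a key it holds, and a zero-knowledge service where the client's key never leaves the device. The cipher is a toy SHA-256 counter-mode construction used only to make the key custody visible; the file contents and key names are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only, not a production cipher)."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream; a wrong key fails the integrity check."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def provider_side_model(case_file: bytes) -> dict:
    """Mainstream model: the provider encrypts at rest with a key it holds in its own key store."""
    provider_key = os.urandom(32)  # constructed; lives on the provider's systems
    return {"stored": encrypt(provider_key, case_file), "provider_key": provider_key}


def zero_knowledge_model(case_file: bytes) -> Tuple[dict, bytes]:
    """Zero-knowledge model: the client encrypts before upload; the provider stores only ciphertext."""
    client_key = os.urandom(32)  # constructed; stays on the paralegal's device
    return {"stored": encrypt(client_key, case_file)}, client_key


def what_provider_can_read(server_state: dict) -> Optional[bytes]:
    """What an insider, an indexing system or an attacker holding the provider's key store recovers."""
    key = server_state.get("provider_key")
    return decrypt(key, server_state["stored"]) if key else None
```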
What are the causes of shadow IT?
Shadow IT can be a result of several factors. Both overly slack and overly strict internal rules and policies can be among the causes. For example, if digitally inclined lawyers and support staff are left to their own resources, as in the example above, even well-intentioned actions can have dire results. At the other end of the scale, a strict IT security team may find that its guidance is being ignored, especially if it only allows specific tools and offers little or no room for employees to raise new needs and issues.
On the other hand, shadow IT can also be caused by a lack of education. Cybersecurity teams must take time to teach legal professionals the risks associated with shadow IT. In the example above, had clear guidelines been available for the paralegal, or if they had asked IT, the entire situation could likely have been averted. IT could have instructed them on how to act in a compliant manner or helped them begin using an office-sanctioned tool for the purpose.
What are the risks of shadow IT?
We’ve touched on some of the main risks of shadow IT above: data leakage and breaches of legal-professional privilege. However, shadow IT can lead to a myriad of problems for a security team. For example, employees may download software from untrustworthy sources. Such executables may contain malware which then infects their device.
Insecure cloud services are an even more pressing issue. Employees can sign up for them even if they are not administrators on their work machines. The use of unsanctioned tools can result in unauthorized and untraceable changes to files and data. In turn, these can lead to difficulties during audits and compliance reviews.
Finally, if IT does not have a clear list of the software solutions being used on company devices, they may not be able to patch these tools. When security vulnerabilities are disclosed, quick updates are the primary line of defense and should be managed centrally.
The drawbacks of shadow IT
Beyond being a security risk, shadow IT can also be detrimental to productivity and efficiency. First and foremost, this is measurable in the time that legal professionals spend setting up and learning a new system. Some complex tools require know-how and technical skills to roll out properly. Not only can such tasks take much longer for professionals trained in other fields, but errors in settings can also lead to unexpected vulnerabilities. Wherever IT professionals are available, they should handle tool rollout, setup, and education.
Shadow IT may also result in a duplication of efforts in various operations. One clear example is the time spent researching the best solutions to different problems. The IT department may be aware of a need within the company and actively searching for a secure and trusted solution, while other team members are completing similar research, looking for a shadow tool they can deploy as a stop-gap. Clear communication between the two departments could mitigate the effects.
Five tips for fighting back against shadow IT
Some professionals claim that strong policies and monitoring employee devices are the keys to the problem. Others even advocate cultivating a company culture in which employees report their colleagues’ activities, including any shadow IT incidents.
While creating clear policies and using security-focused device monitoring tools are useful in countering shadow IT, they should not be used to actively monitor employees while they work. Furthermore, advocating that employees report one another can lead to work environments in which trust and openness are limited, and even result in the security team being seen as the cause.
Luckily, there are several steps you can take to limit shadow IT in your offices while creating a cooperative and welcoming environment. Let’s dive into five essential tips:
- Accept that policies, monitoring, and limiting employee activity will not solve the problem themselves. One of the most common causes of shadow IT is a technical need within an organization that is unrecognized or unanswered by existing IT tools. Security teams must constantly identify such areas and solve newly arising challenges to limit the spread of shadow solutions.
- Communicate with stakeholders actively and clearly. As noted above, employees will be inclined to wait if your IT department clearly communicates that it is searching for solutions to a recognized need. Furthermore, if policies contain easy-to-understand ways for employees to recommend tools or request authorization for software of their choice, you can create a culture in which two-way communication becomes the norm.
- Be proactive in monitoring trends and gauging needs within the company. Follow trends and learn about new legaltech solutions. Reach out to lawyers, paralegals, and assistants to better understand what tools could be helpful to them in their daily work. Furthermore, never assume that because IT says no to something, teams will not develop a solution without involving IT. Find alternatives to rejected tools and cooperate with teams to find working solutions.
- Educate employees about the importance of cybersecurity. As highlighted in our ongoing series about the greatest cybersecurity threats of 2022, education is a vital tool in countering each of them. Read our guide about improving cyber security at law firms to learn more about the steps you can take and how to educate your team.
- Finally, choose secure tools that don’t get in the way of work. Often, teams will avoid sanctioned secure tools because they are difficult to use, slow, or clunky. Selecting end-to-end encrypted services that emphasize ease-of-use, such as Tresorit, is a great way to improve the adoption of the solutions you choose to secure your operations.
While shadow IT is not automatically a threat to a company, it can very easily become one. Therefore, law firms should take every possible step to limit their exposure to threats. Following the advice above will help you keep client data secure and preserve your peace of mind.