What is Shadow IT and Why Your Legal Team Should Be Concerned

Before the COVID-19 pandemic, legal technology writers like myself wrote about BYOD (Bring Your Own Device) policies and how they affect the eDiscovery process. But since March 2020 and the great migration from offices and law firms to kitchens and spare bedrooms, BYOD has morphed into what is being called Shadow IT.

What is Shadow IT?

Shadow IT is nothing new, really, but the move to remote work exacerbated the risks that were already there. Shadow IT is a term that covers all of the technology and communication platforms that members of an organization are using outside of the organization’s known IT resources.

This should be no surprise to anyone. With the rise of free or affordable SaaS offerings, it’s now easier than ever for teams, departments, and individuals to use tools outside of their organization’s approved list. One person may use their own project management, communication, graphic design, and video editing tools, and a peer on the same team may use a different set of the same tools, all while their company computers are loaded with a third set of tools its IT department approved. And this doesn’t include the tools employees may be using on their mobile devices or the personal email accounts and collaboration apps which may also be used for business purposes.

One article cites a 2017 Gartner estimate that 20 to 50% of organization spending on applications is unknown by IT departments. If this was the case in 2017, we can definitely assume that number has grown in the last 18 months with the speedy move to remote work for businesses and law firms in response to the COVID-19 pandemic.

What Are the Risks of Shadow IT?

Data security is probably the largest risk, which is highlighted in this installment of the eDiscovery Blues comic. In the past, IT worked hard to create secure systems for their organizations, but if everyone is operating outside of that secure system, then all that work goes out the window. In the cartoon, the IT manager is correct in saying his company’s system is ISO 27001 compliant, but it’s been a long time since people have been in the office to use the system.

Another risk for legal teams is the possibility of an investigation or litigation. Shadow IT contains discoverable Electronically Stored Information (ESI), which must be identified, preserved, and collected the same as any other business-related data. But with it dispersed across multiple platforms, which may or may not be known by IT and Legal, completing the discovery process becomes much more challenging, particularly when there is a timeline which must be adhered to under the Rules of Civil Procedure.

What Can Organizations Do to Avoid the Risks of Shadow IT?

A recent article on SearchCIO offers some of these tips as first steps:

  • Maintain an up-to-date inventory of all resources within the IT infrastructure and update it regularly using network inventory technology or other relevant applications.
  • If a BYOD (bring your own device) policy exists, consider updating it to address shadow IT activities.
  • Ensure that members of a CIO’s senior leadership team keep an eye out for possible shadow installations and include this as a periodic agenda item at staff meetings.
  • Establish policy and protocols for dealing with shadow IT activities and review them with HR and legal departments.
  • Establish penalties for employees identified as conducting shadow IT activities; coordinate this with Human Resources.

How Information Governance Technology Can Help with Shadow IT Risks

In order to do something about Shadow IT, you have to shed some light on it. And this is where Information Governance technology can help.

With a strong Information Governance program in place, your organization is more prepared and better equipped to deal with the risks that come with Shadow IT. Information Governance technology can give you a comprehensive view of all your live and archived information across multiple systems, including regulated data like PII, PCI, and PHI. It can also give you the evidence-based reporting you need to enforce policies on BYOD and Shadow IT.

With the rise of the Delta Variant of COVID, it looks like work may continue to operate remotely for some time. Shadow IT is here to stay. Don’t keep your organization in the dark.

Listen to our recent webinar to learn more about how to deal with your Shadow Information problem.