Skip to content

Shadow IT in eDiscovery

| Written by Imogen Fraser-Clark

What is Shadow IT?

Shadow IT refers to information technology systems deployed by individuals or entire departments within a large-scale organisation that are outside of the ownership of the IT department. These systems are often sought to overcome the shortcomings of the central IT system and can have very real data security and compliance implications alongside their impact on discovery. 

Impact Of Shadow IT

The Covid-19 Pandemic has impacted every area of business for the past two years, some more than others. One area that has seen a monumental shift since 2019 is the variety of technologies used in everyday business life. The unprecedented adoption of video platforms such as Teams, Zoom and Google Meets as well as short messaging platforms like Whatsapp for business purposes has led to increasingly diverse filetypes and kinds of data needing to be collected for review, in much higher quantities than previously found.

Hybrid working has thrown another spanner in the works for eDiscovery in the distribution of data to be collected. Processes that were once limited to work PCs and servers are now stored on every employee's personal devices, confidential information left on the family desk rather than in a secure office location etc.

This, of course, is something we had very little control over and has brought about several benefits to the work lives of many. Unfortunately, it has also introduced added complications into the world of eDiscovery. Now add to this the issue of Shadow IT and we can see why in-house eDiscovery service provider teams are struggling more than ever to complete their disclosure projects in a timely and proportionate manner.

Student girl with trainer working on computer and tablet

The biggest problem with Shadow IT is that employees often add to the problem without realising it, whether it is sending that urgent text from your home phone, accidentally leaving your laptop at work so working from your PC, or downloading that bit of software to help with an immediate task without first checking if it is approved. All of these actions contribute to Shadow IT and though they individually are pretty small-scale instances, when multiplied across an entire workforce they quickly begin to build up. 

While the problem of Shadow IT existed before the pandemic, largely due to the longwinded processes involved in IT approving a piece of software, the sudden move to working from home, away from the watchful eye of managers and without easy access to said IT department has led to a massive spike in the amount of Shadow IT being found on devices marked for collection. 

The issue that this creates is the spreading of data. This results in businesses being unable to locate all their data because they don't know what data has been created or where it is being stored. In eDiscovery, you run the risk of missing vital information pertinent to a case because it is stored in some software that the data host didn't know was installed on a device. In terms of GDPR, it is significantly easier to leak sensitive information if there aren't any security measures protecting it, which you cannot put in place if you don't know where the data is, or even if the data exists. This creates a very real danger of sensitive information slipping through the cracks, going undetected – compromising both your cybersecurity and your ability to remain compliant.

How Do We Combat Shadow IT?

The best way to combat the rise of Shadow IT is to educate your workforce on the risks of contributing to the spreading of data and to establish clear policymaking when it comes to vetting and approval of new software by IT. 

Businesswoman doing conference presentation in meeting roomBy educating your workforce you are enabling them to take responsibility and hold accountability for their actions. Holding a GDPR seminar is an excellent way to communicate the risks posed to the company, the clients and themselves should a data breach occur as a result of Shadow IT or any other malpractice. Allow them to ask questions and be ready to take on feedback about what can be done to enable your workforce to practice safer data maintenance. e.g. faster IT approval processes or work phones for instant messaging purposes etc. 

Create clear guidelines for both the IT departments and the rest of your workforce as to what kinds of technologies are likely to be accepted by IT and which ones will NOT be accepted. Ensure that IT also knows that the speed and clarity of their response to a technology request are of the highest priority. If a piece of software/technology isn't accepted make a point of explaining why and ensuring everyone is made aware of these reasons. 

Data security is a constant battle that will be fought as long as there is data in the world to be protected, but it can certainly be made much easier by the effective collaboration between teams working together to keep your information safe. For more information on data security and information governance, why not check out our latest Luddites Guide? You can download it for free by clicking below! 

New call-to-action