by Mike Semel, Certified Security Compliance Specialist


In just seconds an employee can move your most sensitive data to an unauthorized cloud service outside of your control, meaning you will lose control of that data forever.

What is Shadow IT?

Shadow IT is the unapproved IT solutions and cloud services that employees use on their own, including consumer-grade file sharing, personal email, remote computer access, thumb drives, and computer and cell phone backup services.

Companies that have invested heavily in network security are finding out that their own users, mostly with good intentions, are unknowingly putting proprietary and legally protected company data at risk by bypassing company rules (and the IT department). Many times it is because the company did not anticipate what employees need and did not have an approved solution in place.


As consumers we love FREE. Free online sharing. Free email.

We love EASY and QUICK.

Easy to install. Easy to understand. Easy to use. Easy to access from anywhere. Easy for someone in a department to sign up for and start using immediately. Or, while working from home, easy to send company information to your personal email address so you can easily print it.

We also like CHEAP (but not as much as free).

Cheap online backup. Cheap thumb drives. Cheap smartphones and tablets. Cheap Cloud solutions. Cheap remote access tools to connect from home. Cheap enough to pay for and expense without getting permission from the IT department.

How can this kill your business?

Data is worth more than gold. It can include confidential or proprietary information that your company depends on to exist. Think about your proprietary information - your version of the Coca-Cola formula or the Kentucky Fried Chicken recipe. Or think about your customer lists, proprietary designs and processes, business and marketing plans, contracts, HR and payroll records, salaries, commission plans, protected financial or health care information, student records, passwords, security codes, data covered by confidentiality agreements, and more.

Employees want to work from home or a remote office, or they want to bring a bonus to their new employer, so they email customer lists and business documents to their personal email addresses. Or they may copy them to thumb drives or save them to Dropbox or a similar consumer-grade file sharing service.

E-mail and file sharing services synchronize to their smartphone, which may be automatically backed up through their cellular carrier in case their phone is lost or stolen. When they quit or are terminated will you even know your data was lost? Even if you wipe their phone, your data may still be in the phone’s online backup. Ouch.

What if your employees are malicious?

I have dealt with distraught business owners whose employees:

  • embezzled money;
  • stole customer lists and business data to take to a new employer;
  • deleted important files to get even for a perceived insult;
  • lost devices that contained protected information and created reportable data breaches; and
  • stored company files in free e-mail systems whose terms and conditions allowed the provider not just to read the mail, but to publish it.

What can you do?

There is no single answer.

You need to combine Administrative, Physical, and Technical safeguards to stop Shadow IT.

  1. Stop Shadow IT by educating your workforce about the risks of consumer solutions, which don’t adequately protect your data. Use reminders so they don’t forget and they know you are serious.
  2. Implement policies and sanctions and enforce your requirements.
  3. Work with your employees to make sure they remove corporate data from cloud services you don’t control.
  4. Regularly assess your devices and inspect them for file sharing tools, remote access tools, and any data you don’t want to leave your organization. Remove anything not authorized.
  5. Have your IT department or Managed Service Provider utilize a discovery tool to identify unauthorized file sharing by analyzing your web traffic.
  6. Implement DLP (data loss prevention) and MDM (mobile device management) tools to protect a critical asset: your data.
  7. Work with your IT department or solution provider to anticipate your users’ needs and identify secure tools to enable your employees to accomplish their goals so they don’t need to come up with their own solutions.
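As an added example (not from the article or from Semel Consulting), here is a small Python script of the kind a discovery tool from step 5 might run over proxy logs: it flags uploads to consumer file-sharing and personal e-mail domains and totals them per user. The log format, the domain watchlist (apart from Dropbox, which the article names) and the review threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed watchlist of consumer-grade file-sharing / personal-mail domains.
# Dropbox is named in the article; the others are placeholder names.
UNAPPROVED_DOMAINS = (
    "dropbox.com",
    "personal-webmail.example",
    "consumer-share.example",
)

# Constructed proxy log: "<time> <user> <method> <host> <bytes sent by client>"
SAMPLE_LOG = """\
2024-03-01T09:12:03 alice POST content.dropbox.com 48211000
2024-03-01T09:15:40 alice GET www.corp-intranet.example 1200
2024-03-01T10:02:11 bob POST mail.personal-webmail.example 2600000
2024-03-01T10:30:55 carol GET cdn.consumer-share.example 900
2024-03-01T11:01:09 bob POST content.dropbox.com 7300000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def matching_domain(host: str):
    """Return the watchlisted domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in UNAPPROVED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None  # "notdropbox.com" must not match "dropbox.com"

def summarize_uploads(log_text: str) -> dict:
    """Return {user: {domain: bytes uploaded}} for traffic to unapproved services.
    Only uploads (POST/PUT) count, since those are what move data out."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the report
        _, user, method, host, sent = m.groups()
        domain = matching_domain(host)
        if domain and method in ("POST", "PUT"):
            totals[user][domain] += int(sent)
    return {user: dict(per_domain) for user, per_domain in totals.items()}

def users_over_threshold(summary: dict, limit_bytes: int) -> list:
    """Users whose total uploads to unapproved services exceed limit_bytes."""
    return sorted(u for u, d in summary.items() if sum(d.values()) > limit_bytes)
```

Run `summarize_uploads(SAMPLE_LOG)` and then `users_over_threshold(..., 10_000_000)` to get the short list of users worth a conversation under step 3.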

Semel Consulting advises Defense Contractors, HIPAA Covered Entities & Business Associates, and other businesses to properly protect their data against loss, theft, and unauthorized access.



Certified Security Compliance Specialist  |  Certified Business Continuity Professional  | CMMC-AB Registered Practitioner |  Certified Health IT Consultant

Certified HIPAA Security Professional  |  Certified HIPAA Administrator  |  Certified HIPAA Professional