What Is Shadow IT?
The first problem with cautioning lawyers about the dangers of “shadow IT” is that most of them have no earthly idea what it is. So let’s start there.
Leading research company Gartner defines shadow IT as IT devices, software and services (including cloud services) outside the ownership or control of the IT department of a business.
Once lawyers understand the definition, they generally say that everything is within the control of their IT department. Most of the time, that answer would be wrong, though many don’t know it.
Just the Facts, Please
Studies by Gartner have revealed that shadow IT constitutes an amazing 30% to 40% of IT spending in big enterprises. Advisory firm CEB estimates that the percentage is 40%. Everest Group research states that it makes up 50% or more of the spending. No need to split hairs — all three numbers are big.
Small law firms are not immune to this trend. How many law firm services are in the cloud, especially today? And are they all under the control and direction of the IT department? The likely answer is no.
Are They All Renegades?
Absolutely not. In fact, shadow IT is sometimes implicitly permitted or even encouraged. Many would argue that shadow IT makes businesses more competitive and allows for enhanced collaboration and innovation. In their view, users discover applications or services that allow them to do their jobs better or more easily, and IT can subsequently go in and secure the applications or services. In our experience, this is not a useful way to approach risky behavior by employees, the consequences of which can be dire.
Why do employees go outside the firm’s IT folks? Sometimes, an IT department moves slower than the average tortoise or routinely raises objections to what employees want. Undeterred, employees make an end-run around the rules, It is generally simple for those who have access to data to put it where they want and use it as they wish using tools or services that may not be authorized.
IT departments are often burdened by having a limited number of employees and constant demand for providing services. Sometimes those outside the IT department are pretty sharp technologically — and running shadow IT operations doesn’t intimidate them.
Cloud services and other vendors make it darn easy to implement new solutions. Just think about artificial intelligence; once it was complicated to implement, but now it is so easy that solos and small firms do it all the time.
Can’t You Control Shadow IT by Policies or Technology?
No. Ignoring policies is routine in most places. Employees know what they want to do, and policies frequently do not deter them. Often, they think the evasion of the policy is good for the law firm, that it allows for better solutions.
A good example is Dropbox, where we see many e-discovery productions made, usually without encrypting the data before sharing it via Dropbox. There may be a policy against using Dropbox without encrypting sensitive data first, but many lawyers will ignore that policy. Using technology to block access to Dropbox is possible but very unpopular with lawyers, who do indeed have many uses for it that do not involve sensitive data. The consequence is that IT rejects blocking as a solution, relying on the policy instead. And we’ve seen how well that goes.
This puts the IT department in a difficult position. IT mandates “don’t do this,” someone does do it, and there is no apparent harm. We say “apparent harm” because often the shadow IT solutions are riskier. They are not vetted by the IT department, which is responsible for ensuring the law firm’s security and compliance with any number of laws and regulations. It’s a conundrum. IT often attempts to block certain applications, but employees’ ability to find a way around the blocking is uncanny. Shucks, if Dropbox is blocked, not a problem. Google Drive, OneDrive or any other cloud storage will work just fine too.
A New Enemy in Town: Shadow Policies
Security experts have worried about shadow IT for a long time, but now they must add shadow policies to the mix. The larger the law firm, the more prevalent shadow policies are. They are rogue policies written by a particular group or department that are never reviewed or approved, and are made part of the firm’s policies.
Yet they expose the law firm to legal liability by setting their own duty of care to employees. If something goes south and rogue policies are discovered, the doors to legal liability may be thrown open. Many shadow policies are written by people who are not experts at writing policies – without review, they often bear little relation to the law firm’s official policies. And yet, an entire department may abide by them.
Shadow policies were spurred by the pandemic, with collaboration between distinct groups becoming more intense. Perhaps it was natural that they sought to write their own policies.
As crazy as it sounds, there needs to be a policy on writing policies. Why? Because it establishes the framework of policy management, sets forth how policies should be written and approved, etc.
All policies should be in one place where all employees know they can find them. Train employees: If they discover a shadow policy that is not in the centralized policy list, they need to report that policy.
Battening Down the Hatches
In a June 2021 study by security company Hysolate, the authors stressed what seems inevitable from the data cited above. Employees need both more freedoms and more restrictions. Moreover, most of those surveyed by Hysolate reported that their 2021 budgets included addressing remote IT challenges, including shadow IT.
This statistic stood out: Only 7% of users do not complain about security restrictions, but the remaining 93% look for ways to bypass them. With that mentality, we can certainly understand how hard it is to contain shadow IT.
The goal is to batten down the hatches while allowing increased employee IT freedom. In the Hysolate study, 87% of respondents want to increase employee IT freedoms, while 79% want to increase restrictions. IT respondents want to afford employees more freedom (the major freedoms being to browse the internet freely, install third-party apps and plugins, print at home, and perform personal activities on work devices), but they want it done securely. And therein lies the heart of the problem. Can law firms give employees more IT freedom securely? Can they really batten down the hatches?
According to the survey, the upside is that most people believe that enhanced IT freedoms will increase productivity, make IT policies more palatable and reduce employee frustration.
The authors question whether the price tag of IT freedom is an increased danger to the law firm’s confidential data, but we admittedly look at everything from a security vantage point. We shudder at the installation of unapproved apps and using endpoints for personal activities. The counterargument is that it may be possible to use endpoint privilege management, application isolation, and browser isolation to secure IT operations by employees.
As last year’s Hysolate 2020 report noted in “The CISO’s Dilemma,” IT and security leaders then viewed worker productivity and enterprise security as mutually exclusive objectives. The pandemic appears to have changed that view. At this point, there is a strong push to use isolation and privilege management technologies to afford security and IT freedom.
In conclusion, we may start to see shadow IT come out of the shadows in law firms with the blessing of IT. Everyone is looking for solutions to the risks presented by shadow IT — it remains to be seen if they can successfully utilize technology and processes that afford secure employee IT freedom. And to add another thought to the mix, perhaps law firms should be investigating Zero Trust Network Access instead of battling shadow IT.
Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek is vice president of Sensei Enterprises. He is a Certified Information Systems Security Professional, Certified Ethical Hacker, and nationally known expert in digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia, firm.
Michael C. Maschke is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises. He is an EnCase Certified Examiner, a Certified Computer Examiner, a Certified Ethical Hacker and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.
Subscribe to Attorney at Work
Get really good ideas every day for your law practice: Subscribe to the Daily Dispatch (it’s free). Follow us on Twitter @attnyatwork.