Shadow IT In Remote Work

Remote and hybrid working have brought major benefits to businesses, but they have also opened the door to one of the most persistent security challenges - shadow IT. Employees regularly use unauthorised devices and applications to access, store, and transfer corporate data, often bypassing security policies in the process.

This introduces risks that IT teams struggle to control, particularly when it comes to removable storage devices such as USB sticks.

Securing portable storage and enforcing stricter device controls must be a priority. Without clear policies and robust security measures, businesses risk data breaches, regulatory non-compliance, and reputational damage.

The Hidden Risks Of Shadow IT

Shadow IT occurs when employees use personal devices or unapproved software to carry out work-related tasks. Often, this isn’t malicious, staff may turn to familiar tools for convenience or efficiency. However, these unauthorised actions create security gaps that traditional IT frameworks may fail to detect.

A major issue is the use of personal USB sticks, external hard drives, and other portable storage devices. These devices can easily be lost or stolen, putting sensitive corporate data at risk. Worse still, they can introduce malware into an organisation’s network, bypassing existing security defences.

Apricorn’s latest research highlights that 74% of surveyed IT decision makers said that their organisation’s mobile/remote workers are willing to comply with security measures, but they don’t have the necessary skills or technology to keep data safe and 60% expect their mobile/remote workers to expose them to the risk of a data breach. Securing corporate data is an ongoing challenge, and with remote work now standard practice, it is becoming harder for IT teams to monitor how and where data is being stored and transferred.

Why Securing Portable Storage Is Critical

Organisations cannot afford to ignore the risks posed by unmanaged storage devices. Recent high-profile data breaches have demonstrated just how damaging the loss of sensitive information can be. Financial penalties for non-compliance with data protection regulations such as GDPR can be severe, and the reputational fallout can be even more costly.

Blocking the use of all portable storage devices isn’t a practical solution. Employees need secure ways to move and store data, particularly when working remotely or travelling. 

Companies must implement strict policies that allow only corporately issued, hardware-encrypted USB devices to connect to company systems. These devices provide a controlled environment, preventing unauthorised access and ensuring that all stored data remains protected. Positively, a staggering 96% of organisations now enforce a policy that mandates encryption for all data held on removable media, according to Apricorn’s latest research.

Locking down USB ports to accept only approved devices is another crucial step and a good addition to eliminate the risks associated with personal storage use.

Enforcing Security Policies In Remote Environments

Even with secure storage in place, policies must be actively enforced. Businesses need to establish clear guidelines on device usage, making it explicit that personal USB sticks and external drives are not permitted. These policies should be supported by technical controls that prevent unauthorised devices from connecting to corporate networks.

Endpoint Detection and Response (EDR) solutions can play a key role here, helping IT teams monitor which devices are being used and flagging any unauthorised access attempts. Real-time tracking and automated alerts ensure that any suspicious activity is quickly identified and dealt with before it can escalate into a security incident.

Education is equally important. Employees must understand the risks of shadow IT and the role they play in protecting company data. Regular security training should include best practices for handling sensitive information, recognising potential threats, and securely using authorised storage devices.

Balancing Security With Usability

Businesses need to strike a balance between security and usability. If security measures are too restrictive, employees may try to bypass them. The key is to provide approved alternatives that are both secure and convenient.

Mandating the use of encrypted USB devices and locking down ports is not about limiting productivity, it’s about ensuring that sensitive data stays within a controlled environment. By giving employees the right tools, businesses can reduce reliance on shadow IT without disrupting workflow and productivity.

Businesses that fail to address shadow IT risk losing control of their sensitive data, putting themselves at greater risk of breaches and compliance failures.

By securing portable storage, enforcing strict device policies, and educating employees on best practices, organisations can significantly reduce their exposure to security threats. 

Jon Fielding is Managing Director, EMEA at Apricorn

Image: Pixabay

You Might Also Read: 

Taking The You Out Of USB:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« What Apple's Standoff With The UK Government Means For Your Data
Medusa Ransomware Attacks Focus On Critical Infrastructure »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Original Software

Original Software

Original Software offers a test automation solution focused completely on the goal of effective software quality management.

Kenna Security

Kenna Security

Kenna Security is a risk intelligence & vulnerability management platform that helps prioritize and remediate vulnerabilities.

OneSpan

OneSpan

OneSpan (formerly Vasco Data Security) is a global leader in digital identity security, transaction security and business productivity.

Data61

Data61

Data61 is Australia’s leading digital research network offering the research capabilities, IP and collaboration programs to unleash the country’s digital & data-driven potential.

Kippeo Technologies

Kippeo Technologies

Kippeo is a security systems integrator providing innovative solutions that look at all the parameters and connect all the dots.

International Data Sanitization Consortium (IDSC)

International Data Sanitization Consortium (IDSC)

IDSC is a group composed of individuals and companies dedicated to standardizing terminology and practices across the data sanitization industry.

QNu Labs

QNu Labs

QNu Labs’s quantum-safe cryptography products and solutions assure unconditional security of critical data on the internet and cloud across all industry verticals, globally.

Transmit Security

Transmit Security

The Transmit Security Platform provides a solution for managing identity across applications while maintaining security and usability.

Trava Security

Trava Security

Trava simplifies cyber risk management for business owners and IT professionals. Automated assessments, mitigation advising, and data-driven cyber insurance.

Rimstorm

Rimstorm

Rimstorm’s mission is to significantly improve the security of your data using award-winning, state-of-the-art technology combined with cyber managed security services.

Microminder Cyber Security

Microminder Cyber Security

Microminder Cyber Security are innovators, advisors, strategists committed to solving your cyber security challenges.

Entech

Entech

Entech is a managed IT service provider. We work behind the scenes on your network to ensure data security and integrity.

ZILLIONe

ZILLIONe

ZILLIONe is one of Sri Lanka´s top enterprise technology solutions providers.

Anetac

Anetac

Developed by seasoned cybersecurity experts, the Anetac Identity and Security Platform protects threat surface exploited via service accounts.

Gibbs Consulting

Gibbs Consulting

Gibbs Consulting provides innovative, flexible, on-demand IT Services and IT Consulting that delivers value and successful outcomes for our clients.

Crisis24

Crisis24

Crisis24 is a leading integrated risk management, crisis response, consulting, and global protective solutions firm.