Shadow IT In Remote Work

Remote and hybrid working have brought major benefits to businesses, but they have also opened the door to one of the most persistent security challenges: shadow IT. Employees regularly use unauthorised devices and applications to access, store, and transfer corporate data, often bypassing security policies in the process.

This introduces risks that IT teams struggle to control, particularly when it comes to removable storage devices such as USB sticks.

Securing portable storage and enforcing stricter device controls must be a priority. Without clear policies and robust security measures, businesses risk data breaches, regulatory non-compliance, and reputational damage.

The Hidden Risks Of Shadow IT

Shadow IT occurs when employees use personal devices or unapproved software to carry out work-related tasks. Often, this isn’t malicious; staff may turn to familiar tools for convenience or efficiency. However, these unauthorised actions create security gaps that traditional IT frameworks may fail to detect.

A major issue is the use of personal USB sticks, external hard drives, and other portable storage devices. These devices can easily be lost or stolen, putting sensitive corporate data at risk. Worse still, they can introduce malware into an organisation’s network, bypassing existing security defences.

Apricorn’s latest research highlights that 74% of surveyed IT decision makers said their organisation’s mobile/remote workers are willing to comply with security measures but don’t have the necessary skills or technology to keep data safe, and 60% expect their mobile/remote workers to expose them to the risk of a data breach. Securing corporate data is an ongoing challenge, and with remote work now standard practice, it is becoming harder for IT teams to monitor how and where data is being stored and transferred.

Why Securing Portable Storage Is Critical

Organisations cannot afford to ignore the risks posed by unmanaged storage devices. Recent high-profile data breaches have demonstrated just how damaging the loss of sensitive information can be. Financial penalties for non-compliance with data protection regulations such as GDPR can be severe, and the reputational fallout can be even more costly.

Blocking the use of all portable storage devices isn’t a practical solution. Employees need secure ways to move and store data, particularly when working remotely or travelling. 

Companies must implement strict policies that allow only corporately issued, hardware-encrypted USB devices to connect to company systems. These devices provide a controlled environment, preventing unauthorised access and ensuring that all stored data remains protected. Positively, a staggering 96% of organisations now enforce a policy that mandates encryption for all data held on removable media, according to Apricorn’s latest research.

Locking down USB ports to accept only approved devices is another crucial step, and a good additional measure for eliminating the risks associated with personal storage use.

Enforcing Security Policies In Remote Environments

Even with secure storage in place, policies must be actively enforced. Businesses need to establish clear guidelines on device usage, making it explicit that personal USB sticks and external drives are not permitted. These policies should be supported by technical controls that prevent unauthorised devices from connecting to corporate networks.

Endpoint Detection and Response (EDR) solutions can play a key role here, helping IT teams monitor which devices are being used and flagging any unauthorised access attempts. Real-time tracking and automated alerts ensure that any suspicious activity is quickly identified and dealt with before it can escalate into a security incident.
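The monitoring described above, together with the approved-device check behind port lockdown, can be sketched as follows. This is an added example, not code from the article or from any vendor's product: it scans Linux kernel log lines for USB mass-storage attachments and flags any drive whose vendor ID, product ID and serial number are not on an allowlist. The allowlist entries, the sample log and the function name are constructed for illustration.

```python
import re

# Approved corporate drives as (vendor_id, product_id, serial). Constructed values.
APPROVED = {("1234", "abcd", "CORP0001"), ("1234", "abcd", "CORP0002")}

FOUND = re.compile(r"usb ([\d.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb ([\d.-]+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([\d.-]+):[\d.]+: USB Mass Storage device detected")

# Constructed sample of Linux kernel log lines (not captured from a real host).
SAMPLE_LOG = """\
usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-2: SerialNumber: CORP0001
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: New USB device found, idVendor=5678, idProduct=0001, bcdDevice= 1.00
usb 1-3: SerialNumber: HOME9999
usb-storage 1-3:1.0: USB Mass Storage device detected
usb 1-4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb-storage 1-4:1.0: USB Mass Storage device detected
usb 1-5: New USB device found, idVendor=9abc, idProduct=0002, bcdDevice= 1.00
usb 1-5: SerialNumber: KEYBOARD1
"""

def unapproved_storage(log_text, approved=APPROVED):
    """Return (port, vid, pid, serial) for each storage device not on the allowlist."""
    devices = {}  # port -> descriptor fields seen so far for the device on that port
    alerts = []
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            devices[m.group(1)] = {"vid": m.group(2), "pid": m.group(3), "serial": None}
        elif m := SERIAL.search(line):
            if m.group(1) in devices:
                devices[m.group(1)]["serial"] = m.group(2)
        elif m := STORAGE.search(line):
            dev = devices.get(m.group(1))
            if dev is None:
                # Storage attached with no descriptor lines in the log: cannot be approved.
                alerts.append((m.group(1), None, None, None))
            elif (dev["vid"], dev["pid"], dev["serial"]) not in approved:
                # Covers unknown devices and approved models that report no serial.
                alerts.append((m.group(1), dev["vid"], dev["pid"], dev["serial"]))
    return alerts
```

Vendor ID, product ID and serial number are reported by the device itself, so a check like this is a monitoring signal alongside port lockdown and hardware encryption rather than a substitute for them.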

Education is equally important. Employees must understand the risks of shadow IT and the role they play in protecting company data. Regular security training should include best practices for handling sensitive information, recognising potential threats, and securely using authorised storage devices.

Balancing Security With Usability

Businesses need to strike a balance between security and usability. If security measures are too restrictive, employees may try to bypass them. The key is to provide approved alternatives that are both secure and convenient.

Mandating the use of encrypted USB devices and locking down ports is not about limiting productivity; it’s about ensuring that sensitive data stays within a controlled environment. By giving employees the right tools, businesses can reduce reliance on shadow IT without disrupting workflow and productivity.

Businesses that fail to address shadow IT risk losing control of their sensitive data, putting themselves at greater risk of breaches and compliance failures.

By securing portable storage, enforcing strict device policies, and educating employees on best practices, organisations can significantly reduce their exposure to security threats. 

Jon Fielding is Managing Director, EMEA at Apricorn
