Shadow IT In Remote Work

Uploaded on 2025-03-14 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Remote and hybrid working have brought major benefits to businesses, but they have also opened the door to one of the most persistent security challenges - shadow IT. Employees regularly use unauthorised devices and applications to access, store, and transfer corporate data, often bypassing security policies in the process.

This introduces risks that IT teams struggle to control, particularly when it comes to removable storage devices such as USB sticks.

Securing portable storage and enforcing stricter device controls must be a priority. Without clear policies and robust security measures, businesses risk data breaches, regulatory non-compliance, and reputational damage.

The Hidden Risks Of Shadow IT

Shadow IT occurs when employees use personal devices or unapproved software to carry out work-related tasks. Often, this isn’t malicious, staff may turn to familiar tools for convenience or efficiency. However, these unauthorised actions create security gaps that traditional IT frameworks may fail to detect.

A major issue is the use of personal USB sticks, external hard drives, and other portable storage devices. These devices can easily be lost or stolen, putting sensitive corporate data at risk. Worse still, they can introduce malware into an organisation’s network, bypassing existing security defences.

Apricorn’s latest research highlights that 74% of surveyed IT decision makers said that their organisation’s mobile/remote workers are willing to comply with security measures, but they don’t have the necessary skills or technology to keep data safe and 60% expect their mobile/remote workers to expose them to the risk of a data breach. Securing corporate data is an ongoing challenge, and with remote work now standard practice, it is becoming harder for IT teams to monitor how and where data is being stored and transferred.

Why Securing Portable Storage Is Critical

Organisations cannot afford to ignore the risks posed by unmanaged storage devices. Recent high-profile data breaches have demonstrated just how damaging the loss of sensitive information can be. Financial penalties for non-compliance with data protection regulations such as GDPR can be severe, and the reputational fallout can be even more costly.

Blocking the use of all portable storage devices isn’t a practical solution. Employees need secure ways to move and store data, particularly when working remotely or travelling. 

Companies must implement strict policies that allow only corporately issued, hardware-encrypted USB devices to connect to company systems. These devices provide a controlled environment, preventing unauthorised access and ensuring that all stored data remains protected. Positively, a staggering 96% of organisations now enforce a policy that mandates encryption for all data held on removable media, according to Apricorn’s latest research.

Locking down USB ports to accept only approved devices is another crucial step and a good addition to eliminate the risks associated with personal storage use.

Enforcing Security Policies In Remote Environments

Even with secure storage in place, policies must be actively enforced. Businesses need to establish clear guidelines on device usage, making it explicit that personal USB sticks and external drives are not permitted. These policies should be supported by technical controls that prevent unauthorised devices from connecting to corporate networks.

Endpoint Detection and Response (EDR) solutions can play a key role here, helping IT teams monitor which devices are being used and flagging any unauthorised access attempts. Real-time tracking and automated alerts ensure that any suspicious activity is quickly identified and dealt with before it can escalate into a security incident.

Education is equally important. Employees must understand the risks of shadow IT and the role they play in protecting company data. Regular security training should include best practices for handling sensitive information, recognising potential threats, and securely using authorised storage devices.

Balancing Security With Usability

Businesses need to strike a balance between security and usability. If security measures are too restrictive, employees may try to bypass them. The key is to provide approved alternatives that are both secure and convenient.

Mandating the use of encrypted USB devices and locking down ports is not about limiting productivity, it’s about ensuring that sensitive data stays within a controlled environment. By giving employees the right tools, businesses can reduce reliance on shadow IT without disrupting workflow and productivity.

Businesses that fail to address shadow IT risk losing control of their sensitive data, putting themselves at greater risk of breaches and compliance failures.

By securing portable storage, enforcing strict device policies, and educating employees on best practices, organisations can significantly reduce their exposure to security threats. 

Jon Fielding is Managing Director, EMEA at Apricorn

Image: Pixabay

You Might Also Read: 

Taking The You Out Of USB:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

« What Apple's Standoff With The UK Government Means For Your Data
Medusa Ransomware Attacks Focus On Critical Infrastructure »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Atlantic Council

Atlantic Council

The Atlantic Council's Cyber Statecraft Initiative focuses on international cooperation, competition, and conflict in cyberspace.

Telefonica Tech

Telefonica Tech

Telefónica Cyber Security Tech is focused on the prevention, detection and appropriate response to security incidents aimed at protecting your digital services.

IntelliGO Networks

IntelliGO Networks

IntelliGO Networks is a cybersecurity company focused on Managed Detection and Response (MDR).

Nok Nok Labs

Nok Nok Labs

Nok Nok is a market leader in next generation authentication for cloud, mobile and IoT applications.

e-Crime Bureau

e-Crime Bureau

e-Crime Bureau is a specialized company offering cyber/computer forensics, cyber security consulting services, forensic audit and investigations services and training to clients across Africa.

SevenShift

SevenShift

SevenShift is a security consulting firm with a wealth of experience in the worlds of Cybersecurity and Internet of Things (IoT).

Naoris Protocol

Naoris Protocol

Naoris is the world’s first holistic blockchain-based cybersecurity ecosystem, bringing a game-changing solution to address 35 years of industry similar practice.

Partnership for Conflict, Crime and Security Research (PaCCS)

Partnership for Conflict, Crime and Security Research (PaCCS)

PaCCS delivers high quality and cutting edge research to improve our understanding of current and future global security challenges in areas including cybersecurity.

boxxe

boxxe

boxxe create flexible IT infrastructures, collaborative global workspaces and data clarity, all underpinned by world-leading security.

Aurora Systems Consulting

Aurora Systems Consulting

Aurora is a Cybersecurity solutions provider with a portfolio consisting of security consulting, products and services that proactively prevent, secure and manage advanced threats and malware.

Cyber Defence Solutions (CDS)

Cyber Defence Solutions (CDS)

Cyber Defence Solutions is a cyber and privacy Consultancy with extensive experience in the development and implementation of cyber and data security solutions to your assets.

ITSEC Asia

ITSEC Asia

ITSEC Asia works to effectively reduce exposure to information security threats and improve the effectiveness of its clients' information security management systems.

Kompleye

Kompleye

Kompleye is a recognized cybersecurity and compliance audit organization that offer a comprehensive solution for different industries.

Metmox

Metmox

Metmox mission is to be trusted advisor and partner to protect our customer’s evolving Cloud, Network, Application, IT infrastructure and cybersecurity needs.

LockMagic

LockMagic

Lockmagic is an information asset management solution to protect, track, audit and control accesses to sensitive information inside and outside your organization.

Potech

Potech

Potech provides masterful services in Information & Technology and Cybersecurity to multiple markets across the world.