Shadow IT In Remote Work

Uploaded on 2025-03-14 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Remote and hybrid working have brought major benefits to businesses, but they have also opened the door to one of the most persistent security challenges - shadow IT. Employees regularly use unauthorised devices and applications to access, store, and transfer corporate data, often bypassing security policies in the process.

This introduces risks that IT teams struggle to control, particularly when it comes to removable storage devices such as USB sticks.

Securing portable storage and enforcing stricter device controls must be a priority. Without clear policies and robust security measures, businesses risk data breaches, regulatory non-compliance, and reputational damage.

The Hidden Risks Of Shadow IT

Shadow IT occurs when employees use personal devices or unapproved software to carry out work-related tasks. Often, this isn’t malicious, staff may turn to familiar tools for convenience or efficiency. However, these unauthorised actions create security gaps that traditional IT frameworks may fail to detect.

A major issue is the use of personal USB sticks, external hard drives, and other portable storage devices. These devices can easily be lost or stolen, putting sensitive corporate data at risk. Worse still, they can introduce malware into an organisation’s network, bypassing existing security defences.

Apricorn’s latest research highlights that 74% of surveyed IT decision makers said that their organisation’s mobile/remote workers are willing to comply with security measures, but they don’t have the necessary skills or technology to keep data safe and 60% expect their mobile/remote workers to expose them to the risk of a data breach. Securing corporate data is an ongoing challenge, and with remote work now standard practice, it is becoming harder for IT teams to monitor how and where data is being stored and transferred.

Why Securing Portable Storage Is Critical

Organisations cannot afford to ignore the risks posed by unmanaged storage devices. Recent high-profile data breaches have demonstrated just how damaging the loss of sensitive information can be. Financial penalties for non-compliance with data protection regulations such as GDPR can be severe, and the reputational fallout can be even more costly.

Blocking the use of all portable storage devices isn’t a practical solution. Employees need secure ways to move and store data, particularly when working remotely or travelling. 

Companies must implement strict policies that allow only corporately issued, hardware-encrypted USB devices to connect to company systems. These devices provide a controlled environment, preventing unauthorised access and ensuring that all stored data remains protected. Positively, a staggering 96% of organisations now enforce a policy that mandates encryption for all data held on removable media, according to Apricorn’s latest research.

Locking down USB ports to accept only approved devices is another crucial step and a good addition to eliminate the risks associated with personal storage use.

Enforcing Security Policies In Remote Environments

Even with secure storage in place, policies must be actively enforced. Businesses need to establish clear guidelines on device usage, making it explicit that personal USB sticks and external drives are not permitted. These policies should be supported by technical controls that prevent unauthorised devices from connecting to corporate networks.

Endpoint Detection and Response (EDR) solutions can play a key role here, helping IT teams monitor which devices are being used and flagging any unauthorised access attempts. Real-time tracking and automated alerts ensure that any suspicious activity is quickly identified and dealt with before it can escalate into a security incident.

Education is equally important. Employees must understand the risks of shadow IT and the role they play in protecting company data. Regular security training should include best practices for handling sensitive information, recognising potential threats, and securely using authorised storage devices.

Balancing Security With Usability

Businesses need to strike a balance between security and usability. If security measures are too restrictive, employees may try to bypass them. The key is to provide approved alternatives that are both secure and convenient.

Mandating the use of encrypted USB devices and locking down ports is not about limiting productivity, it’s about ensuring that sensitive data stays within a controlled environment. By giving employees the right tools, businesses can reduce reliance on shadow IT without disrupting workflow and productivity.

Businesses that fail to address shadow IT risk losing control of their sensitive data, putting themselves at greater risk of breaches and compliance failures.

By securing portable storage, enforcing strict device policies, and educating employees on best practices, organisations can significantly reduce their exposure to security threats. 

Jon Fielding is Managing Director, EMEA at Apricorn

Image: Pixabay

You Might Also Read: 

Taking The You Out Of USB:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

« What Apple's Standoff With The UK Government Means For Your Data
Medusa Ransomware Attacks Focus On Critical Infrastructure »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

C3IA Solutions

C3IA Solutions

C3IA Solutions is an NCSC-certified Cyber Consultancy providing assured, tailored advice to keep your information secure and data protected.

QA Systems

QA Systems

QA Systems provides software testing solutions for safety and business critical sectors and software safety and security standards.

Cysec - TU Darmstadt

Cysec - TU Darmstadt

CYSEC is the Cybersecurity faculty of the Technical University of Darmstadt and performs internationally renowned research in numerous areas of cybersecurity.

National Institute of Information and Communications Technology (NICT) - Japan

National Institute of Information and Communications Technology (NICT) - Japan

NICT is Japan’s sole National Research and Development Agency specializing in the field of information and communications technology.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

ThreatAdvice

ThreatAdvice

ThreatAdvice is a provider of cybersecurity education, awareness and threat intelligence.

Grupo CFI

Grupo CFI

Grupo CFI is the largest Spanish network of data protection and cybersecurity professionals.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Atlantic Data Security

Atlantic Data Security

Atlantic Data Security is skilled in the analysis, recommendation, deployment, and management of all critical components of the security infrastructure.

J.S. Held

J.S. Held

J.S. Held is a global consulting firm providing technical, scientific, and financial expertise across all assets and value at risk.

Gotham Security

Gotham Security

Gotham Security delivers high-quality penetration testing, malicious adversary simulation, compliance program development, and threat intelligence services.

CERT.ar

CERT.ar

CERT.ar is the national Computer Emergency Response Team for the technical-administrative management of computer security incidents in the National Public Sector of Argentina.

Emantra

Emantra

Emantra specialises in the enablement of Secure Cloud services through it’s comprehensive Sovereign Cloud Hosting, Secure Access Service Edge, and managed services.

Career Smarter

Career Smarter

Career Smarter offers accredited online courses in cybersecurity and other sectors, helping learners gain industry-recognised certifications.

CyFox

CyFox

CYFOX is at the forefront of cybersecurity innovation, specializing in providing cutting-edge AI-driven solutions tailored for any businesses.

Element

Element

Element is a new type of communications platform. It combines consumer messaging apps, collaboration tools and video conferencing to replace email, address shadow IT and improve security.