KalioTek Blog

KalioTek has been serving the San Jose area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

The Risk of Shadow IT to Startups

Your startup is coming together with 5 colleagues who are consulting with other companies or moonlighting from their current jobs.  You’re making presentations to investors and interviewing candidates for key founding roles.  It’s an exciting time. You’re all thinking about the product and market opportunity, not about the security of the valuable IP being created. Everyone is using different IT tools – personal consumer email, Dropbox, Office 365, Google Docs, etc. As companies get formed, it is not uncommon for this ad-hoc structure to persist for some time.

 

We recently wrote about the concern for emerging companies of losing valuable IP through AI platforms, sometimes called “Shadow AI”.  Another risk to proprietary information is the individual use of insecure public services by employees, often referred to as “Shadow IT”.

Shadow IT is a significant concern for venture-funded companies whose very existence may be based on keeping their product secrets private.  Small, rapidly growing companies often rely on the flexibility and initiative of their small staffs to get stuff done quickly with whatever tools are readily available.  Entrepreneurs are not likely to wait around for approved policies or for IT to meet their immediate needs.  They often do company work on their personal home computers and phones, mixing company data with personal data.  Whenever a service or device is used that is not controlled and secured by the company, you are at risk of exposing sensitive information that can harm the company. That information could be in sales proposals, contracts, financial reports, private correspondence, investment and strategy documents, patent filings, key scientific results or technical product communication threads.

We’ve found that these habits can persist long after startups have set up their own IT infrastructures.  The later this is addressed, the bigger the mess there is to clean up.  Yet, we can’t deny that it’s unrealistic to expect entrepreneurial teams to work in an overly restricted IT environment.  A reasonable, practical solution is needed.

Where are the risks?

  • Cloud applications: file storage, chat, messaging, email, other business and consumer apps.
  • Insecure services provide routes for exfiltration of proprietary IP outside your control.
  • They may also provide openings for ransomware, malware and other malicious attacks.
  • Potential loss of devices (phones, computers) storing company data.

What to do

  • A comprehensive approach is needed to combat these risks.
  • First, set up company-controlled cloud resources from pre-vetted vendors that meet employees’ needs:  email and productivity apps, cloud storage, video conferencing, departmental apps for sales, HR, product development, data management, scientific analysis, labs, etc.  A Managed Service Provider familiar with the specific industry and stage of business can provide invaluable help to design a secure yet practical IT ecosystem.
  • Use the firewall and an SSE (Security Service Edge) tool to block access to known insecure destinations.
  • Deploy endpoint management software on phones, computers, servers to restrict insecure access from devices when they are outside the network, and monitor apps being used.
  • Monitor for insecure behavior with a SIEM (Security Information and Event Management) tool.
  • Conduct employee training on authorized company IT tools and warn against use of known high-risk public tools.
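
The monitoring step above can start with a simple comparison of outbound proxy traffic against the list of company-controlled services. The following is an added example, not KalioTek's tooling: the log format, the placeholder `.example` domains, the 10 MiB threshold and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: services the company has vetted and controls (placeholder domains).
SANCTIONED = {"corp-mail.example", "corp-storage.example"}
UPLOAD_ALERT_BYTES = 10 * 1024 * 1024  # assumed threshold: 10 MiB per user per host

# Constructed sample proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2026-01-12T09:14:03Z alice POST files.corp-storage.example 5242880
2026-01-12T09:15:40Z alice POST upload.personal-drive.example 8388608
2026-01-12T09:16:02Z alice POST upload.personal-drive.example 4194304
2026-01-12T10:01:11Z bob GET webmail.consumer-mail.example 2048
2026-01-12T10:02:57Z bob POST notcorp-storage.example 1024
this line is malformed and must be skipped
"""

def is_sanctioned(host, sanctioned=SANCTIONED):
    """Match the domain itself or a true subdomain, never a bare string suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def find_shadow_it(log_text, sanctioned=SANCTIONED):
    """Return {(user, host): bytes_sent} for traffic to unsanctioned hosts."""
    usage = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of crashing
        _ts, user, _method, host, sent = parts
        if not is_sanctioned(host, sanctioned):
            usage[(user, host.lower().rstrip("."))] += int(sent)
    return dict(usage)

def alerts(usage, threshold=UPLOAD_ALERT_BYTES):
    """Pairs whose upload volume suggests bulk data leaving company control."""
    return sorted(k for k, v in usage.items() if v >= threshold)

if __name__ == "__main__":
    usage = find_shadow_it(SAMPLE_LOG)
    flagged = alerts(usage)
    for (user, host), sent in sorted(usage.items()):
        level = "ALERT" if (user, host) in flagged else "info"
        print(f"{level:5} {user:6} {host:32} {sent} bytes sent")
```

The lookalike host `notcorp-storage.example` is reported because the match requires a dot boundary before the sanctioned domain; a plain suffix comparison would have let it through.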

Having served technology and life science startups for over 20 years, KalioTek’s team understands that it’s not realistic to expect most startups to care about the risks of shadow IT in their formative stage.  However, it is the responsibility of management to set a strategy for more secure operations, while giving employees the flexibility and practical tools to innovate and move quickly.

Monday, 19 January 2026
