Cyber Bytes: Shadow Data and Its Cybersecurity Risks

According to Cybercrime Magazine, global data storage is expected to exceed 200 zettabytes in 2025. One zettabyte is equal to a billion terabytes or a trillion gigabytes. That’s a lot of data to secure.
Inside the corners of those storage systems lurks shadow data: unchecked and uncontrolled data that could expose your company’s sensitive information to criminals.
What is shadow data?Shadow data is information created, stored and managed inside systems or applications that aren’t under your company’s control or fly outside the radar of internal cybersecurity scans. It usually happens when employees use nonapproved or nonstandard applications for work-related activities. This is known as “shadow IT.” Employees are often well-intentioned when installing these applications, typically using the software for productivity and workarounds.
External networks might be less vigilant about policing downloaded apps or employees’ devices. But in-person employees can have the same effect if you don’t have a clear policy on safeguarding data, how it’s used and what’s shared on connected systems. These include Internet of Things devices, personal devices and artificial intelligence (AI) systems.
A shadow data example
Let’s say your employee downloads an outside application for a presentation they’re giving to their team. They upload proprietary company data as part of the presentation. Their app saves information to an unknown file location on your network and in the cloud. The file location isn’t part of the usual cybersecurity scans and remains off the radar.
A few weeks later, a cybergang breaches your company’s networks and discovers rogue apps installed on some computers. They’re familiar with the app and know where to find its backup files. (Hackers are adept at locating and exploiting cybersecurity weaknesses, including known software vulnerabilities and hidden backup files left by apps.) They grab the backup folders, knowing they could contain valuable information and they’re not encrypted because they’re not part of your company’s cybersecurity scans.
The cybergang isolates data from the employee presentation that contains internal tech and release notes about your top-secret product launch. They demand a ransom in exchange for not leaking your proprietary data.
Shadow data risks and mitigationsThe proliferation of data makes it harder to track and safeguard. Shadow data risk is a trending cybersecurity issue that debuted in IBM’s Cost of a Data Breach Report 2024. According to the 2024 report, shadow data breaches are rising in frequency and cost:

• 35% of all breaches involved shadow data.
• Shadow data theft costs 16% more than the typical breach.
• Shadow data breaches are harder to identify and contain, especially across multiple data environments (public cloud, private cloud and on-premises).
• 35% of breaches involved shadow data across multiple storage environments (public cloud, private cloud and on-premises).
• 25% of shadow data breaches were on-premises, confirming it’s not just a cloud storage problem.

To combat shadow data, you’ll need robust cybersecurity. This includes zero-trust architecture and strict policies on software and devices. (Zero-trust architecture treats all network traffic as a potential threat.)
Cybersecurity exposures and mitigationsHere are some other security considerations:

• Shadow data can lead to unsecured data, increasing the possibility of a breach.
• Shadow data may violate the General Data Protection Regulation and the Health Insurance Portability and Accountability Act. Sensitive data could be stored outside secured and compliant systems, resulting in legal troubles and severe fines.
• Uncontrolled applications can become outdated or lack adequate cybersecurity, making them a prime target for hackers. They could lead to a zero-day vulnerability in your system. (This is a vulnerability that’s unknown to software developers, until cybercriminals exploit it.)
• Shadow IT increases the chances of insider threats of stealing or manipulating your data.
• Shadow data may delay the detection of and response to cyber threats, leading to increased damage and substantial costs.

Here are some ways to mitigate shadow data risks:

• Set clear policies on using nonsanctioned applications. Communicate them to your employees.
• Run regular audits to uncover unauthorized applications within your company.
• Train your employees on the risks of shadow data when using nonsanctioned apps. Promote safer software practices.
• Implement technology solutions that discover, control and protect shadow IT.
• Involve your IT teams so they can assess application security and fit within your company’s IT ecosystem.
• Establish processes to back up critical data regularly.
• Stay current on evolving technology guidelines like the National Security Agency’s Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems.
• Use data privacy tools to identify sensitive data stored on your networks, especially on generative AI systems.

AI shadow data riskIBM’s report also addressed the need for companies to secure AI systems. Set up safety measures if you’re using AI in any part of your workflow.
Secure your AI data, including AI training data, to avoid theft and misuse. Hackers could pollute your AI’s training data to skew its outputs. They could steal intellectual property and sensitive information as shadow data uploaded as part of an AI prompt.
An AI shadow data example
Imagine you roll out a generative AI application on your internal networks. Your executive team has decided to share a summary of their quarterly updates on performance issues, finances, and strategic plans with some of the department heads. They ask AI to summarize the meeting document into a single-page overview, keeping all names anonymous. It returns an accurate summary without any personal information.
Unbeknownst to them, the AI incorporated the original executive document into its training data repository for future reference, leaving employee and financial information in an unsecured area. This shadow data puts your company at risk of noncompliance with privacy laws, leaving the doors open for lawsuits and other liabilities.
Shadow data awarenessKeep your data and employees out of the shadows. Be transparent about your cybersecurity policies and why staying within tech boundaries is essential. If there’s an application your employees regularly use, maybe it’s time to officially bring that software on board so employees can use it safely. Whether in the cloud or your internal network, ensure your cybersecurity plan works to bring shadow data into the light.

​Article: Cyber Bytes: Shadow Data and Its Cybersecurity Risks | F. Frederick Breuninger & Son Insurance, Inc. (myappliedproducts.com)

Joseph S. Regenski, III[email protected]

F. Frederick Breuninger & Son Insurance, Inc.
1140 W Lincoln Hwy
Coatesville, PA 19320
www.binsured.com

---