Clinton Email Fiasco: Did you look at the footnotes?

Did Clinton unwittingly become the face of Shadow IT? Some lessons worth noting.

Pratima Harigunani

John Hurley


USA: It all started with a home-based server that carried state secrets.

Until the most recent occupant, few Secretaries of State had used the official email address to conduct government business, mostly because email had only relatively recently been introduced. Of the preceding Secretaries of State, Condoleezza Rice, Colin Powell and Madeleine Albright, only one, Powell, used email frequently, and he relied on a personal email account to do it.

However, most former Secretaries of State didn’t rely on a private server, hosted in a Chappaqua home, to conduct official government business.


In 2015, when Clinton was being investigated for a different matter, congressional investigators noticed that she had never sent any emails from her official email account. This proved to be a problem since many of the emails contained information vital to national security. While the State Department’s official server was secure by government standards, the private email and server did not have the same level of security and were vulnerable to attacks. Since then, Clinton has unwittingly become the face of Shadow IT.

At this moment, most businesses probably aren’t sharing state secrets, but information that’s just as vital to the company is flowing in and out every minute, often on devices and sites that aren’t IT-approved or that IT has no knowledge of. This trend, known as Shadow IT, is the use of hardware or software that is not approved by IT for company, or in Clinton’s case, government use.



Why is Shadow IT So Common?

It’s not that employees want to use apps, devices or programs that bypass IT, it’s that they want to get their jobs done and will find ways to accomplish that, even if they’re outside of IT’s approval.

Often an employee is given outdated tools that make certain tasks more onerous than they should be. Sometimes IT has a tool that could be used, but employees have not been educated on its use.


Although IT shoulders the majority of the blame, it isn't entirely IT's fault either: the department may have a slow approval process, or may not have the budget to constantly track every new technology that employees could be using. IT may set down guidelines for file-sharing tools and cloud accounts, but if management doesn't enforce them, employees ignore them.

By now, businesses are starting to feel the effects of Shadow IT. According to a study done by Cisco, IT departments think their companies are using somewhere around 51 cloud services. But when asked, respondents of Cisco’s study owned up to using more than 730 different cloud services. IBM released a Cost of Data Breach study in 2015 that found that, all together, data breaches can cost a company an average of $3.8 million. Broken down, that’s about $145 to $154 per sensitive document or file.

How to Identify Shadow IT


There is a Catch-22 when it comes to Shadow IT. Even though IT does not permit the use of outside apps or programs, they’re still responsible for what happens when employees do go outside the business for file sharing or management. Even when IT hasn’t asked for or approved an app, employees may come to them for help with it. It’s up to the IT department to monitor and detect usage that may harm the company or lead to a data breach.

So, what should IT departments do?

1. Monitor Bandwidth


With a good bandwidth monitoring tool, you should be able to track more than just performance. Start looking at the traffic from devices and web applications. If you find that certain employees are using far more bandwidth than others, even though they should technically be using the same software or tools, it's possible they're using outside applications or cloud providers.

On a similar note, you should measure file sizes as they leave your network. Use visual analytics tools that allow you to see the sizes that are being transferred.

2. Auto Discovery


Auto discovery helps to find new devices that are plugged into the network by pinging them. If it's a smartphone, it's not so much the device that will cause the problem but the apps on the device. Who's using an unauthorized device, and for what reason? Other devices to keep an eye out for range from wireless access points to flash drives and external hard drives, which employees may use to remove sensitive data from the company.

3. URL Filtering

Cloud services are accessed through a web-based interface. Try using a URL filtering tool to track all of the major cloud service websites employees are using. You can start blocking the sites that pose the most risk, but know that employees may just switch to a mobile device if they can't access a site on a work computer. The more IT departments attempt to lock down usage, the more likely employees are to seek outside resources.
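As an added illustration of items 1 and 3 (not code from the article or from SmartFile), the following script runs two of the checks described above over a small set of constructed proxy log lines: it flags users whose outbound volume far exceeds that of their peers, and users who sent data to domains on an unsanctioned cloud-sharing watch list. The log format, the domains and the 10x ratio are all assumptions chosen for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample of outbound proxy log lines (not real traffic):
# "<timestamp> <user> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2016-03-01T09:02:11 alice mail.example-corp.internal 18230
2016-03-01T09:05:47 bob files.consumer-share.example 412000000
2016-03-01T09:07:03 carol docs.example-corp.internal 22100
2016-03-01T09:15:20 bob files.consumer-share.example 388000000
2016-03-01T09:30:12 alice crm.example-corp.internal 9100
2016-03-01T09:41:55 dave sync.personal-drive.example 65000000
2016-03-01T10:02:30 carol mail.example-corp.internal 15400
"""

# Constructed watch list of unsanctioned cloud-sharing domains (placeholders).
UNSANCTIONED_DOMAINS = {"files.consumer-share.example", "sync.personal-drive.example"}


def parse_log(text):
    """Parse each line into (user, host, bytes_out); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        records.append((parts[1], parts[2], int(parts[3])))
    return records


def find_shadow_it(records, ratio=10.0):
    """Return findings per user: total bytes out, whether that total exceeds
    the peer median by `ratio` times, and any unsanctioned hosts contacted."""
    bytes_by_user = defaultdict(int)
    hosts_by_user = defaultdict(set)
    for user, host, nbytes in records:
        bytes_by_user[user] += nbytes
        if host in UNSANCTIONED_DOMAINS:
            hosts_by_user[user].add(host)
    median = statistics.median(bytes_by_user.values()) if bytes_by_user else 0
    findings = {}
    for user, total in bytes_by_user.items():
        heavy = median > 0 and total > ratio * median
        unsanctioned = sorted(hosts_by_user[user])
        if heavy or unsanctioned:  # only report users that trip a check
            findings[user] = {"bytes_out": total, "heavy_sender": heavy,
                              "unsanctioned_hosts": unsanctioned}
    return findings
```

On the constructed sample, bob is flagged on both checks and dave on the domain check alone; the same logic can be pointed at exported proxy or firewall logs once the column order is adjusted.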

4. DLP and DAM

Using a cloud Data Loss Prevention (DLP) tool can help you scan inside of cloud files to find if sensitive company documents are vulnerable. Database Activity Monitoring (DAM) tools can help identify large data dumps to cloud providers that aren’t approved. Most, if not all, of these tools come with activity alerts that can prove helpful in monitoring.

5. Outsource It

If you don't have the time or ability to track shadow IT, you can outsource it. Several companies have popped up in response to the shadow IT threat, offering services that track all cloud site usage, tools that detect cloud apps and shadow apps, and products that monitor usage across several platforms, including Salesforce, Office 365, Box, Dropbox and Google Drive.

6. Start Talking

It's unlikely that IT will ever completely eliminate Shadow IT usage, because it's an issue that touches every level of a company. Company culture has an effect, too: for example, are employees told not to bring in their own devices while the C-level execs bring in a new smartphone every other week? This kind of imbalance can cause employees to do as they see, not as they're told.

Having a good rapport with employees can be especially beneficial. First, find out why employees are using non-approved apps and programs. Is it cutting their work time in half? Does it have a better UI or response time? There’s most likely a good reason they’re using it.

Once you have the answers, educate them about the tools you already have, or consider adopting a business version of the tools they're used to.

Next, put policies in place and make sure they are well known. Start annual training sessions that educate employees about the security risks and data breaches they are opening the company up to when they engage in Shadow IT behaviors. Management will need to be involved to enforce attendance and adherence with the policies.

If you take the time to explain to them why and how their usage is affecting the company, they may stop. You may also find some valuable programs that would be worth looking into. For instance, if your employees love to use cloud sharing products, find one that has the ease-of-use of a consumer cloud product with the security and protections of an enterprise-level product. Eventually, you may be able to curtail some of the effects of shadow IT and make employees happy and productive without putting your security at risk.

(John Hurley is president and co-founder of SmartFile which provides and secures file sharing and file management. The views expressed here are those of the author and CyberMedia does not necessarily endorse them)
