What is the risk of shadow data in your Not for Profit?
This week, IBM released an interesting study about the cost of cybersecurity data breaches. While the study is definitely based on enterprise-size companies, there are good lessons for smaller Not for Profit organisations too.
The study said that the average cost of a data breach is now about US$4.3 million (note: Australian government data puts this figure much lower, though it still hurts). However, when shadow data has been attacked, that cost jumps to US$5.27 million. That's because it takes so much more time to investigate the attack.
That’s scary when apparently 35% of breaches involved shadow data.
What is shadow data?
So, what exactly is shadow data?
It's data that is not managed, i.e. not stored in the primary systems and data locations of the organisation.
For Not for Profits, I come across shadow data everywhere. Examples I’ve seen include:
- Third-party storage sites like Google Drive or Dropbox used to save and share sensitive information because it's easier than doing so from their secure SharePoint site.
- Downloaded and/or printed documents of stakeholder data.
- Data sitting in old servers that are no longer managed and yet not decommissioned.
- Data stored in free or cheap third-party software bought with a credit card.
- Stakeholder data stored by third-party service partners, which range from event managers and tele-fundraisers to advisors.
The risk of shadow data
Shadow data, by its nature, is not controlled. Those managing the other data systems (like the IT department or Managed Service Provider) probably don’t even know these locations exist.
As a result, the data is neither classified, restricted nor managed, which significantly increases the organisation's risk of a cyber breach.
The risk of using AI tools
There is an additional risk of sharing data with AI tools. The study provided an example of a healthcare organisation sharing X-rays with an AI cloud tool to identify anomalies.
However, given the easy-to-penetrate nature of such tools, a hacker could easily intercept that upload and demand a ransom payment to avoid sharing it with the world.
While I haven’t seen any Not for Profits use AI tools this way yet, I do know of employees that have uploaded spreadsheets of data into such tools to analyse them.
This risk is real!
How to reduce your shadow data risk?
In my experience, most Not for Profits don’t do a great job of managing their primary data. Nevertheless, shadow data must also be addressed in any data strategy.
Here are a few ways to reduce your risks.
- Conduct a data inventory with the additional intent of locating any shadow data.
- Classify your data – most Not for Profits have not done this even for their managed data sources.
- Create policies and procedures to manage all data (some can be set up within the systems themselves), including the need for eliminating shadow data where possible.
- Add an acceptable use of AI policy.
- Train staff to manage data appropriately – this is never done, and yet it offers the biggest return on investment for reducing such risks!
Final thoughts
While most Not for Profits struggle to manage their primary data sources, there are significant cybersecurity risks for shadow data as well.
Organisations that recognise this risk and include mitigations in their overall data strategy will have a stronger cybersecurity posture.
I regularly help Not for Profits with cybersecurity audits and risk mitigations. Let me know if you need some help.
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.

