Another important aspect, besides IT security in the technical sense, is the set of human and organisational elements that supplement it.

The human and organisational factors are often underestimated in IT security considerations. They give rise to various risks, in particular through social engineering and through employees circumventing IT security measures. Both are common and serious threats to the confidentiality and integrity of a company’s data and trade secrets.

Large companies usually have IT security departments (in some cases, e.g. German stock corporations, a company is even legally obliged to maintain a high level of IT security pro-actively through adequate organisational means such as creating such a department). In many companies, however, no such department exists. In those companies, responsibility for both data protection and data security tends to be concentrated in the company’s data protection officer. Yet assessing data protection on the one hand and data security (IT security) on the other requires different technical background knowledge. Assessing data security effectively demands a high level of specific expertise, which typically cannot be expected from personnel skilled in data protection. It therefore seems advisable to consider making a data security officer a compulsory institution within companies, independent of any (existing) data protection officer.

A very important aspect of the human element is that users, including decision-makers, tend to prefer usability over security even when they are well aware of certain risks. A common example is the increased use of mobile devices by employees and decision-makers, which can be seen as one of the biggest threats to the integrity and confidentiality of a company’s data, in particular because it is often impossible to assess what the code on a mobile device supplied by a third party really does. Decision-makers nevertheless want to use smartphones and accept those risks.

In order to minimise the risks arising from the human element, it is crucial to create awareness across the company’s entire workforce, in particular through adequate training on a regular basis. This helps to create and maintain an understanding of threats and their nature throughout the company.

What should be considered when finding remedies for shadow-IT issues?

In general, the opposing interests to be balanced when finding remedies are the need for a high level of (global) availability of data to those authorised to access it, and the need to maintain the traditional level of IT security, which is fundamentally based on physically separated networks and storage. Moreover, departments dealing with IT security constantly have to contend with the perception that they do not meet users’ requirements, particularly where strict security policies are in place, and consequently have to fight a “shadow IT” set up by the users themselves. If employees perceive processes as too complicated, they will tend to find alternative solutions, such as using their private smartphones to send files to colleagues who need access, thereby bypassing the IT security department entirely.

This becomes even more problematic where critical infrastructures are concerned. One remedy could be the separation of different systems and networks, for example isolating production units from the rest of the network. However, such solutions severely limit flexibility and the ability to adapt, so the increased security risk of a less strict set-up has to be weighed against the productive efficiency gained.

Last but not least, sandboxing could be used as a remedy to create a reasonably controlled environment that keeps security at least somewhat manageable. The process of identifying adequate remedies is, however, still very much in motion.