Effective data discovery is essential for effective data security and a crucial part of discovery is having visibility. Even if you have excellent discovery methods in place, you're at risk to the degree that you don’t apply them to all parts of your organization.
Hidden data is everywhere, and it’s up to you as a security leader to ensure you’re on top of your company’s entire digital footprint. It’s the only way to truly ensure data and asset security.
Shadow IT, even more important in the age of AI
Every new employee represents additional risk if they’re not properly onboarded into the organization’s protocols for IT-related tasks. A lack of training regarding what the employee can and cannot share opens the door to risk. This results in shadow IT, which can be a major risk factor for organizations.
Shadow IT may be as innocuous as adding a third-party app to help with social media, or running voice recordings through a cloud-based voice transcription site that holds onto data—a minefield for companies in highly regulated sectors.
This is a much more pressing risk with AI. Whether it is a one-off conversation with an AI chatbot or a more involved integration, AI use carries a massive data risk. Simply using ChatGPT might throw companies into data non-compliance, especially while a current court order that enjoins OpenAI to retain every customer conversation remains in force. Regarding more integrated partnerships, companies utilizing AI coding agents risk having confidential, proprietary code shared with third parties.
Employees might not know what should and shouldn’t be divulged to AI, especially if the usage includes uploading key documents or integrating databases as part of more involved initiatives. Implementing technical safeguards is essential so that employees don’t fall into the trap of thinking that sharing with AI is okay “just this one time” or “for just this little innocuous piece of information.”
Managing shadow IT, especially with the advent of AI, can be a challenge. It’s not realistic to eliminate it completely and, as CTO of Safetica Zbynek Sopuch says, “shadow IT arises from employees’ need for convenience, agility, and modern tools.”
Almost all major companies have added AI functionality to their products, meaning that AI is now available in many services that employees will need to legitimately use. Companies may also spearhead organizational initiatives to incorporate AI into multiple departments.
All of these scenarios, whether large or small, add a new level of risk for a company’s data, which is why establishing an organization's AI policy and framework is even more important than building in safeguards.
A company’s AI framework should define which usage is acceptable and which isn’t. It should also help users understand the full risks associated with even seemingly innocuous use, as well as which services might have AI integrated into them.
Sopuch recommends that when it comes to AI, “organizations should focus on safe enablement, providing “safe-to-try” sandboxes and clear data boundaries that let teams explore new technologies without exposing critical systems.” By ensuring visibility, trust, and defined escalation paths are in place, organizations can actually leverage shadow IT to their own advantage, turning it “from a security risk into a structured path for innovation, one that balances creativity with control.”
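One practical way to get the visibility Sopuch describes is to check outbound proxy logs against the AI policy's list of sanctioned services and report who is sending data to AI endpoints outside it. The following Python script is an added example, not code from the article or from Safetica; the log lines, the domain names, the sanctioned and known-AI lists, and the 10,000-byte bulk-upload threshold are all constructed assumptions for illustration.

```python
"""Shadow-AI visibility check over outbound proxy logs (added example, stdlib only)."""
import re
from collections import defaultdict

# Constructed sample of outbound web-proxy lines: timestamp user dest_host bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice approved-assistant.example 1840
2024-05-01T09:15:41Z bob chatbot.example.net 52210
2024-05-01T09:16:02Z bob chatbot.example.net 48112
2024-05-01T10:01:17Z carol transcribe.example.org 930000
2024-05-01T10:05:00Z alice intranet.example 2200
2024-05-01T11:30:45Z dave api.approved-assistant.example 720
2024-05-01T12:00:00Z erin chatbot.example.net 300
"""

# Hypothetical AI-policy configuration: services the framework approves, and
# AI/transcription services that are known but not approved. Both are assumptions.
SANCTIONED = {"approved-assistant.example"}
KNOWN_AI = {"chatbot.example.net", "transcribe.example.org"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_log(text):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, user, host, sent = m.groups()
        yield {"ts": ts, "user": user, "host": host.lower(), "bytes": int(sent)}


def audit_shadow_ai(text, sanctioned=SANCTIONED, known_ai=KNOWN_AI, threshold=10_000):
    """Summarise, per user and host, data sent to AI services outside the sanctioned list.

    Traffic to sanctioned services is ignored because the policy already covers it;
    traffic to hosts that are not tracked AI services is ignored as out of scope.
    """
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for ev in parse_log(text):
        if host_matches(ev["host"], sanctioned):
            continue
        if not host_matches(ev["host"], known_ai):
            continue
        key = (ev["user"], ev["host"])
        totals[key]["requests"] += 1
        totals[key]["bytes"] += ev["bytes"]

    findings = []
    for (user, host), t in sorted(totals.items()):
        findings.append({
            "user": user,
            "host": host,
            "requests": t["requests"],
            "bytes": t["bytes"],
            # Large outbound volume to an unapproved AI service is the signal that
            # documents or datasets, not just short prompts, are being uploaded.
            "bulk_upload": t["bytes"] >= threshold,
        })
    return findings


if __name__ == "__main__":
    for f in audit_shadow_ai(SAMPLE_LOG):
        flag = "BULK" if f["bulk_upload"] else "    "
        print(f"{flag} {f['user']:<8} {f['host']:<28} {f['requests']:>3} req {f['bytes']:>8} B")
```

The subdomain check matters in practice: an API endpoint under an approved service should not be reported as shadow usage, while a one-line entry for a user who sent a few hundred bytes still appears in the report, just without the bulk flag, so the security team can decide whether the policy needs to be explained to that person rather than enforced.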
The realities of modern work environments
People don’t work in one place anymore like they used to. In a single day, employees jump between devices, locations, and networks.
Sensitive data follows them everywhere.
This includes bring-your-own-device (BYOD), but goes beyond it, as disparate work environments have become the norm for organizations. The challenge here is whether your company has enough data visibility in place to monitor usage across multiple devices, regardless of whether a given device belongs to the employee or the company.
BYOD policies came into vogue with the proliferation of smartphone usage in work environments and the shift to the cloud. The global COVID pandemic accelerated matters because remote working became the norm in many places, and BYOD became a de facto practice.
Solutions, tools, and processes that facilitate visibility, management, and secure data practices typically can’t be placed on personal devices. Even if they are, tools like mobile device management (MDM) and similar solutions are highly invasive and typically remove ownership controls from the employee and move them to the employer. Naturally, employees resist this.
It’s also unrealistic to expect employees to access work resources only from company-owned devices while at the same time expecting them to be “always on,” as is often the case in our connected age. Requests to “quickly check this email” or similar are blocked entirely if an employee can’t log in to their work email or portal from anything but a sanctioned, correctly provisioned work-approved device.
As a security leader, it’s impossible to control devices and networks outside the company, whether that means an employee’s own device, a public computer at a library, or an employer-owned device connecting to a public Wi-Fi network. Instead, leaders must focus on bringing visibility into when and how employees are connecting to anything tied to your organization, as well as visibility into the data itself. This way, you can monitor and protect your data regardless of the device being used.
Third-party risk
Third-party risk is an ever-present reality and should be part of your visibility and management strategy. Such risks can come in the form of SaaS providers, cloud service providers, software development dependencies, or business outsourcing.
Third-party visibility refers to how third parties interact with and connect to your organization’s assets, data, integrations, and more. In a sense, it could be considered a form of shadow IT, but it is significant enough to note on its own.
The stories of third-party-related data breaches are numerous, such as the 2019/2020 SolarWinds supply chain attack, which led to malicious software being installed in 18,000 organizations, including federal departments and multiple Fortune 500 companies. The resultant breach was described as “the gravest cyber intrusion in [the United States] history.”
The 2019 breach at Capital One that resulted in 100 million stolen credit applications occurred because of a misconfigured AWS server.
A vulnerability in a third-party logging library called Log4j resulted in hundreds of millions of compromised computers in 2019, prompting Germany’s Federal Minister of Information Security to assign the threat its highest threat level.
To address third-party risk, companies need to gain visibility into how these third parties interact with their systems. In an ideal world, security leaders would work only with reputable third-party companies that pose no risk, but it’s a hard fact that vulnerabilities will always exist, and that there’s no such thing as hacker-proof software. By having visibility into third parties and their applications, you can quickly determine whether those parties have access to more information than they strictly need.
For example, the notorious MOVEit hack could’ve been largely mitigated if organizations had encrypted their data before transferring it. A simple public-private key encryption strategy would’ve rendered stolen data useless to the hackers. Visibility into unencrypted data at rest would’ve given security leaders insight into this risk exposure before it became a problem.
Third-party support services, such as outsourced tech support, might also have escalated privileges on your network. Auditing which entities have elevated privileges and excessive data access, and which ones actually need them, is therefore vital.
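The visibility into unencrypted data at rest mentioned above can be approximated with a small discovery scan: walk a share, treat files whose byte entropy sits close to 8 bits per byte as already encrypted (or compressed), and search the remaining plaintext files for sensitive-looking content. The script below is an added example, not code from the article or from Safetica’s product; the sample share it builds, the two content patterns, and the 7.5 bits-per-byte threshold are assumptions for illustration, and the card number it plants is the well-known Luhn-valid test value, not a real account.

```python
"""Discovery of unencrypted sensitive data at rest (added example, stdlib only)."""
import math
import os
import re
import tempfile
from collections import Counter

# Ciphertext and compressed data sit near 8.0 bits/byte; natural text sits around 4-5.
# The cut-off is an assumption chosen for this example.
ENTROPY_THRESHOLD = 7.5

# Constructed sensitive-content patterns used to classify plaintext files.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return the sorted set of pattern labels found in a plaintext document."""
    hits = set()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "card_number" and not luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                continue
            hits.add(label)
    return sorted(hits)


def classify_file(path: str) -> dict:
    """Decide whether a file looks encrypted; if not, report sensitive content in it."""
    with open(path, "rb") as fh:
        data = fh.read()
    ent = shannon_entropy(data)
    result = {"entropy": round(ent, 2), "likely_encrypted": ent >= ENTROPY_THRESHOLD, "findings": []}
    if not result["likely_encrypted"]:
        result["findings"] = find_sensitive(data.decode("utf-8", errors="replace"))
    return result


def scan_tree(root: str) -> dict:
    """Map each file under root (relative path) to its classification."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = classify_file(full)
    return report


def build_sample_tree() -> str:
    """Create a constructed transfer share: one encrypted-looking blob, one plaintext export."""
    root = tempfile.mkdtemp(prefix="discovery-")
    os.makedirs(os.path.join(root, "transfers"))
    with open(os.path.join(root, "transfers", "batch-01.bin"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for a file that was encrypted before transfer
    with open(os.path.join(root, "transfers", "applications.csv"), "w", encoding="utf-8") as fh:
        fh.write("name,email,card\n")
        fh.write("J. Doe,jdoe@example.com,4111 1111 1111 1111\n")  # Luhn-valid test PAN
        fh.write("A. Roe,aroe@example.com,order-20240501\n")
    return root


if __name__ == "__main__":
    for rel, info in sorted(scan_tree(build_sample_tree()).items()):
        state = "encrypted?" if info["likely_encrypted"] else "PLAINTEXT"
        print(f"{rel:<32} {info['entropy']:>5} bits/B  {state}  {', '.join(info['findings'])}")
```

The entropy gate is deliberately coarse: it cannot tell ciphertext from a ZIP archive, so in a real deployment a high-entropy file would be checked for known container headers before being trusted as encrypted, and the plaintext branch would carry the organization’s own classification rules rather than two regular expressions.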
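The audit just described can be expressed as a comparison between what each third-party account has actually been granted and what its contract requires, plus a check for accounts that are privileged or have gone quiet. The Python below is an added example, not the article’s or Safetica’s code; the inventory, the vendor names, the contract scopes, and the 90-day dormancy window are constructed assumptions.

```python
"""Least-privilege audit of third-party accounts (added example, stdlib only)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VendorAccount:
    vendor: str
    account: str
    role: str
    scopes: set
    last_used_days: Optional[int]  # days since last successful sign-in; None if never


# Hypothetical need-to-have scopes per vendor, as written in each statement of work.
CONTRACT_SCOPES = {
    "helpdesk-vendor": {"tickets:read", "tickets:write"},
    "payroll-saas": {"hr:read"},
    "backup-provider": {"storage:read", "storage:write"},
}

# Constructed inventory export of accounts held by outside parties.
INVENTORY = [
    VendorAccount("helpdesk-vendor", "svc-helpdesk", "admin",
                  {"tickets:read", "tickets:write", "users:write", "db:export"}, 3),
    VendorAccount("payroll-saas", "svc-payroll", "user", {"hr:read"}, 12),
    VendorAccount("backup-provider", "svc-backup", "user",
                  {"storage:read", "storage:write", "hr:read"}, 140),
    VendorAccount("former-contractor", "svc-legacy", "admin", {"db:export"}, None),
]

DORMANT_AFTER_DAYS = 90            # assumption: unused this long means it should be revoked
PRIVILEGED_ROLES = {"admin", "owner"}


def audit_third_party_access(inventory, contracts):
    """Return (account, finding_kind, recommendation) tuples for every gap found."""
    findings = []
    for acct in inventory:
        needed = contracts.get(acct.vendor)
        if needed is None:
            # No contract on file: every scope is excess, and the account itself is the finding.
            findings.append((acct.account, "no_contract",
                             "vendor has no active contract; remove the account"))
            needed = set()

        excess = acct.scopes - needed
        if excess:
            findings.append((acct.account, "excess_scopes",
                             "remove " + ", ".join(sorted(excess))))

        if acct.role in PRIVILEGED_ROLES:
            findings.append((acct.account, "privileged_role",
                             f"role '{acct.role}' is not required by the contract"))

        if acct.last_used_days is None or acct.last_used_days > DORMANT_AFTER_DAYS:
            when = "never" if acct.last_used_days is None else f"{acct.last_used_days} days ago"
            findings.append((acct.account, "dormant", f"last used {when}; disable pending review"))
    return findings


if __name__ == "__main__":
    for account, kind, advice in audit_third_party_access(INVENTORY, CONTRACT_SCOPES):
        print(f"{account:<14} {kind:<16} {advice}")
```

Run against a real identity inventory, the same four checks give a reviewable list of who holds more than the engagement requires, which is exactly the evidence needed to push back on a support vendor that asked for a standing admin role.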
Visibility is crucial for comprehensive data protection
When it comes to data security and discovery, knowing where to look is just as important as knowing how to look. The above points are extremely common but also completely addressable.
“Improving visibility over un-owned channels requires the right mix of technology, policy, and continuous employee education,” says Sopuch. “Solutions such as Data Loss Prevention (DLP), and cloud-based or virtual workspaces help separate personal and business environments, keeping corporate data protected even on employee-owned or third-party systems. Combined with user awareness, ongoing monitoring, and clear governance, these measures provide both security and convenience, ensuring visibility without limiting productivity.”
Zbynek Sopuch, CTO at Safetica
By ensuring you have a plan to bring visibility into shadow IT, multiple devices, and third-party risks, you can take steps toward making your data loss prevention (DLP) and data security strategy more foolproof.
How to obtain that visibility is another matter. You could opt for multiple tools that add complexity, or a single tool such as Safetica’s comprehensive data discovery and classification solution. However, Sopuch recommends treating visibility over un-owned channels as a strategic matter rather than as something to avoid as much as possible.
“Instead of resisting this trend, organizations should focus on making secure operations just as convenient,” he says. “Cloud services, web-based applications, and thin or virtual clients enable users to work safely from any device while keeping corporate data within managed and controlled environments.”
Zbynek Sopuch, CTO at Safetica
Whatever you do, it’s important to understand that full security goes beyond active threat detection and extends to obtaining visibility into your data, wherever that data is.