Will GDPR make Shadow IT your worst nightmare?

Romy Hughes, director at Brightman, takes a look at how GDPR is forcing organisations to take the security of Shadow IT seriously

‘Shadow IT’ – or the unauthorised use of applications or services that employees use without the knowledge or approval of their company’s IT department – has always been a thorn in the side of organisations that struggle to keep control of their data. You can’t budget for it, you can’t support it, it stifles productivity because not everyone is working from the same page, and it’s a cybersecurity risk. But, up until now, it has never been a compliance issue as well.

But all that’s about to change. On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect across the EU and completely overhaul how organisations handle and store their data. The new law will introduce new rights for people to access the information that organisations hold about them, impose obligations for better data management and provide a new regime of fines for non-compliance.

These fines are set at up to €20m or 4% of annual global turnover – whichever is higher.

By introducing such hefty fines for a data breach, the GDPR has helped Shadow IT graduate from being a mere nuisance to a potentially company-destroying issue. Every organisation that takes its GDPR obligations seriously must therefore include an investigation into its Shadow IT as part of its preparations. Those who choose to ignore Shadow IT are simply not compliant with the GDPR.


Why does GDPR put Shadow IT under the spotlight?

The connection to the GDPR comes when Shadow IT introduces “unregistered data sources” to the organisation, i.e. data that is unknown to the Data Controller (the person legally responsible for the control, storage and use of personal information held on IT systems). Almost every type of IT, whether it be a piece of software or a device, stores or manipulates data in some way. At its most basic level, how can the organisation honour a customer’s request to delete personal data if it is unaware that one of its account managers has a copy of that customer’s file in an app on his iPad?


Shadow IT, what Shadow IT?

So you don’t think you have any Shadow IT in your organisation? Think again. A 2014 study (The Hidden Truth Behind Shadow IT) conducted by Stratecast and Frost & Sullivan found that 80% of employees admit to using non-approved applications in their daily working lives, usually through the Software-as-a-Service model.

Most software today is delivered via the cloud. Think of Salesforce, Slack, Dropbox etc., even Microsoft Office is now primarily purchased on a subscription model. All of this software can be procured by anyone with a credit card. Can the IT department confidently say that it knows about all instances of this software? If Amy from Marketing decides she wants to give Slack a go, she doesn’t need IT’s approval to do so. She just does it.

Perhaps you’re one of the few organisations that is 100% confident in its procurement procedures, and you know that no piece of software can be installed without IT’s knowledge or consent. Good for you, that’s quite a feat. But can you say the same thing for any devices that might be connected to your network? Is every iPad and smartphone connected to your wifi vetted and managed by IT?


Thinking about pulling the plug on Shadow IT?

Finding all the instances of Shadow IT is only the first step in addressing the problem. The challenge we are finding is that most instances of Shadow IT are not peripheral, incidental pieces of software – they actually run the organisation. Using one recent customer as an example, we found that 33% of its business-critical functions ran on non-core IT systems. Since the Data Controller cannot just turn these systems off in its pursuit of GDPR compliance, plans must be made to manage the data in these systems instead.


Evolve to survive: configuration management is your friend

Once the Data Controller has found and documented all of the customer data residing in Shadow IT, it is no longer Shadow IT. Hooray. But the challenge then is about maintaining an accurate view of all non-core IT systems, since new instances of Shadow IT (and thus unregistered data sources) can pop up at any time. This is where a proactive, cooperative and ongoing approach to Configuration Management must become part of the overall GDPR solution.
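An added example (not from the article or from Brightman) of the ongoing reconciliation this paragraph calls for: it checks constructed web-proxy log lines against a constructed register of approved services and drafts register entries for any service that is receiving uploads but is unknown to the Data Controller. The log format, the register layout and the hostnames are assumptions.

```python
import re
from collections import defaultdict

# Constructed register of approved ("core") services and the personal-data
# categories each is known to hold; in practice this would be the
# configuration management database (assumption).
APPROVED_SERVICES = {
    "salesforce.com": {"owner": "Sales", "personal_data": ["customer contact"]},
    "office.com": {"owner": "IT", "personal_data": ["employee", "customer"]},
}

# Constructed proxy log lines: timestamp user method host bytes_out.
PROXY_LOG = """\
2018-04-02T09:12:01 amy.marketing POST slack.com 48211
2018-04-02T09:15:44 amy.marketing POST slack.com 1201
2018-04-02T10:03:19 bob.sales GET salesforce.com 912
2018-04-02T10:40:07 carl.accounts POST dropbox.com 5120033
2018-04-02T11:02:50 bob.sales POST dropbox.com 2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST|PUT) (?P<host>\S+) (?P<bytes>\d+)$")

def find_unregistered_sources(log_text, approved):
    """Map host -> {"users": set, "bytes_out": int} for every service that
    receives uploads (POST/PUT) and is absent from the register. Uploads are
    what turn a service into an unregistered data source; reads are ignored."""
    seen = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        host = m.group("host").lower()
        if host in approved or m.group("method") == "GET":
            continue
        seen[host]["users"].add(m.group("user"))
        seen[host]["bytes_out"] += int(m.group("bytes"))
    return dict(seen)

def register_entries(unregistered):
    """Draft register entries for the Data Controller to review: each needs an
    owner and a data classification before the service stops being Shadow IT."""
    return [{"service": h, "owner": "UNKNOWN", "users": sorted(v["users"]),
             "bytes_out": v["bytes_out"], "personal_data": "TO BE CLASSIFIED"}
            for h, v in sorted(unregistered.items())]

if __name__ == "__main__":
    for entry in register_entries(find_unregistered_sources(PROXY_LOG, APPROVED_SERVICES)):
        print(entry)
```

Run on a daily basis, the diff between successive outputs is the list of newly appeared unregistered data sources the paragraph warns about.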

Traditional Configuration Management is about IT taking ownership of its domain. But this gatekeeper approach is what leads to Shadow IT in the first place. If it takes IT six weeks to provide a new employee with Microsoft Office, what is stopping a departmental head from simply putting it on the credit card? The bottom line is that if employees are using Shadow IT such as Dropbox, Google Apps, Apple iCloud etc. for business-critical tasks, it is because the cloud services and applications the organisation provides are not meeting their day-to-day needs fast enough. Getting those tools approved and installed through the official route is just too slow or difficult.

We therefore suggest that IT takes advantage of the situation and works more closely with business leaders to become an enabler. IT departments should carry out a comprehensive survey and then make informed choices about which services to promote or enable. Standardising processes and licences not only improves collaboration but also cuts costs, and if employees discover applications or services that make their jobs easier, that make them more efficient at selling or running a supply chain, then everyone’s a winner.

While this approach is not a simple or quick solution, this strategy is vital to addressing the root cause of Shadow IT – why does it exist in the first place? GDPR should be seen as an opportunity, not a challenge, and its imminent arrival should act as a welcome catalyst to taking decisive action. Anything that changes the way your company thinks about data and the cloud and starts moving it into the future has got to be a good thing.