
GDPR overexposes shadow IT

GDPR and shadow IT

Cloud computing paves the way for shadow IT

Shadow IT is described as IT solutions used within a company without organizational approval. It’s the IT activity that takes place in the shadows without the usual security and control requirements on data placed under the responsibility of the company.

Shadow IT predates the cloud: employees have long downloaded and installed their own software to get tasks done. Since cloud solutions are easy to consume (often starting with a freemium account) and easy to use, the potential lack of control is astounding. Symantec states that “organizations use 20 times more cloud apps than they think.”[1] Corporate IT security professionals estimate they have 30 to 40 apps in the cloud, when the reality is a staggering 928 apps.

Shadow IT does not meet security requirements

The main reasons shadow IT emerged were usability and price. Security is still not considered by end users and is often seen as a constraint. As a consequence, “only 8.1% of cloud services meet enterprise security and compliance requirements,”[2] states a recent Skyhigh networks report.

Shadow IT: the digital workplace and CCPs

In addition to the digital workplace, shadow IT also relies on Content Collaboration Platforms (CCP) as defined by Gartner in a recent Magic Quadrant report. “Of the 1,427 cloud services used by the average company, 342 are related to collaboration, file sharing, content sharing”[2] (Skyhigh networks report). In addition, “25% of all files shared in the cloud are broadly shared”[1] (Symantec). Symantec also finds that this shared data includes personal data: “3% of those shared files contains current compliance related data (PCI, PII, PHI)”[1].

The digital workplace in a GDPR perspective

The European Union’s new GDPR (General Data Protection Regulation) is a game-changing regulation that will bring a new focus to shadow IT for any company doing business in Europe. When the rules take effect in May 2018, the GDPR will require:

  • A focus on shared data, not only broadly shared data
  • A focus on all personal data (anything that identifies someone), not just PCI, PII, or PHI
  • Reports of personal data leaks within 72 hours
  • A stronger assessment and monitoring of the conditions of data transfer between entities and across boundaries
  • More rigorous sanctions that can impact a company’s reputation and bottom line:
    • A GDPR violation can generate a penalty up to 4% of the global revenue of the companies involved in the data processing
    • This is on top of any damages done to individuals
    • A company’s image or brand can be severely damaged

What to do now?

No one can stop the move to GDPR. It’s time to standardize existing EFSS (Enterprise File Sync and Share) solutions into one that:

  • Offers GDPR-aware features (privacy by design)
  • Provides the company DPO (Data Protection Officer) with the necessary control of all data, including location of data
  • Provides the user’s expected features and usability, securely, protecting them and their organization
  • Delivers expected IT security features, like granular group-based policies, remote wipe and others that protect the user, while also giving users the freedom they require to do their jobs

Besides GDPR compliance, there are other immediate rewards to standardizing on an industry-leading, secure solution, such as reduced costs and easier collaboration for all employees.

GDPR is coming, and it’s coming fast. If your organization is guilty of a lot of shadow IT, take the time to get your IT business in order. Your company’s image, revenue, and data will thank you.

[1] Symantec, 2H 2016 Shadow Data Report

[2] Skyhigh networks, Cloud Adoption Risk Report Q4 2016