Articles

How To Keep Shadow IT From Costing You In The GDPR Era

By ISBuzz Team, November 15, 2018 (updated December 4, 2024), 5 Mins Read

Shadow IT — the use of IT systems within an organization without the knowledge or approval of corporate IT — has long been an issue for businesses across industries. From risking the unauthorized leaking of proprietary information to exposing unintended attack vectors to hackers, shadow IT can subvert the efforts of an IT department to keep a company’s systems secure.

Now, with the newly imposed regulations of the General Data Protection Regulation (GDPR) and more legislation on the horizon, the fallout of uncontrolled shadow IT poses an even greater risk — fines of up to four percent of a business’s revenue as the penalty for even a single infraction. Now, more than ever, it is imperative to understand how ‘unapproved software’ impacts your organization. Such software can range from the benign use of a personal Gmail account to heavy usage of efficiency platforms such as Trello or Asana.

While these tools might boost employee productivity and improve overall team communication, their unauthorized use is problematic. Businesses today need to balance the constraints of enabling employees to perform their best while complying with regulations. Using a SaaS platform requires clarity into how data is stored and processed to ensure it meets the strict guidelines set forth by GDPR. When it comes to controlling shadow IT, here are four steps any business can take to make sure that shadow IT doesn’t drag business down:

  1. Putting Process in Place

The first step in taking control of your IT is to promote standardization. Regardless of whether or not GDPR requires your company to assign a data privacy officer (DPO), having an established chain of command — an entity or hierarchy from which all decisions on IT emanate — is what keeps responsibility for necessary changes clear and ensures they take place efficiently. Shadow IT often arises from a company’s inability to provide employees with the tools they need, when they need them. Whether DPO, CIO or otherwise, a person dedicated to a leadership position will work to discern current practices, establish effective guidelines, implement necessary tools and perform enforcement measures moving forward.

  2. Shine a Light on Shadow IT

The next step is to perform a full audit of all technology being used by your employees, which may take more than simply asking. Examine network traffic and identify any external tools that employees may be using without consent. In this modern era of cloud-based SaaS, employees may not even realize that the tools they are using are a threat. This is not, however, an attempt on your part to discipline employees for using external tools, but rather to identify what tools are being used and why. Shadow IT most often exists to fill in the gaps where authorized tools fail to provide needed functionality.

If employees are relying on Dropbox, for example, you may need to identify an enterprise file sharing solution (EFSS) that meets your needs and implement it companywide. Your job here is to assist your employees in performing their duties, and that may come first and foremost by observing their current methods, rather than simply imposing top-down restrictions and forcing them to use tools that fail to meet their needs.
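As an added illustration of the traffic audit described above (example code written for this article, not the page’s or any vendor’s tool), the following Python script builds a shadow-IT inventory from constructed proxy log lines: which catalogued SaaS services appear, who uses them and how heavily, and which are not on the approved list. The log format, the service catalogue and the approved list are all assumptions.

```python
import re
from collections import defaultdict
# Constructed proxy log lines (assumed format: timestamp, user, destination host, bytes sent).
PROXY_LOG = """\
2018-11-12T09:01:14Z alice files.dropbox.com 482113
2018-11-12T09:02:30Z bob mail.google.com 2210
2018-11-12T09:05:02Z alice trello.com 1743
2018-11-12T09:07:45Z carol app.asana.com 9120
2018-11-12T09:08:01Z dave sharepoint.corp.example 55102
2018-11-12T09:11:19Z bob files.dropbox.com 901233
2018-11-12T09:12:44Z erin malformed line here
"""
# Catalogue of SaaS services and the host suffixes they use (assumed, not exhaustive).
SAAS_CATALOGUE = {
    "Dropbox": ("dropbox.com",),
    "Gmail (personal)": ("mail.google.com",),
    "Trello": ("trello.com",),
    "Asana": ("asana.com",),
    "SharePoint (approved EFSS)": ("sharepoint.corp.example",),
}
APPROVED = {"SharePoint (approved EFSS)"}          # the company-sanctioned tools
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def classify_host(host):
    """Map a destination host to a catalogue service name, or None if unknown."""
    for service, suffixes in SAAS_CATALOGUE.items():
        # exact match or a proper subdomain; "notdropbox.com" must not match
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return service
    return None

def inventory(log_text):
    """service -> {users, requests, bytes, approved}: who uses what, and how much."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # skip unparseable lines instead of aborting the audit
            continue
        _, user, host, nbytes = m.groups()
        service = classify_host(host)
        if service is None:            # not a catalogued SaaS host; ignore
            continue
        entry = report[service]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += int(nbytes)
    return {s: dict(e, approved=s in APPROVED) for s, e in report.items()}

def unapproved_services(report):
    """Catalogued services seen in traffic but not approved, heaviest data volume first."""
    return sorted((s for s, e in report.items() if not e["approved"]),
                  key=lambda s: (-report[s]["bytes"], s))
```

The per-service user sets are the starting point for the conversation the article recommends: ask those users why they reached for the tool before deciding what sanctioned alternative to roll out.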

  3. Set Standards

Once you have properly assessed your employees’ needs and taken a full inventory of current practices, you need to make some decisions. As we noted, shadow IT arises out of need, and once those needs are identified, they need to be met with standardized, company-provided solutions. In choosing these solutions, you should strive for a balance of privacy and operational tools, but don’t make it too complicated. If your tool set is too confusing for the end user, mistakes will be made and you may find yourself in violation of GDPR guidelines. In this post-GDPR era, enterprise organizations must make an overarching decision to restrict personal information and employ solutions that offer mechanisms for controlling information sharing. One simple step you can take in choosing tools is to ensure that they are themselves GDPR compliant.

  4. Educate, Enforce and Empower

Finally, proper training is key in the GDPR era. Employees need to be made aware of the implications of these new regulations and what they mean for their workplace practices. Employees will handle information more carefully if they understand the implications of doing otherwise. Beyond education, however, enforcement is also necessary. This means that employees require clarity around IT sidestepping: what exactly counts as unauthorized use, and how to go about requesting the solutions they want to use.

Long-standing No More

Shadow IT is no longer simply a security risk, but also one that can bring about severe financial repercussions to your business. With the strict regulations of GDPR, unapproved software and ill-informed users can damage your bottom line. To tackle this issue once and for all, now is the time to implement workplace guidelines that focus on the important threats while educating employees about their responsibilities to the bigger picture.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
