Think unauthorized use of SaaS applications in your SME is harmless? In light of GDPR, Shadow IT could potentially cost your company up to $22 million or 4% of annual global turnover. Learn more about the potential risks here.
We recently wrote about the four main SaaS security issues in 2020. In the article, we referenced the explosion in SaaS adoption and noted the inherent challenge for cybersecurity professionals in keeping up with this growth.
The growth of these SaaS security issues directly correlates with the increase of “Shadow IT,” i.e., software applications used within organizations without explicit organizational approval. If you don’t know something exists in the first place, it’s impossible to monitor the security risks involved.
You might be thinking, how bad an issue can Shadow IT really be? Research from the Everest Group found that a whopping 50% of technology spend lurks in the shadows. This figure means that the average SME IT department is entirely in the dark about half of the technology in use. Consider this: corporate IT security professionals estimate they have 30 to 40 apps in the cloud when the reality is a staggering 928 apps.
When a negligent practice becomes incredibly widespread, it can be easy to dismiss it as harmless at best and a nuisance at worst. However, you can no longer take this viewpoint. The fundamental problem is that data is processed through these SaaS applications, and you have no oversight as to what this data is and whether these channels are secure or not.
With GDPR in Europe and similar legislation commonplace across the globe, companies must now, more than ever, put an end to shadow IT or risk the consequences of being heavily penalized by these laws.
The Risks of Shadow IT
The result of Shadow IT is that there are more potential security gaps and endpoint vulnerabilities for hackers and cybercriminals to exploit than ever before. According to Gartner, a third of successful attacks experienced by enterprises will soon be on their Shadow IT resources.
The challenge is that the scale of Shadow IT within organizations is immense. A study from IBM found that one-third of employees at Fortune 1000 companies regularly use SaaS apps that have no explicit approval from their internal IT departments.
For example, employees might place a client file on their personal Google Drive to work on it over the weekend. Their own personal Gmail account might not have the same level of security settings as other approved apps. If a security breach occurs, your IT team won’t be aware of the full potential scope of the threat, leaving the company unsure of what data is compromised and when it happened.
This anecdote becomes even more problematic when you look at an event like this from a compliance perspective.
The Implications of GDPR
The connection to GDPR comes when shadow IT introduces “unregistered data sources” to the business, as illustrated by the above example. Almost every SaaS application, whether it be a mobile CRM app or a project management tool, stores or manipulates data in some way.
It’s likely that if the IT department doesn’t know about this data, then the Data Controller won’t either. If the Data Controller doesn’t know about this data, then it is not meeting its GDPR obligations. How can a business honor a customer’s request to delete all of their data if it is unaware that one of its Account Managers has a copy of that customer’s file on his personal Google Drive?
If a data breach were to occur due to a blunder like this, it could potentially cost your company up to $22 million or 4% of annual global turnover. As a result, you need to think about the processes and procedures you can put in place to guarantee SaaS data protection and compliance.
Closing Thoughts on SaaS Shadow IT
Only 28 percent of IT leaders use some kind of SaaS management tool to get the visibility into shadow IT that is necessary to adequately protect their data and systems. This lack of visibility is problematic for a number of reasons.
Beyond the obvious risks to your organization, regulatory compliance is critical these days. There are lots of standards that organizations have to comply with, from Software Asset Management (SAM) to the General Data Protection Regulation (GDPR). This is especially true for regulated businesses, where the use of shadow IT can lead to large fines for violating compliance requirements.
Before you bring these applications out of the shadows, you need to figure out how to detect these unapproved SaaS solutions running within your corporate network. If you want to learn about this process, get in touch with us today.
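As an added illustration of the visibility problem described above (this is example code, not part of the original article or any vendor tool): the function below reads constructed web-proxy log lines, skips hosts on a hypothetical sanctioned-app inventory, and reports which catalogued SaaS services are in use without approval and by whom. The log format, the sanctioned list and the small SaaS catalogue are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic): timestamp, user, URL.
SAMPLE_LOG = """\
2020-06-01T09:12:04Z alice https://drive.google.com/drive/my-drive
2020-06-01T09:13:41Z bob https://app.example-crm.test/contacts/export
2020-06-01T09:15:02Z alice https://mail.google.com/mail/u/0/
2020-06-01T09:20:17Z carol https://www.dropbox.com/home
2020-06-01T09:22:55Z bob https://www.dropbox.com/upload
2020-06-01T09:30:00Z dave https://intranet.corp.example/wiki
"""

# Hypothetical sanctioned-SaaS inventory: hosts the IT department has approved.
SANCTIONED_DOMAINS = {"intranet.corp.example", "app.example-crm.test"}

# Hypothetical catalogue of SaaS services worth flagging; real tools use far larger lists.
SAAS_CATALOG = {"google.com": "Google Workspace", "dropbox.com": "Dropbox"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the catalogue above."""
    return ".".join(host.split(".")[-2:])

def find_shadow_saas(log_text, sanctioned=SANCTIONED_DOMAINS, catalog=SAAS_CATALOG):
    """Return {service: {user, ...}} for catalogued SaaS not on the sanctioned list."""
    shadow = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: ignore rather than crash the report
        _, user, url = m.groups()
        host = urlsplit(url).hostname or ""
        if host in sanctioned:
            continue
        service = catalog.get(registrable_domain(host))
        if service:
            shadow[service].add(user)
    return dict(shadow)

if __name__ == "__main__":
    for service, users in sorted(find_shadow_saas(SAMPLE_LOG).items()):
        print(f"{service}: {len(users)} user(s): {', '.join(sorted(users))}")
```

Each flagged service is an unregistered data source in the GDPR sense, so the output doubles as the starting point for a data-inventory review, not just a blocklist.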
Want to learn more? Check out our SaaS Security eBook.