SaaS and compliance: The role of shadow IT and GDPR
Think unauthorized use of SaaS applications in your SME is harmless? In light of GDPR, Shadow IT could potentially cost your company up to $22 million or 4% of annual global turnover. Learn more about the potential risks here.
We recently wrote about the four main SaaS security issues in 2020. In the article, we referenced the explosion in SaaS adoption and noted the inherent challenge for cybersecurity professionals in keeping up with this growth.
The growth of these SaaS security issues directly correlates with the increase of “Shadow IT,” i.e., software applications used within organizations without explicit organizational approval. If you don’t know something exists in the first place, it’s impossible to monitor the security risks involved.
When a negligent practice becomes incredibly widespread, it can be easy to dismiss it as harmless at best and a nuisance at worst. However, you can no longer take this viewpoint. The fundamental problem is that data is processed through these SaaS applications, and you have no oversight as to what this data is and whether these channels are secure or not.
With GDPR in Europe and similar legislation commonplace across the globe, companies must now, more than ever, put an end to shadow IT or risk the consequences of being heavily penalized by these laws.
The challenge is that the scale of Shadow IT within organizations is immense. A study from IBM found that one-third of employees at Fortune 1000 companies regularly use SaaS apps that have no explicit approval from their internal IT departments.
For example, employees might place a client file on their personal Google Drive to work on it over the weekend. Their own personal Gmail account might not have the same level of security settings as other approved apps. If a security breach occurs, your IT team won’t be aware of the full potential scope of the threat, leaving the company unsure of what data is compromised and when it happened.
This anecdote becomes even more problematic when you look at an event like this from a compliance perspective.
The Implications of GDPR
The connection to GDPR comes when shadow IT introduces “unregistered data sources” to the business, as illustrated by the above example. Almost every SaaS application, whether it be a mobile CRM app or a project management tool stores or manipulates data in some way.
It’s likely that if the IT department doesn’t know about this data, then the Data Controller won’t either. If the data controller doesn’t know about this data, then it is not meeting its GDPR obligations. How can a business honor a customer request to delete all its data if it is unaware that one of its Account Managers has a copy of his file on his Google Drive?
If a data breach were to occur due to a blunder like this, it could potentially cost your company up to $22 million or 4% of annual global turnover. As you a result, you need to think about the processes and procedures you can put in place to guarantee SaaS data protection and compliance.
Closing Thoughts on SaaS Shadow IT
Only 28 percent of IT leaders are using some kind of SaaS management tool to get the kind of visibility into shadow IT that’s necessary to adequately protect their data and systems. This lack of visibility is problematic for a number of reasons.
Beyond the obvious risks to your organization, regulatory compliance is critical these days. There are lots of standards that organizations have to comply with, from Software Asset Management (SAM) to the General Data Protection Regulation (GDPR). This is especially true for regulated businesses, where the use of shadow IT can lead to large fines for violating compliance requirements.
Before you bring these applications out of the shadows, you need to figure out how to detect these unapproved SaaS solutions running within your corporate network. If you want to learn about this process, get in touch with us today.
As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.