SaaS and compliance: The role of shadow IT and GDPR

Think unauthorized use of SaaS applications in your SME is harmless? Under the GDPR, shadow IT could expose your company to fines of up to €20 million (roughly $22 million) or 4% of annual global turnover, whichever is higher. Learn more about the potential risks here.


We recently wrote about the four main SaaS security issues in 2020. In the article, we referenced the explosion in SaaS adoption and noted the inherent challenge for cybersecurity professionals in keeping up with this growth.

The growth of these SaaS security issues correlates directly with the rise of “shadow IT,” i.e., software and services used within an organization without explicit approval from the IT department. If you don’t know something exists in the first place, you cannot assess, monitor, or reduce the security risk it carries.

You might be thinking, how bad an issue can shadow IT really be? Research from the Everest Group found that roughly 50% of technology spend sits outside IT’s view, which means the average IT department is in the dark about half of the technology in use. Consider this: corporate IT security professionals estimate they have 30 to 40 apps in the cloud, when the reality is closer to 928.

When a negligent practice becomes this widespread, it is easy to dismiss it as harmless at best and a nuisance at worst. That viewpoint is no longer tenable. The fundamental problem is that personal and customer data flows through these SaaS applications, and you have no oversight of what that data is, where it is stored, or whether those channels are secure.

With the GDPR in Europe and similar legislation now commonplace across the globe, companies must, more than ever, bring shadow IT under control or risk heavy penalties under these laws.


The Risks of Shadow IT

The result of shadow IT is that there are more potential security gaps and unmanaged endpoints for attackers to exploit than ever before. Gartner predicted that a third of successful attacks experienced by enterprises would soon be on their shadow IT resources.

The challenge is that the scale of shadow IT within organizations is immense. A study from IBM found that one-third of employees at Fortune 1000 companies regularly use SaaS apps that have no explicit approval from their internal IT departments.

For example, an employee might copy a client file to their personal Google Drive to work on it over the weekend. That personal Google account sits outside the company’s admin console: IT cannot enforce MFA on it, apply data-loss-prevention rules, revoke access when the employee leaves, or read its audit logs. If that account is compromised, your IT team won’t even know the data was there, leaving the company unable to say what was exposed or when it happened.

This anecdote becomes even more problematic when you look at an event like this from a compliance perspective.


The Implications of GDPR

The connection to the GDPR arises because shadow IT introduces data sources the business has never registered, as the example above illustrates. Almost every SaaS application, whether a mobile CRM app or a project management tool, stores or processes personal data in some way, and processing the organization does not know about cannot appear in its Article 30 record of processing activities.

If the IT department doesn’t know about this data, the people responsible for the company’s obligations as data controller (and its data protection officer, if it has one) won’t either, and a controller cannot meet its GDPR obligations for data it is unaware of. There is no data processing agreement with the unvetted SaaS provider, as Article 28 requires, and the data cannot be located to answer a subject access request. How can a business honor a customer’s request to erase all of their data if it does not know that one of its account managers keeps a copy of the customer’s file on his personal Google Drive?

If a data breach were to occur because of a blunder like this, the 72-hour breach-notification deadline in Article 33 would be running on data the company cannot even locate, and the fine could reach €20 million (roughly $22 million) or 4% of annual global turnover, whichever is higher. As a result, you need to think about the processes and procedures you can put in place to ensure SaaS data protection and compliance.


Closing Thoughts on SaaS Shadow IT

Only 28 percent of IT leaders use some kind of SaaS management tool to get the visibility into shadow IT that is necessary to adequately protect their data and systems. This lack of visibility is a problem for several reasons.

Beyond the obvious risks to your organization, regulatory compliance is critical. Organizations face a long list of obligations, from software licensing and asset management (SAM) to the General Data Protection Regulation (GDPR). This is especially true for regulated businesses, where shadow IT can lead to large fines for violating compliance requirements.

Before you can bring these applications out of the shadows, you need a way to detect the unapproved SaaS services already in use on your corporate network: inventory which SaaS domains your users actually reach (from proxy, DNS, or firewall logs, or from an endpoint agent) and compare that list against the applications IT has sanctioned. If you want to learn about this process, get in touch with us today.
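The discovery step described above, as an added illustration that is not part of the original article and not Augmentt’s product code: it reads web-proxy log lines, resolves each hostname against a small SaaS domain catalogue, and reports every catalogued app that is not on the approved list, with the users who reached it. The log format, the catalogue, the approved-app list, and the sample log lines are all constructed for this example.

```python
"""Shadow SaaS discovery from web-proxy logs (added example, constructed data)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed: a small catalogue mapping SaaS domains to app names. A real
# catalogue would be far larger; these entries are illustrative only.
SAAS_CATALOGUE = {
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "trello.com": "Trello",
    "salesforce.com": "Salesforce",
    "slack.com": "Slack",
}

# Assumed: the applications the IT department has sanctioned.
APPROVED_APPS = {"Salesforce", "Slack"}


def app_for_host(host, catalogue=SAAS_CATALOGUE):
    """Return the SaaS app for a hostname, matching parent domains too
    (e.g. 'www.dropbox.com' -> 'dropbox.com'); None if not catalogued."""
    labels = host.lower().rstrip(".").split(".")
    # Try the full host first, then successively shorter parent domains,
    # stopping before the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in catalogue:
            return catalogue[candidate]
    return None


def parse_line(line):
    """Parse one constructed 'timestamp user method url' proxy line.
    Returns (user, host) or None for malformed input."""
    parts = line.split()
    if len(parts) < 4:
        return None
    user, url = parts[1], parts[3]
    host = urlsplit(url).hostname
    return (user, host) if host else None


def discover_shadow_saas(lines, approved=APPROVED_APPS):
    """Return {app: {"users": set, "requests": int}} for every catalogued
    SaaS app seen in the logs that is NOT on the approved list."""
    findings = defaultdict(lambda: {"users": set(), "requests": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        app = app_for_host(host)
        if app is None or app in approved:
            continue
        findings[app]["users"].add(user)
        findings[app]["requests"] += 1
    return dict(findings)


# Constructed sample log: one malformed line is included to show it is skipped.
SAMPLE_LOG = """\
2020-06-01T09:12:03Z alice GET https://drive.google.com/drive/my-drive
2020-06-01T09:12:10Z alice PUT https://docs.google.com/document/d/abc/edit
2020-06-01T09:15:44Z bob GET https://www.dropbox.com/home
2020-06-01T09:20:01Z carol POST https://acme.my.salesforce.com/services/data
2020-06-01T09:21:30Z bob GET https://trello.com/b/123/board
2020-06-01T09:25:00Z dave GET https://app.slack.com/client
malformed line
""".splitlines()

if __name__ == "__main__":
    for app, info in sorted(discover_shadow_saas(SAMPLE_LOG).items()):
        print(f"{app}: {info['requests']} requests from {sorted(info['users'])}")
```

Two caveats a practitioner should keep in mind. First, the catalogue deliberately lists specific Google hostnames rather than all of google.com, so plain search traffic is not reported as Google Drive; whatever catalogue you use, its granularity decides your false-positive rate. Second, hostname-level logs cannot tell a corporate Google Workspace account from a personal one, which is exactly the case in the article’s example; closing that gap needs an identity-aware control, such as Google Workspace’s option to block sign-in to consumer accounts by having the proxy add the X-GoogApps-Allowed-Domains header, or an endpoint agent that sees the signed-in account.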


Want to learn more? Check out our SaaS Security eBook.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.