Data is a precious commodity for every organisation, but protecting it, particularly in the cloud, is complex and often difficult to achieve. The challenge is exacerbated by the fact that most organisations now use several cloud storage providers at once: our recent study found that 89 percent of organisations use between 1 and 15 private cloud storage providers and 92 percent use between 1 and 15 public cloud storage providers.
By spreading data across several cloud storage providers, both private and public, organisations diversify their portfolio of providers and reduce the impact of a service outage or a provider going out of business. But the more providers in the mix, the harder it becomes to keep full visibility of how each one is being used. Limited visibility in turn leads to data management errors and to shadow IT.
With IDC estimating that spending on cloud services will grow nearly five times faster than overall IT budgets, it’s absolutely vital that organisations take the necessary precautions to identify if shadow IT is occurring and then put the necessary processes, policies and monitoring mechanisms in place to reduce it.
What is shadow IT?
Shadow IT refers to systems and services adopted without the IT department's involvement: IT had no role in selecting or deploying them and may not even know which services or providers are in use. Our recent study found that 26 percent of global organisations are either 'not confident' or only 'somewhat confident' that their IT teams know about all the cloud storage providers being used. With figures like that, it's clear that shadow IT is widespread and can cause serious harm to an organisation.
What does EU GDPR have to do with shadow IT in the cloud?
Shadow IT in the cloud, and out of it, puts organisations at risk of a data breach, which can cause huge financial losses, legal repercussions, regulatory fines and reputational damage. Soon, however, the EU General Data Protection Regulation (GDPR) is going to up the ante even further.
The EU GDPR will require organisations to demonstrate that they have controls and procedures in place to protect personal data 'by design and by default', and that personal data is not retained for longer than necessary. It will also require many organisations (public authorities, and any organisation whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data) to appoint a Data Protection Officer (DPO). The DPO advises on risk, monitors compliance, acts as the contact point for data subjects and the supervisory authority, and is typically involved in handling access requests, reporting data breaches and shaping sound data security policies.
Data protection regulations already exist worldwide, such as Principle 8 of the UK Data Protection Act 1998, which states: "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." The EU GDPR's aim, however, is to unify the current European rules and to force organisations to take data protection seriously. Organisations that do not comply risk an administrative fine of up to €20 million or 4 percent of their global annual turnover, whichever is higher. Whilst this may seem harsh, anyone at Ashley Madison, TalkTalk or Yahoo will tell you that a data breach is much, much worse.
What is the solution?
Companies trying to protect themselves from data breaches caused by shadow IT should first identify where all of their data resides: in-house, in the data centre, or in the cloud. From there, organisations need to monitor whether, where and why shadow IT is occurring. It is crucial that the IT department takes an active role in identifying which cloud services are being used within the organisation, both legitimately and covertly, by employees working independently of IT. Proxy and DNS logs are the practical starting point here, since every upload to an unsanctioned provider leaves a trace there. A lot of this also boils down to the IT department taking responsibility for educating employees about the sorts of activity that put corporate data, and the business as a whole, at risk.
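The discovery step described above, as an added example that is not code from the original article: it aggregates web proxy traffic per cloud storage provider and reports every provider that is not on the organisation's approved list. The log layout, the provider-to-domain mapping and the sanctioned-provider set are all assumptions constructed for illustration; a real deployment would feed it a proxy export and its own approved list.

```python
"""
Shadow cloud-storage discovery from web proxy logs.

Added example, not from the original article. The log layout, the
provider-to-domain mapping and the sanctioned-provider list are all
assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample lines in a simplified "epoch client-ip method host bytes" layout.
SAMPLE_LOG = """\
1509456001 10.1.4.22 GET corp.sharepoint.com 18344
1509456005 10.1.4.22 PUT content.dropboxapi.com 5242880
1509456009 10.1.7.13 GET drive.google.com 2048
1509456012 10.1.7.13 POST www.googleapis.com 10485760
1509456020 10.1.9.40 GET mail.example.com 512
this line is malformed and must not crash the report
1509456031 10.1.4.22 POST content.dropboxapi.com 7340032
1509456040 10.1.9.40 PUT api.box.com 1048576
"""

# Hypothetical provider -> domain suffixes. Matching is on whole labels
# (exact host or ".suffix"), so "evil-dropbox.com" does not match "dropbox.com".
# Broad suffixes such as googleapis.com also cover non-storage APIs; a
# production list would be more specific.
CLOUD_STORAGE_DOMAINS = {
    "Dropbox": ("dropbox.com", "dropboxapi.com"),
    "Google Drive": ("drive.google.com", "googleapis.com"),
    "Box": ("box.com",),
    "SharePoint": ("sharepoint.com",),
}
SANCTIONED = {"SharePoint"}          # providers IT has approved (assumed)
UPLOAD_METHODS = {"PUT", "POST"}     # methods that imply data leaving the network

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d+)$")


def classify_host(host):
    """Return the provider a host belongs to, or None if it is not cloud storage."""
    host = host.lower().rstrip(".")
    for provider, suffixes in CLOUD_STORAGE_DOMAINS.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return provider
    return None


def find_shadow_cloud(log_text, sanctioned=SANCTIONED):
    """Aggregate unsanctioned cloud-storage use per provider.

    Returns {provider: {"clients": set of client IPs,
                        "requests": int,
                        "upload_bytes": int}}.
    """
    findings = defaultdict(lambda: {"clients": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the whole report
        _ts, client, method, host, size = match.groups()
        provider = classify_host(host)
        if provider is None or provider in sanctioned:
            continue
        entry = findings[provider]
        entry["clients"].add(client)
        entry["requests"] += 1
        if method in UPLOAD_METHODS:
            entry["upload_bytes"] += int(size)
    return dict(findings)


def report(findings):
    """Render findings as text lines, largest upload volume first."""
    lines = []
    for provider, entry in sorted(findings.items(), key=lambda kv: -kv[1]["upload_bytes"]):
        lines.append("%s: %d request(s) from %d client(s), %.1f MiB uploaded (%s)" % (
            provider, entry["requests"], len(entry["clients"]),
            entry["upload_bytes"] / 1048576.0, ", ".join(sorted(entry["clients"]))))
    return lines


if __name__ == "__main__":
    for line in report(find_shadow_cloud(SAMPLE_LOG)):
        print(line)
```

Counting upload bytes separately from total requests matters: a single GET of a shared link is a policy question, while megabytes of PUTs to a provider IT has never heard of is exactly the shadow storage the article warns about, and is what the auditor should look at first.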
Organisations should also check whether employees are connecting their own WiFi access points to the office network. An unsecured or badly configured access point gives an attacker a route onto the corporate network from outside the building. It's also important to monitor the network for known and unknown devices, for example by comparing DHCP leases or ARP tables against the asset inventory. These are all common occurrences, but many organisations don't know they are happening because they never think to look.
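The unknown-device check described above, as an added example that is not code from the original article: it reads a simplified, one-line-per-lease version of a DHCP lease table, drops every device whose MAC is in the asset inventory, and flags the rest. Two extra signals are included: the locally administered bit in the MAC, which phones and laptops that randomise their address set (so they never match a vendor-assigned inventory entry), and a weak hostname heuristic for consumer routers. The lease lines, the inventory and the hint tokens are constructed assumptions.

```python
"""
Unknown-device review: compare a DHCP lease table against the asset inventory.

Added example, not from the original article. The lease lines, the inventory
and the hostname hints are constructed assumptions; the lease layout is a
simplified one-line-per-lease version of an ISC dhcpd leases file.
"""
import re

SAMPLE_LEASES = """\
lease 10.1.4.22 { hardware ethernet 00:1a:2b:3c:4d:5e; client-hostname "LAPTOP-FIN01"; }
lease 10.1.4.23 { hardware ethernet 3c:97:0e:11:22:33; client-hostname "TP-LINK_AP"; }
lease 10.1.4.24 { hardware ethernet 0a:45:ff:01:02:03; client-hostname "iPhone"; }
lease 10.1.4.25 { hardware ethernet 00:1A:2B:3C:4D:60; }
"""

# Hypothetical asset inventory keyed by MAC address (lower case).
KNOWN_ASSETS = {
    "00:1a:2b:3c:4d:5e": "LAPTOP-FIN01",
    "00:1a:2b:3c:4d:60": "PRINTER-3F",
}

# Hostname tokens that hint at a consumer router or access point. Weak heuristic,
# matched on whole tokens so that "LAPTOP" does not trigger on "AP".
AP_HINT_TOKENS = {"AP", "ROUTER", "WIFI", "HOTSPOT"}

LEASE_RE = re.compile(
    r'lease (\S+) \{ hardware ethernet ([0-9A-Fa-f:]{17});'
    r'(?: client-hostname "([^"]*)";)? \}'
)


def is_locally_administered(mac):
    """True if bit 1 of the first octet is set (IEEE locally administered address).

    Devices that randomise their MAC per network set this bit, so such an
    address will never be found in an inventory of vendor-assigned MACs.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def looks_like_access_point(hostname):
    """Whole-token match of the hostname against the (assumed) AP hint list."""
    tokens = set(re.split(r"[^A-Za-z0-9]+", hostname.upper()))
    return bool(tokens & AP_HINT_TOKENS)


def parse_leases(text):
    """Yield (ip, mac, hostname) tuples; mac is lower-cased, hostname "" when absent."""
    for line in text.splitlines():
        match = LEASE_RE.match(line.strip())
        if match:
            ip, mac, hostname = match.groups()
            yield ip, mac.lower(), hostname or ""


def review_leases(text, inventory=KNOWN_ASSETS):
    """Return findings for every leased device that is not in the inventory."""
    findings = []
    for ip, mac, hostname in parse_leases(text):
        if mac in inventory:
            continue
        flags = []
        if is_locally_administered(mac):
            flags.append("randomised-mac")
        if looks_like_access_point(hostname):
            flags.append("possible-access-point")
        findings.append({"ip": ip, "mac": mac, "hostname": hostname, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in review_leases(SAMPLE_LEASES):
        print("%(ip)s %(mac)s %(hostname)r %(flags)s" % finding)
```

MAC addresses are normalised to lower case before the lookup, because lease files and inventories rarely agree on case and a mismatch would silently turn a known printer into an "unknown device". A rogue access point that does NAT for its clients will only show up here as the access point itself, which is why the hostname hint is kept even though it is crude.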
In order to monitor and reduce the occurrence of shadow IT, it’s really important to establish guidelines for how data should be managed by cloud providers, conduct frequent and unscheduled audits of each cloud provider, and assess the security of data stored in the cloud – be it in a private, public or hybrid environment. Organisations must be diligent in knowing where their data is being stored, how it’s being protected and when it needs to be removed.
Following these steps, and complying with the rest of the measures set out in the EU GDPR, will go a long way towards protecting organisations from shadow IT, data breaches and a hefty fine once the EU GDPR applies from May 25, 2018.