With GDPR set to go into effect early next year, many companies are working hard to get into compliance. But how is shadow IT, where employees use non-approved applications and services to get their work done without consulting IT or management, likely to cause issues for your company? Thomas Owen, Head of Security at Memset, explores.

Shadow IT is the deployment and use of IT systems within an organisation (and often outside of its boundaries) in contravention of IT policy and without the knowledge of the teams responsible for corporate IT. ‘Shadow IT’ has been an industry buzzword for a few years now, growing out of the deperimeterisation of the corporate network and the acceptance of Cloud systems by early adopters within an organisation. Shadow IT has, quite rightly, been blamed for numerous breaches of security or compliance and is often the bane of many CIOs’ morning to-do lists. Organisations that lose control of their IT and critical data can find themselves at increased risk from attackers at any point on the threat actor triangle, and facing increasing fines from regulators.

So how is the EU’s General Data Protection Regulation, set to go live on May 25, 2018, likely to change this risk landscape? GDPR Article 25 makes reference to the ‘state of the art’ regarding technical security controls and mandates a 72-hour data breach notification requirement that will likely see organisations elevated to the regulator’s notice for even minor or suspected incidents. The greatest fines, up to 20 million euros or 4% of global turnover, will likely be reserved for those organisations that either fail to notify the regulator or commit egregious failings in technical security and procedural compliance. Shadow IT deployments, where employees could place critical personal data onto poorly protected, unmanaged machines or services outside of the view of the organisation’s audit and compliance processes, are perfect candidates for a large breach, notified late, from highly non-compliant services.


According to the Data Breach Investigations Report (DBIR) put together by Verizon Enterprise, 25% of the breaches they assessed globally involved an internal actor and ‘most of the incidents are still taking months and years to discover.’ If GDPR is breached due to the use of unmanaged and non-compliant shadow IT, some spectacular fines and PR damage are likely to be coming your way. Regardless of disciplinary outcomes internally, your business will still have taken a body-blow. Shadow IT is often characterised as the result of developers or operations personnel circumventing corporate policy, but it can more positively be described as ‘well-intentioned employees attempting to support business objectives despite poorly managed compliance processes.’ If salespeople are incentivised to hit their targets, operations to ensure a given system is performant and available, or developers to increase the rate of release of code, they will naturally seek the tooling that best supports their personal view of what needs to be done.

Shadow IT, particularly when already well established in an organisation, isn’t always attributable to a single person. Where the CFO himself uses a critical pricing spreadsheet that, unbeknown to IT, is hosted on a white box server in an arbitrary cupboard because the approved tools are out of date or difficult to use, doubling down on offenders or bringing out the Compliance Big Stick isn’t going to serve regulatory alignment, users or the business itself.

Much better to co-opt the most likely offenders, those technically savvy users who most aggressively seek out tools to support their specific goals, into a community within the organisation that drives improvement not only in IT systems and tools but in the governance, compliance and risk awareness of the business. GRC fails every time it does not intimately involve the most vocal users and early adopters, to the detriment of the business. Compliance with GDPR is no different, just with a bigger negative outcome at the end of a painful, public breach.

Target the causes of non-compliance, not the symptom: shadow IT stems from policy that is not aligned with the business and from weak internal tooling. While IT departments can restructure systems, tighten security, and re-tool permissions, they have more limited control over end users who ‘go rogue’ and set up their own cloud-based services and software solutions. If we accept that our employees are informed and well intentioned, shadow IT suddenly gets reframed as users who are attempting to execute on business objectives in the face of policy and internal IT that doesn’t support the mission. That’s a wider problem than policy compliance alone.

Obviously, if you’ve got a true motivated malicious insider on your hands, you’re highly likely to be included in next year’s breach statistics, whatever you do.

Inventory and systems discovery – Perform automated scans of less well-known network areas. Sit down with users from across the business and hierarchies to discover what tools they use. Are these known? Cloud-based? Used by others? What kind of data do they contain or require? This can then inform the basis for a truly comprehensive Privacy Impact Assessment, as well as giving the CIO grist for his budget planning mill.
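The discovery step above, turned into a reconciliation check. This is an added example and not code from the article or from Memset: it takes the hosts and services an automated scan (or an egress log review) turned up, compares them against the approved asset register, and ranks the unknowns for the shadow IT review and the Privacy Impact Assessment. The addresses, ranges, services and notes are all constructed sample data; the `PII_HINTS` keyword list is an assumed, deliberately crude way of tagging what the user interviews suggested a system holds.

```python
# Added example (not from the article): reconcile scan results against the
# approved asset register so that unknown systems surface for review.
# Every host, network, service and note below is constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Approved asset register as IT knows it (constructed)
APPROVED_ASSETS = {
    "10.0.1.10": {"owner": "IT", "role": "CRM database", "pii": True},
    "10.0.1.11": {"owner": "IT", "role": "mail gateway", "pii": True},
}

# Address ranges that IT is responsible for (constructed)
CORPORATE_RANGES = [ip_network("10.0.0.0/16")]

# Combined output of a scan of a "less well-known" segment and an egress log
# review, reduced to host, service and what interviews said it holds (constructed)
SCAN_RESULTS = [
    {"ip": "10.0.1.10", "service": "postgresql/5432"},
    {"ip": "10.0.7.23", "service": "smb/445", "note": "finance pricing share"},
    {"ip": "10.0.7.40", "service": "http/80"},
    {"ip": "203.0.113.5", "service": "https/443", "note": "file sync SaaS"},
]

# Assumed keywords that suggest a system stores personal or sensitive data
PII_HINTS = ("customer", "pricing", "hr", "payroll", "contact", "file sync")


@dataclass
class Finding:
    ip: str
    service: str
    location: str            # "corporate" (inside managed ranges) or "external"
    note: str = ""
    pii_suspected: bool = False


def is_corporate(ip: str) -> bool:
    """True when the address sits inside a range IT is responsible for."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def reconcile(scan, approved=APPROVED_ASSETS):
    """Return every scanned system missing from the register, ordered for review:
    suspected PII first, and among those, external (cloud) services first."""
    findings = []
    for entry in scan:
        ip = entry["ip"]
        if ip in approved:
            continue                      # known, managed asset: nothing to do
        note = entry.get("note", "")
        findings.append(Finding(
            ip=ip,
            service=entry["service"],
            location="corporate" if is_corporate(ip) else "external",
            note=note,
            pii_suspected=any(h in note.lower() for h in PII_HINTS),
        ))
    findings.sort(key=lambda f: (not f.pii_suspected, f.location != "external"))
    return findings


def pia_summary(findings):
    """Counts the Privacy Impact Assessment needs: unknown systems, and how many
    of them are suspected of holding personal data outside IT's control."""
    return {
        "unknown_systems": len(findings),
        "suspected_pii": sum(1 for f in findings if f.pii_suspected),
        "external_with_pii": sum(1 for f in findings
                                 if f.pii_suspected and f.location == "external"),
    }


if __name__ == "__main__":
    results = reconcile(SCAN_RESULTS)
    for f in results:
        print(f"{f.ip:<14} {f.service:<16} {f.location:<10} "
              f"pii={'yes' if f.pii_suspected else 'no':<4} {f.note}")
    print(pia_summary(results))
```

The register is keyed by address for simplicity; in practice the same reconciliation runs against hostnames, SaaS tenant names from identity-provider logs and DNS query logs, and the interview notes are what turn a bare open port into an asset with an owner and a data classification.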

Educate users, particularly those likely to offend – While it may seem obvious, companies should set out in their policy the rules regarding the use and creation of new tools and systems. Educate everyone through effective training (not another PowerPoint in email) and engage specifically with those users likely to offend. What pain points are they experiencing? Where does policy or existing tooling get in the way of their daily lives? Where their approach is just plain wrong, explain, and where their pain is justified, you have just discovered an ideal stakeholder to assist with correcting your internal issues.

Control access to PII – If your central database or store of personal customer data controls the ability to access and export customer data in a granular fashion, it’s likely that the number of individuals able to deploy particularly damaging shadow IT will be limited, and a limited pool is easier to manage. Monolithic access, where a user can either get ‘root’ or all permissions or none at all, is a breeding ground for serious abuse and security incidents. Not to mention that appropriate access control is a fundamental part of both good security practice
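The granular model the point above argues for, beside the monolithic one it warns about. This is an added example, not code from the article or from Memset: a deny-by-default permission matrix for a customer data store that treats bulk export as a separate right from reading a record, records every decision on PII in an audit trail, and can list the pool of people who hold export rights. The roles, users and admin flag are constructed sample data, and the role names are assumptions for illustration.

```python
# Added example (not from the article): granular, deny-by-default access to a
# customer data store versus a monolithic "admin or nothing" flag.
# Roles, users and permissions below are constructed sample data.

# Constructed permission matrix: role -> set of (dataset, action) it may perform.
# "export" (bulk extraction, the step that feeds a rogue spreadsheet or cloud
# service) is deliberately separate from "read".
ROLE_PERMISSIONS = {
    "sales":   {("customers", "read")},
    "support": {("customers", "read"), ("tickets", "read"), ("tickets", "write")},
    "dpo":     {("customers", "read"), ("customers", "export"), ("audit", "read")},
    "dba":     {("customers", "read"), ("customers", "write"), ("customers", "export")},
}

# Constructed user -> roles mapping
USERS = {
    "alice": {"sales"},
    "bob":   {"support"},
    "carol": {"dpo"},
    "dave":  {"dba"},
    "erin":  {"sales", "support"},
}

AUDIT_LOG = []   # every authorisation decision on the data store is recorded


def _role_allows(roles, dataset, action):
    return any((dataset, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def authorize(user, dataset, action):
    """Deny by default: allowed only if one of the user's roles grants (dataset, action).
    The decision is logged either way so that export attempts are visible to review."""
    allowed = _role_allows(USERS.get(user, set()), dataset, action)
    AUDIT_LOG.append({"user": user, "dataset": dataset,
                      "action": action, "allowed": allowed})
    return allowed


def who_can(dataset, action):
    """The pool of people able to perform an action; a small pool is easier to manage."""
    return sorted(u for u, roles in USERS.items() if _role_allows(roles, dataset, action))


def export_customers(user, records):
    """Bulk export guarded by the granular check; refuses rather than silently filtering."""
    if not authorize(user, "customers", "export"):
        raise PermissionError(f"{user} may not export customers")
    return list(records)


# Monolithic model for contrast (constructed): one flag grants every action on
# every dataset, so anyone who needs a little more than "read" ends up with all of it.
ADMINS = {"carol", "dave", "erin"}


def monolithic_authorize(user, dataset, action):
    return user in ADMINS


def over_granted(dataset, action):
    """Users the monolithic flag lets perform this action although no role of
    theirs needs it: the excess pool the granular model removes."""
    return sorted(ADMINS - set(who_can(dataset, action)))


if __name__ == "__main__":
    sample = [{"id": 1, "name": "constructed customer"}]   # constructed record
    print("export pool (granular):  ", who_can("customers", "export"))
    print("export pool (monolithic):", sorted(ADMINS))
    print("over-granted by flag:    ", over_granted("customers", "export"))
    for user in ("alice", "carol"):
        try:
            export_customers(user, sample)
            print(f"{user}: export allowed")
        except PermissionError as exc:
            print(f"{user}: {exc}")
```

The useful output is the difference between the two pools: under the flag, `erin` (who only ever needed ticket access) can export the whole customer table, while under the matrix the export pool is two named people whose access can be reviewed, justified and monitored.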