Lurking Shadow I.T. is a Major GDPR Threat

Lurking Shadow I.T. is a major GDPR threat

The concept of shadow IT is an important one and something we’ve talked about here before. The practice of unapproved and often unknown and insecure services and applications being installed and used by staff in the course of their work is a headache.

Now, however, it could become a business-killing issue.

As the enforcement of the new data protection standards (known as GDPR) looms in May, all businesses should be in the process of auditing their data, how it is secured and who has access to it. Failing to do so could result in fines up to four per cent of global turnover, to a maximum of €20m

It’s not a straightforward process to pin down all of a company’s data stores, processes and uses. In fact it’s quite complex and needs to be taken very seriously now.

Unless you can get on top of the instances of shadow IT in your business, you could be on a path to failure in meeting the demands of GDPR.

Shadow IT is anything you don’t control, have access to or, possibly, even know is being used. It’s the stuff that workers installed themselves, perhaps because it made their lives easier and they didn’t see the harm in it.

Shadow IT in the Cloud

Cloud services and messaging apps are particular favourites. You might not use Dropbox for work purposes, but there’s a very good chance you have staff with their own account installed on their smartphone, tablet or computer because it simplified moving files between devices for them, or perhaps even between colleagues (in which case you’ve got an even bigger issue).

WhatsApp is another very popular service which makes sharing files between devices a doddle. But of course you don’t want your data being spread around in there without you having any knowledge or control.

To add complexity, you could have this shadow IT on your company issued devices as well as on workers’ own personal ones, if you don’t have proper protections in place. All of which means you can’t know what data people have and where. That’s a nightmare from a GDPR perspective.

There’s no single answer to this, but you should take all steps possible now to try to mitigate the dangers.

A decision may have to be made on whether staff who currently use their own devices for work purposes should continue to be allowed to do so. Devices (laptops, smartphones, tablets) that you provide can be managed by software that allows you to secure them, prevent actions that you don’t want to happen and wipe lost devices and the data they contain.

They can be prevented from using untrusted wi-fi networks, force strong passwords and the use of encryption and much more. We can do all of this for you.

It’s much harder (nigh on impossible, probably) to get staff to accept such measures on devices they own themselves, so other steps are needed.

Educate on Shadow IT

Company policies are also extremely important. They should spell out very clearly what company data is and how it should and should not be used, stored or shared. This might (probably should) include a blanket ban on using personal devices to access work emails and files.

Education and training are crucial, particularly around GDPR. Everyone should know how important the protection of data is (especially now), what they can and can’t do with and who to ask if they are unsure. If your policy is that data must not reside on personal devices, you must drive this home, along with any consequences for failing to follow the rules.

That’s not to say scare and threaten your staff! This whole process will work much, much better if you bring them along with you and actions are based on understanding and appreciation of the issues.

When some aspects of IT can be complex and daunting to people, the last thing you want to do is scare anyone away from making the most of the possibilities, but the time is definitely now to take this issue of shadow IT by the scruff of the neck and decide how you are going to deal with it.

For IT solutions that will help to meet the demands of GDPR, give us a call.