Shadow IT: will GDPR bridge the gap between perception and reality?

#Security 05.09.2018 Last update: 10.25.2020

In early 2017, a study revealed that 39% of company cloud services were ordered without the IT department’s permission. A report published the following year by French IT security experts association CESIN and Symantec showed that the trend toward shadow IT continues to grow. There is also a wide gap between perception and reality when it comes to shadow IT within organizations.

Shadow IT “has developed on the back of free online services that users are signing up for, without thinking about the risks to their company’s wealth of data,” explained Alain Bouillé, head of CESIN.

Generation cloud

We have now entered the age of generation cloud, according to the April 2018 report. “Flexibility, decentralization, and cost optimization are just some of the reasons why the cloud has become so successful.” Symantec also identified more than 22,000 business applications that allow data to be shared.

IT departments estimate that between 30 and 40 cloud applications and services are used in their company. The reality is quite different. The report revealed that an average of 1700 cloud apps are actually in use, with the number ranging from 287 to 5945 recognized and unrecognized solutions, depending on the company. “Once you discount official SaaS applications, the number of unrecognized – i.e. shadow – services is still astonishingly high,” the study’s authors note.

Thousands of shadow applications

The report distinguished between usage by user (anonymized) and by web traffic. The fact that companies tolerate some use of social media at work could explain why these services feature among the top 10 most popular cloud apps. It does raise questions, however, that Workplace by Facebook appears in the top 10 by user in this category for businesses that have not officially subscribed to it.

Another possible source of data leaks is the set of tools used to share large amounts of data and files, which were found to be used very extensively. Google Drive came out on top when classed by user, while Evernote came 4th, just ahead of Dropbox. Hightail and WeTransfer ranked 8th and 10th respectively when classed by web traffic. “Some of these services the company will have certainly subscribed to. Others, though, are used without the IT department’s permission,” the report states.

A real threat to company security

There are thousands of applications and services that IT departments don’t know about. Using tools like these represents a risk to data security, confidentiality, and integrity. Shadow IT is a serious threat to a company’s IT system and data. And with the GDPR coming into force, now is the right time to buck the trend. Using shadow IT makes it all the more difficult to comply with the new European legislation.

Could GDPR combat shadow IT?

The whole point of this new EU legislation is to strengthen the protection of personal data. GDPR simply does not allow uncontrolled free SaaS applications to be used. Businesses now need to make sure they comply with the legislation and notify the supervisory authority in the event of data loss or breach. IT departments need to be alerted to any suspicious activity and security incidents.

The new rules require suitable and secure tools to be adopted, especially when it comes to file sharing and collaboration. The only option is to use tools designed specifically for professionals that offer a high level of security. With Oodrive’s file sharing solutions, you can secure your sensitive data. Meeting the most stringent certifications, Oodrive solutions do away with privacy vulnerabilities and guarantee compliance with your company’s security policy – such as secure hosting, audited code, and autonomous data management.