Shadow IT is the use of hardware, software or cloud-based services by an employee for work purposes, without the authorization or knowledge of the IT department. Most of the time, shadow IT is implemented without ill-intent and with the hope of increasing collaboration and productivity among co-workers. For example, common types of shadow IT include the use of file transfer sites, collaboration platforms, or personal email. What employees don’t realize however, is that they open up their organization to a slew of security risks when using these unverified services and apps. It’s estimated that by the year 2020, one third of successful cyber attacks will be against shadow IT resources.

The use of unauthorized apps and cloud based services has long been a nuisance for IT departments, but now the new GDPR regulations add another layer of risk into the mix. It comes in the form of “unregistered data sources” or data that is unknown to the data controller. Nearly every form of IT, be it hardware or software, manipulates or stores data in some way. If the data controller does not know about this data then the company is not GDPR compliant and faces a possible penalty of €20 million or 4% of annual global turnover – whichever is higher.

The risk is even greater for companies which employ a BYOD strategy for their wireless devices. To be GDPR compliant, companies must be aware of where their data is and how it’s being used, at all times. In addition, data cannot be retained for longer than is absolutely necessary. Monitoring and tracking such flows of data on an employee’s personal device, and ensuring it’s removed appropriately, can be tricky at best. When we add in the “human factor”, risk increases yet again.

“The GDPR stipulates that the data controller must be in control of the data at all times, which can be difficult to ensure if the said controller does not own the device where the data is stored. This does not play well with BYOD policies, as they are inherently risky and, in fact, it is unclear whether such systems in their current form can be considered GDPR compliant at all.”  – The GDPR Insider

Most employees are not malicious, they simply do not realize the consequences of their actions. Take for example, the United Airlines flight attendant who recently posted a photo online. Included in the background, in clear view, was a sheet of paper with the access codes to the cockpit door. Or the recent breach of South Korean cryptocurrency exchange Bithumb, where the data of 30,000 customers was exposed when an employee’s personal home computer was hacked.

Finding all instances of shadow IT, documenting the customer data that resides within it, and developing a system to track such instances is the first step in addressing the problem. The greater challenge is in building a culture that embraces creative solutions and enables employees to bring these ideas to IT, without the expectation that their request will be denied or take several weeks or months to implement. The more open IT departments are to discussion and innovation, the less likely employees will be to use rogue systems in secret.