How Shadow IT Can Threaten Compliance

In Security by Carolina Curby-Lucier

Shadow IT

In an effort to be more productive and connected, employees are taking it upon themselves to seek technology solutions that fit their workplace needs, and as a result, are inadvertently creating serious challenges for their IT teams. The number of employees bringing personal mobile devices into the workplace and using them as business devices has exploded; the number of people downloading unapproved applications, programs and systems on their work computers continues to grow. This integration of non-sanctioned devices and use of unapproved IT programs, otherwise known as Shadow IT, is causing privacy and security problems for organizations’ IT infrastructures and their ability to satisfy governmental compliance regulations.

An often-cited 2015 survey by the Cloud Security Alliance stated that only 8 percent of companies know the scope of Shadow IT within their organization. Although alarming, it’s not surprising that companies were losing control over their sensitive data.

The Rise of IT Self-Service in the Workplace

Mobile and cloud technology has had a tremendous impact on the personal and professional lives of Americans and their employers. According to the Pew Research Center, 68% of U.S. adults owned a smartphone in 2015, up from 35% in 2011, while tablet computer ownership edged up to 45% among adults. Those numbers continue to climb in 2017. Employees expect to be able to bring and use their personal smartphone, tablet or wearable technology into the workplace. Whether it’s for file sharing, communications, development or storage, employees are adopting non-approved services to better do their jobs.

What is Shadow IT?

Applications or software deployed by business users without the consultation or approval of the IT department are referred to as shadow deployments. The term Shadow IT has come into use because these deployments are not part of the sanctioned IT infrastructure but operate in the shadows. For example, when a group of employees downloads a new chat service and uses it to discuss business matters, or the Marketing Department connects its analytics API to cloud software without notifying IT, the entire IT infrastructure is undermined. Shadow deployments can lead to unintended consequences, such as loss of private data, compliance violations, and security vulnerabilities.

Shadow Deployments Present Compliance Risks

Shadow deployments are dangerous to businesses of all sizes. The business no longer has complete control of the flow of its data, especially because many rogue deployments occur outside of company firewalls and via the cloud (e.g. Google Docs and Dropbox). Unregulated IT systems and solutions can leave organizations in violation of PCI Data Security Standards, Basel II, and HIPAA compliance measures. Shadow IT can also extend to the use of unregulated software and unlisted licenses, which is considered a safety risk and creates vulnerabilities that trigger security incidents and compliance audits.

Staying On the Right Side of the Law

It is very disconcerting that the use of Shadow IT can subvert federal and state regulations. For instance, the financial sector has to comply with the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley seeks to maintain accuracy and integrity of data presented in financial reports by instituting internal measures that ensure this information is verifiable. These controls are negated if the information isn’t properly set up and regulated within the IT Department of a company.

Businesses that manage protected health information must comply with the Health Insurance Portability and Accountability Act (HIPAA), as mentioned above. Like Sarbanes-Oxley, HIPAA seeks to control and protect the flow of electronic Protected Health Information (ePHI) and keep that information out of the hands of unauthorized users. Many popular apps and software lack the capacity to meet financial or health compliance standards, so seemingly harmless activities, such as accessing Facebook on a smartphone, can get your enterprise in legal hot water.

Preparing for e-Discovery

E-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. Imagine your IT department’s confusion when they get a subpoena to turn over all of their information and data from a piece of software they didn’t even know your business was using.

It is difficult to determine the type of service level agreement (SLA) rogue deployments are based upon. When your company is audited, you’re legally required to send certain information within a given amount of time. Your SLA states that the information will be given to you, but if for whatever reason you’re unable to gather the data, your organization may be subject to legal, financial, and reputational damages. True preparation requires organizations to align IT and Legal, as both parties may be required to produce information during the e-Discovery process.

Defending Against Shadow IT

Independent usage of IT systems and applications will only continue to grow, forcing IT departments to address privacy and security concerns on an ongoing basis. Communication is key to ensure rogue deployments don’t put your company at risk. Your IT department, C-suite executives, and department heads should determine your organization’s technology needs and decide how your risks will be mitigated. It’s vital that you develop a clear, concise company policy on how to notify, purchase, and deploy new technology and determine what level of personal mobile and wearable technology usage your business permits in the workplace.

Additional Resources on This Topic:

Shadow IT: 8 Ways to Cope

Why a Security Team Embraces Shadow IT

CIOs Vastly Underestimate Extent of Shadow IT

Photo Credit: propadanda via Compfight cc

This post was first published on Onramp.


As OnRamp’s Marketing Manager, Carolina leads the content strategy, SEO, product launch, and communication efforts at OnRamp. With experience in managed hosting, cloud computing and VoIP, she translates complex concepts into simple terms that potential customers and partners can understand and use to build compliant IT solutions.

Connect with Carolina Curby-Lucier on LinkedIn
