How Shadow IT Affects Governance, Risk Management, and Compliance (GRC) For Organizations

Shadow IT poses a significant challenge from governance, Risk Management, and Compliance (GRC) perspectives, as it is difficult to regulate or control what you don’t know about. 99% of companies allow completely free browsing for all employees, or at least to some departments, because there is an app or a solution for everything out there. As agility, ownership and innovation became the go-to principles of modern organizations any restrictions would be a bad neighbor.

To ensure the organization’s digital security, GRC departments need to monitor employee-created accounts, non-sanctioned applications and invisible business processes.

A few real-life examples of what standards and regulations require:

Inventory

According to both NIST ZTA guidelines and the CIS framework, a detailed inventory of enterprise-owned assets should be established, so that controls can be put in place. And Shadow IT web-applications and passwords are both enterprise-owned, as employees are using enterprise-owned email addresses from their enterprise-owned devices, to conduct enterprise-related business activities. Read our Shadow IT Challenges in the Light of the CIS Security Controls guide.

Privacy

Privacy regulations such as GDPR or CCPA require an inventory of third-party data processors and controllers, as well as meaningful practices to limit access, storage and purpose of data management of customers and employees. Shadow IT web applications pose a significant challenge as they are not populated automatically. If employees share personal data on these sites, there is no oversight for GRC, and also no oversight of what happens to this data after it is shared. What are your suppliers’ policies? Who are their suppliers? Where is the data stored? These all need to be assessed for Shadow IT apps that handle personal or sensitive business data, otherwise a GDPR fine and some ugly headlines may result.

Password Complexity

Passwords are another aspect to consider when your employees create passwords on third-party websites, which you have no visibility over. Whatever complexity, rotation or password strength is required by those applications is going to determine what your users do, and this is completely out of your hands. Check out the AD Password Hygiene use case to know why this is also a great risk from a security perspective.

BCP, DRP, BIA

Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), and Business Impact Analysis (BIA) are all crucial processes of large organizations. When employees need to rely on a web-application for procurement, logistics, HR, or communications, core business functions may be impacted based on the availability and reliability of these services.

Reviewing their policies, reviewing user access to them and laying down alternatives can only be done if the inventory of these applications is available, and managers and employees are well informed about what and why is happening on these applications. These inventories will also help onboarding new team members, providing them with the tools that their predecessors had been using, without disrupting business for sake of new people trying to learn the ropes.

Read our related blog posts: