Don’t Let Shadow IT Put Your Business at Risk

Unsanctioned Business Unit IT Cloud Adoption Increases Risk of Data Breaches and Financial Liabilities.

Even with security and compliance concerns continuing to be inhibitors to cloud adoption by companies, the number of cloud purchases by individual business units is growing.

When business unit IT (BUIT) digital services are not sanctioned by centralized IT, they are often referred to as “shadow IT,” suggesting IT assets that are invisible to the IT department. According to Brian Lowans, principal research analyst at Gartner, these unsanctioned cloud services purchases are driving increased risks of data breaches and financial liabilities.

“Most organizations grossly underestimate the number of shadow IT applications already in use,” says Lowans. “A data breach resulting from any individual BUIT purchase will result in financial liabilities affecting the organization’s bottom line. Liabilities can be very large due to a mix of costs that include notification penalties, auditing processes, loss of customer revenue, brand damage, security remediation and investment, and cyberinsurance.”

Here are three key steps to mitigate risk:

Use Data Security Governance to Balance Local BUIT Growth Objectives Against the Risk of Data Breaches and Financial Liabilities

IT procurement controls are often bypassed, either by classifying Software as a Service (SaaS) or Business Process as a Service (BPaaS) as business services or by purchasing subscriptions below authorization thresholds via app stores or online. CIOs and CISOs must ensure data security governance is applied appropriately and proportionally to each business unit. BUIT purchasing should enable flexibility, innovation and growth of competitive advantage, but not at the expense of security.

While many clouds can be shown to have good security, the data access risks and threats posed by users and administrators must be addressed.

Deploy Shadow IT Discovery and Data Protection Tools to Enable the Safe Selection, Deployment and Notification of Unauthorized Cloud Services

While many clouds can be shown to have good security, the data access risks and threats posed by users and administrators must be addressed. If left unchecked, the adoption of SaaS or BPaaS applications by business units, or even by individuals, raises the risks of accidental or malicious posting of sensitive data.

Shadow IT discovery tools are available from a number of cloud access security brokers (CASBs) that can automatically scan the organization network infrastructure to detect SaaS and BPaaS applications. These can also provide a security perspective or software asset management perspective.

Are you ready to scale digital business?
View Agenda

Use Data Security Governance to Develop and Orchestrate Consistent Security Policies Across All BUIT for Each Prioritized Dataset

Data security governance must prioritize datasets with the highest risks and establish appropriate security policies and controls. This needs stakeholder input from the business units, IT, risk, compliance, governance and security roles. A balance needs to be struck between the required controls and subsequent loss of functionality in each application.

Orchestration of data security controls must be coordinated and consistent across different clouds and cloud instances. For example, data residency is a critical compliance issue that affects the implementation of data security controls due to the geographic origin, geographic storage locations of each cloud, and the geographic location of staff accessing each dataset.


Gartner clients can learn more in “Unsanctioned Business Unit IT Cloud Adoption Will Increase Financial Liabilities,” by Brian Lowans, et al.

This report is part of the Gartner Special Report “Coming to Terms with Business Unit IT to Prepare for Digital Business,” a collection of research focused on not letting the problem of business unit IT hinder the changes needed to harness the power of digital.

Read complimentary research: Five Golden Rules for Creating Effective Security Policy.

Watch the webinar: The New Risks of Digital Business.


Get Smarter

Cloud Computing Primer for 2017

Cloud has evolved from a disruption to an expected approach to traditional as well as next-generation IT. Our research helps IT leaders,...

Read Free Research

The Need for Speed: Ensuring Application Performance in the Cloud and Mobile Age

Enterprise networks NOW need to reach a larger and more geographically dispersed audience often using mobile devices. As direct control...

Start Watching

Follow #GartnerIO

Learn more at the Gartner Global Infrastructure & Operations Events.

Explore Gartner Events