Don’t Let Shadow IT Put Your Business at Risk

Unsanctioned Business Unit IT Cloud Adoption Increases Risk of Data Breaches and Financial Liabilities.

Even though security and compliance concerns continue to inhibit cloud adoption by companies, the number of cloud purchases by individual business units is growing.

When business unit IT (BUIT) digital services are not sanctioned by centralized IT, they are often referred to as “shadow IT,” suggesting IT assets that are invisible to the IT department. According to Brian Lowans, principal research analyst at Gartner, these unsanctioned cloud services purchases are driving increased risks of data breaches and financial liabilities.

“Most organizations grossly underestimate the number of shadow IT applications already in use,” says Lowans. “A data breach resulting from any individual BUIT purchase will result in financial liabilities affecting the organization’s bottom line. Liabilities can be very large due to a mix of costs that include notification penalties, auditing processes, loss of customer revenue, brand damage, security remediation and investment, and cyberinsurance.”

Here are three key steps to mitigate risk:

Use Data Security Governance to Balance Local BUIT Growth Objectives Against the Risk of Data Breaches and Financial Liabilities

IT procurement controls are often bypassed, either by classifying Software as a Service (SaaS) or Business Process as a Service (BPaaS) as business services or by purchasing subscriptions below authorization thresholds via app stores or online. CIOs and CISOs must ensure data security governance is applied appropriately and proportionally to each business unit. BUIT purchasing should enable flexibility, innovation and growth of competitive advantage, but not at the expense of security.

Deploy Shadow IT Discovery and Data Protection Tools to Enable the Safe Selection, Deployment and Notification of Unauthorized Cloud Services

While many clouds can be shown to have good security, the data access risks and threats posed by users and administrators must be addressed. If left unchecked, the adoption of SaaS or BPaaS applications by business units, or even by individuals, raises the risks of accidental or malicious posting of sensitive data.

Shadow IT discovery tools are available from a number of cloud access security brokers (CASBs) that can automatically scan the organization's network infrastructure to detect SaaS and BPaaS applications. These tools can also provide a security perspective or a software asset management perspective.

Use Data Security Governance to Develop and Orchestrate Consistent Security Policies Across All BUIT for Each Prioritized Dataset

Data security governance must prioritize datasets with the highest risks and establish appropriate security policies and controls. This needs stakeholder input from the business units, IT, risk, compliance, governance and security roles. A balance needs to be struck between the required controls and subsequent loss of functionality in each application.

Orchestration of data security controls must be coordinated and consistent across different clouds and cloud instances. For example, data residency is a critical compliance issue that affects the implementation of data security controls due to the geographic origin, geographic storage locations of each cloud, and the geographic location of staff accessing each dataset.


Gartner clients can learn more in “Unsanctioned Business Unit IT Cloud Adoption Will Increase Financial Liabilities,” by Brian Lowans, et al.

This report is part of the Gartner Special Report “Coming to Terms with Business Unit IT to Prepare for Digital Business,” a collection of research focused on not letting the problem of business unit IT hinder the changes needed to harness the power of digital.
