Shadow IT and IT compliance

30/03/2022


What is shadow IT?

Shadow IT refers to IT systems and software products that a company's functional areas use alongside the official IT infrastructure, without the knowledge of the IT department. Software-as-a-service products in particular are quick and easy to obtain without involving procurement, data protection/legal, Software Asset Management (SAM) or IT security. Free products add to the problem: the free versions of messenger services such as WhatsApp, Signal or Telegram are especially popular. Furthermore, in product development, engineering tools such as CAD programs are often not covered by SAM and IT security at all.

Shadow IT poses a significant risk potential in terms of IT compliance. Below, we take a closer look at potential risks and impacts in the areas of IT security, license compliance and economic efficiency, as well as data protection.

Shadow IT and IT security

For IT security, the use of shadow IT represents a major risk. Products that are not checked and tracked by the company's IT can serve as an entry point for attackers. Because the IT security department is not involved, it does not know that certain products are in use in the company, and this can lead to serious security incidents, such as a ransomware attack, but also to unwanted data leakage. A good example of the latter is the use of WeChat, a very popular messenger service in China that is now also used for news, shopping and payments. In addition to the "standard risks", such as the exploitation of security vulnerabilities by malicious actors, the question of data security also arises, since WeChat is used above all in China. For example, communications sent via WeChat by personnel of a Chinese branch office could sometimes be read by government agencies that have had backdoors built into the software. WeChat also does not offer end-to-end encryption (E2EE). Any information about trade secrets and other internal matters sent this way is therefore at risk of exfiltration for the purpose of industrial espionage. The involvement of IT security, which can assess a product and then approve or prohibit it, is essential for protecting corporate systems from criminal hackers as well as from industrial espionage. Appropriate awareness must therefore be ensured within the company, including in international branch offices.

Shadow IT and License Compliance & Economic Efficiency

In addition to security aspects, legal and economic risks also play a role in the use of shadow IT. If software licenses and cloud services are procured on a decentralized basis without involving Software Asset Management and IT purchasing, there is a risk that contractual clauses such as general terms and conditions or open-source license conditions are accepted unchecked and the licensor is unintentionally granted extensive rights. Furthermore, decentralized procurement means that license certificates are not documented centrally. The result is increased clarification effort in the event of a software audit, but also a lack of cost transparency, no possibility of bundling purchase volumes, and no way of reusing unused (already paid for) licenses elsewhere in the company. These risks are typically difficult for a layperson to grasp in advance. Central coordination, e.g. via Software Asset Management together with the respective experts, is therefore advisable.

Shadow IT and data protection

Another risk arises when personal data is processed using shadow IT. In principle, every data processing activity in a company must be examined to determine whether it involves personal data, in which case the provisions of the General Data Protection Regulation (GDPR) apply. Normally, a company's functional areas lack the expertise to assess, on the basis of the available documents, whether personal data is processed in accordance with the GDPR. If no professional review is carried out, compliance with the data protection principles cannot be ensured. If personal data is not processed lawfully, this can in the worst case result in significant fines: the GDPR allows for fines of up to 4% of annual turnover or €20 million, whichever is greater. In addition, unlawful processing of personal and especially sensitive data jeopardizes the trust of customers and business partners in the company. Involving the data protection officer is therefore important when evaluating any software deployment.

So what to do?

The risks described above can only be adequately managed with appropriate governance. This requires guidelines for IT procurement, IT security and IT use by a company's functional areas, supplemented by internal awareness campaigns. Furthermore, the guidelines must be operationalized by means of suitable processes (e.g. in software portfolio management) and regularly checked by means of appropriate control mechanisms (e.g. internal audits, technical scanning, or similar).
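The "technical scanning" control mentioned above can be as simple as reconciling what the network actually talks to against the inventory of services that procurement, SAM, IT security and data protection have reviewed. The script below is an added example, not code from the original post or from COMPLION: it parses a few constructed web-proxy log lines, drops everything that belongs to an approved service, and lists the remaining hosts as shadow-IT candidates for the governance process to assess, tagging free messenger services separately since the post singles them out. The log format, the approved inventory and the messenger domain list are all assumptions.

```python
"""Reconcile observed SaaS traffic against an approved-software inventory.

Added example (not from the original post): a minimal "technical scan" that
compares destination hosts in constructed web-proxy log lines with the list
of services that have actually been reviewed. Anything outside that list is a
shadow-IT candidate for the governance process. Format and lists are assumed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <user> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2022-03-30T08:01:12Z alice GET https://teams.microsoft.com/api/chat 200
2022-03-30T08:02:40Z bob POST https://web.whatsapp.com/send 200
2022-03-30T08:03:05Z carol GET https://app.some-cad-saas.example/projects 200
2022-03-30T08:04:51Z bob GET https://web.whatsapp.com/status 200
2022-03-30T08:05:10Z dave GET https://login.salesforce.com/ 302
2022-03-30T08:06:00Z erin GET https://web.wechat.com/ 200
malformed line without a url
"""

# Constructed approved inventory: reviewed service -> domain suffixes it owns.
APPROVED_SERVICES = {
    "Microsoft Teams": ("teams.microsoft.com",),
    "Salesforce": ("salesforce.com",),
}

# Constructed watch list for the category the post singles out (free messengers).
MESSENGER_DOMAINS = ("whatsapp.com", "telegram.org", "signal.org", "wechat.com")

# Timestamp, user, HTTP method, then the host part of the URL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+https?://(?P<host>[^/\s:]+)"
)


@dataclass
class Finding:
    host: str
    category: str
    hits: int = 0
    users: set = field(default_factory=set)
    first_seen: str = ""


def _matches(host: str, suffixes) -> bool:
    # Exact match or a proper subdomain of one of the suffixes.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_approved(host: str) -> bool:
    return any(_matches(host, sfx) for sfx in APPROVED_SERVICES.values())


def classify(host: str) -> str:
    return "messenger" if _matches(host, MESSENGER_DOMAINS) else "unreviewed-saas"


def scan_proxy_log(log_text: str) -> dict:
    """Return {host: Finding} for every host not covered by the approved inventory."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line: skip, do not crash the scan
        host = m["host"].lower()
        if is_approved(host):
            continue
        f = findings.setdefault(host, Finding(host, classify(host), first_seen=m["ts"]))
        f.hits += 1
        f.users.add(m["user"])
    return findings


def report(findings: dict) -> None:
    for host, f in sorted(findings.items(), key=lambda kv: -kv[1].hits):
        print(f"{host:32} {f.category:16} hits={f.hits} users={len(f.users)} first={f.first_seen}")


if __name__ == "__main__":
    report(scan_proxy_log(SAMPLE_PROXY_LOG))
```

The output is a work list, not a verdict: each unapproved host still goes through the assessment described in the post (IT security, SAM, data protection), after which it is either added to the approved inventory or blocked. Suffix matching on the registered domain is used so that new subdomains of an already reviewed service do not generate noise.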

COMPLION is an independent consulting firm with a focus on digital compliance. Our claim is a holistic view of IT Governance, IT Risk and IT Compliance in all aspects of digital transformation. We typically support our clients at the interface between management and IT, including in the areas of IT security, Software Asset Management and data protection. Find out more about our range of services here.

Authors: Felix Baran, Tobias Philipsen, Anne Pinke