An overwhelming majority of UK CIOs (76%) don’t know how much their organisation is spending on cloud services, according to a new research report released today by Trustmarque, part of Capita. Moreover, employee-driven ‘cloud sprawl’ and ‘Shadow IT’ are posing a significantly increasing risk to businesses’ overall data security.
Increasing use of Shadow IT, whereby employees set up their own means of creating and storing business information (for example, opening their own cloud accounts without the knowledge of their IT departments), means UK companies are exposing themselves to possible data breaches and to non-compliance with legal, regulatory and contractual obligations. With the impending EU General Data Protection Regulation (GDPR), this could lead to a significant financial impact, with failure to comply carrying penalties of up to €20m or 4% of global annual turnover.
The GDPR, which will come into force in May 2018, will mandate 72-hour breach notifications – something that may be difficult to achieve for companies if IT leaders don’t know exactly where employees are storing and sending business data. The new legislation will have a significant impact on the operations of any firm which collects personal data on any EU resident, regardless of whether it stores that data inside or outside of Europe.
Phil McCoubrey, head of security architecture, Capita, said: “These findings underline the extent to which British organisations must quickly appreciate the magnitude of the potential impact of GDPR. While the regulation clearly sets out that the personal responsibility and therefore accountability lies with managing data control, which is often a job of IT leaders, there is a worrying lack of action being taken by CIOs. If they don’t have basic control over shadow IT, then our concern is they are far off delivering the scale and magnitude of meeting GDPR within just eight months. Threats from employee behaviours have always been a consideration and some organisations may be more prepared than they think if they have adopted the basic principles of the Data Protection Act. For those that haven’t though, there is a lot of work to do.
“However, the GDPR should not solely be viewed as an information security issue, but also a fundamental business and governance challenge. Senior management teams must address this regulatory challenge; the potential financial penalties are significant. Organisations must also consider the impact of the potential reputational damage following a breach, which we have seen with companies such as TalkTalk and Equifax.
“At a time when the amount of data being generated, stored and shared is growing exponentially, UK organisations, in both the public and private sectors, should view GDPR as an opportunity to strengthen data security processes and improve resilience, when it is needed more than ever.”
The third and final report of the Trustmarque CIOs in 2017 series also found that more than half (54%) of CIOs said the ease with which employees can sign up to these cloud services has made it difficult for them to know exactly how many subscriptions and services the company ‘owns’, while the majority of IT leaders – 58% – said they were worried that costs could spiral out of control as a result of cloud sprawl.
Furthermore, 86% said cloud sprawl and Shadow IT make the ongoing management of cloud services a challenge, while almost half of CIOs (45%) argued that providers could do more to warn users about the costs they are incurring when using cloud services.
The research was undertaken by the independent market research company Vanson Bourne; the total sample size was 200 UK CIOs and senior IT decision makers from large enterprises with over 1,000 employees. All three reports in the CIOs in 2017 series are available to download.