By Ben Bulpett, Identity Platform Director, EMEA, SailPoint
Financial services will always be a target for attackers seeking to get their hands on lucrative assets. But as the sector continues to digitise, organisations risk multiplying the number of entry points that increasingly sophisticated cyber criminals can take advantage of.
A growing cause for concern is the rise in ‘Shadow IT’ as the adoption of cloud-based services increases. This is where users sign up for and use cloud apps and services to assist them in their work, without consulting or getting approval from IT first. The problem has been exacerbated by the shift to working from home and the new hybrid workplace, with employees working outside the traditional office perimeter and the purview of the IT team. In fact, recent research has found that, on average, a company has three to four times more SaaS apps in use than its IT department is aware of.
Why is this such a headache exactly? When SaaS is adopted without approval, the IT team has no visibility of it and no understanding of how to properly secure it, and none of the organisation's existing controls (single sign-on, access reviews, data loss prevention, offboarding) apply to it. All companies face concerns with Shadow IT, but financial services are most at risk because of the huge amount of sensitive data the industry holds on individuals.
One small security slip-up, like an app flying under the radar of IT and subsequently going unprotected, is enough to let attackers in. This could have huge ramifications, like a breach of consumers’ data, including bank account information. Not only could it be hugely damaging to banks’ reputations, it could also bring heavy financial losses, including regulatory penalties, to those in the industry.
Shadow IT, through the seismic shift towards cloud and SaaS, is a huge threat to financial services if it’s not dealt with correctly. So, what do organisations need to consider moving forward?
Lurking in the shadows
Shadow IT makes it difficult to determine where data is stored, and who has access to it, resulting in a lack of control, financial risks, compliance issues and potential data loss and data leaks.
The problem is huge across industries. According to Gartner, Shadow IT accounts for 30-40% of overall IT spending at large enterprises, meaning more than a third of IT budgets are being spent on tools that teams and business units are purchasing and using without the IT department’s knowledge.
How might this impact overall revenue? A lot of unapproved software and services duplicate the functionality of approved ones, meaning your company spends money inefficiently. Research by Deloitte shows that, on average, companies spend 3.28% of their revenue on IT. Banking and securities firms were found to spend the most (7.16%), with construction companies spending the least, so the sector with the largest IT budgets also has the most to lose to duplicated, ungoverned spending.
Shadow IT apps are typically less well secured than their sanctioned counterparts because they have not been vetted, are not integrated with the organisation’s identity and security controls, and therefore fall by the wayside when it comes to an organisation’s security programme. This dramatically increases the risk of data breaches. Gartner predicts that by 2022, one-third of successful attacks experienced by enterprises will be on their Shadow IT resources. Combining that with Ponemon’s average breach cost of $3.86M and average annual breach probability of 27.2% gives an expected breach cost of roughly $1.05M per year; if one-third of that exposure sits in Shadow IT, it may be costing organisations as much as $350,000 per year in breach-related risk.
Keeping up with SaaS
So, how can the SaaS footprint be tracked? A manually maintained spreadsheet of core enterprise apps can never achieve full visibility. It captures only a fraction of what is out there, and the moment the spreadsheet is updated, another app is likely to fly under the radar and make it out of date again. This approach is both time-consuming and filled with inaccuracies.
For example, if a finance director shares a root-level folder in a cloud file storage app with outside parties, this inadvertently grants access to detailed financial statements that would never be released publicly. Salaries, profit and loss, and more would be unintentionally exposed. If the share is a public link rather than internal and read-only, the finance director’s team files, folders and discussions become open to anyone with the link, and the files may even be indexed by search engines. Because no governance control existed to detect or prevent the over-sharing, accountability lies with the CISO and CIO rather than the finance director.
Another situation is a company unknowingly running multiple duplicate project management apps outside IT’s purview, spread throughout the business. This creates massive cost overlap and security exposure: how much sensitive data has been stored in the apps nobody is tracking? These examples are all too common across companies.
Reducing threat through identity security
Overcoming Shadow IT requires organisations to shine a light directly on SaaS access risk. Identity security technology can achieve this by identifying ungoverned SaaS apps, typically from the sign-in and OAuth consent records that the identity provider already holds, and then extending the right security controls to ensure only the right people have access to those apps.
Subsequently, this enables the IT team to quickly find and bring SaaS apps under governance, with the visibility and intelligence needed to understand who has access and how that access is being used. They can then remove or alter access that is either excessive or no longer needed.
An identity security-led approach means driving a seamless process from discovery to governance across the organisation’s entire SaaS app landscape, and being able to wrap the right security controls around every newly discovered SaaS app and the data within it. Through this approach, organisations have the tools at their disposal to shut down Shadow IT problems across the business, and save hundreds of thousands of pounds while doing so.
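The discovery-to-governance loop described above, reduced to its essentials, as an added example that is not SailPoint's product code or anything from the original article. It folds constructed identity-provider sign-in and OAuth consent events into an inventory of who uses which app, then flags apps that are not on the sanctioned list, access that has gone unused past a review threshold, and grants carrying write or external-sharing scopes (the over-shared finance folder scenario above). The app names, scope names and the sanctioned list are all hypothetical; a real run would pull the events from the IdP's audit API instead of the embedded sample.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Assumed sanctioned-app inventory maintained by IT (hypothetical names).
SANCTIONED_APPS = {"Salesforce", "Workday", "Office 365"}

# OAuth scopes that give an app write or external-sharing power over data.
# Hypothetical scope names chosen for illustration.
HIGH_RISK_SCOPES = {"drive.readwrite", "drive.share_external", "mail.readwrite"}

# Constructed sample of IdP consent/sign-in events: (user, app, ISO date, scopes).
SAMPLE_EVENTS = [
    ("alice@bank.example", "Salesforce", "2024-05-01", ("openid", "profile")),
    ("alice@bank.example", "TrelloClone", "2024-02-03", ("openid", "files.read")),
    ("bob@bank.example", "TrelloClone", "2024-03-01", ("openid",)),
    ("bob@bank.example", "TrelloClone", "2024-05-10", ("openid", "files.read")),
    ("carol@bank.example", "DocShare", "2024-05-12",
     ("openid", "drive.readwrite", "drive.share_external")),
    ("dave@bank.example", "Workday", "2024-01-15", ("openid",)),
    ("erin@bank.example", "OtherPM", "2024-05-09", ("openid", "files.read")),
]


@dataclass
class AppAccess:
    last_used: date
    scopes: set[str] = field(default_factory=set)


@dataclass
class Finding:
    kind: str     # unsanctioned_app | stale_access | high_risk_scope
    user: str     # "*" when the finding is about the app as a whole
    app: str
    detail: str


def build_inventory(events):
    """Fold raw events into app -> user -> AppAccess (latest use, union of scopes)."""
    inventory = defaultdict(dict)
    for user, app, when, scopes in events:
        used = date.fromisoformat(when)
        access = inventory[app].get(user)
        if access is None:
            inventory[app][user] = AppAccess(last_used=used, scopes=set(scopes))
        else:
            access.last_used = max(access.last_used, used)
            access.scopes.update(scopes)
    return dict(inventory)


def review_access(inventory, sanctioned, today, stale_days=90):
    """Apply the governance checks to the inventory and return a list of findings."""
    findings = []
    for app, users in sorted(inventory.items()):
        if app not in sanctioned:
            findings.append(Finding("unsanctioned_app", "*", app,
                                    f"{len(users)} user(s) granted access outside IT approval"))
        for user, access in sorted(users.items()):
            idle = (today - access.last_used).days
            if idle > stale_days:
                findings.append(Finding("stale_access", user, app,
                                        f"last used {idle} days ago; candidate for revocation"))
            risky = access.scopes & HIGH_RISK_SCOPES
            if risky:
                findings.append(Finding("high_risk_scope", user, app,
                                        "granted " + ", ".join(sorted(risky))))
    return findings


def summarise(findings):
    """Count findings per kind, e.g. {'unsanctioned_app': 3, 'stale_access': 2, ...}."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding.kind] += 1
    return dict(counts)


def run_review(today_iso="2024-05-15"):
    """End-to-end pass over the constructed sample as of the given review date."""
    inventory = build_inventory(SAMPLE_EVENTS)
    return review_access(inventory, SANCTIONED_APPS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.kind}] {f.user} -> {f.app}: {f.detail}")
    print(summarise(run_review()))
```

The three finding kinds map onto the three governance actions in the text: an unsanctioned app is onboarded or blocked, stale access is revoked, and high-risk scopes are reviewed with the data owner. Running the same pass on every IdP export, rather than curating a spreadsheet, is what keeps the inventory from going out of date the moment a new app appears.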
Greater visibility, greater protection
Organisations must ensure they have the right cyber security measures in place as they continue to adopt cloud-based services. It is estimated that by 2022, nearly 90% of organisations will rely almost entirely on SaaS apps to run their business. There’s no room for mistakes. As we continue into this new era of working, organisations must prioritise discovering all the hidden SaaS apps and keeping track of them. This can be done by applying the very same identity governance controls that are already in place for the rest of the critical business applications. Deeper visibility into the full scope of ungoverned SaaS applications means identifying weaknesses before attackers do and keeping the perimeter protected.
By capitalising on the benefits of identity security, financial organisations can ensure the proper protection of the data needed to keep customers safe. It also means saving huge amounts of money each year, not only by avoiding potential breaches but also by improving compliance, optimising licensing costs and eliminating wasted IT spend.