The Risks of Shadow IT at Financial Services Firms

Steve Mulhearn

Director of Enhanced Technologies at Fortinet

07.06.2018 12:00 pm

Businesses across all verticals are dealing with the fallout from shadow IT, whether they realise it or not. Shadow IT refers to technology which is brought into an organisation by individual employees and business units without the knowledge or consent of corporate IT teams. Fuelled in part by their ease of purchase and deployment, SaaS applications are largely to blame for the impressive growth of shadow IT. According to a recent survey from the Cloud Security Alliance, 72 percent of executives are unaware of how many shadow applications are in use within their organisation.

For financial services firms, the risks of shadow IT are compounded by the high value of the data within the organisation and the strict regulatory standards with which they must comply.  As the growth of shadow IT is showing no signs of slowing

The motivation to adopt shadow IT is usually well-intentioned. It’s understandable that employees would want to use applications which enable them to do their jobs more efficiently. However, the risk arises when IT doesn’t have visibility of the applications that are in use and is therefore unable to manage them, provide maintenance or monitor the kinds of data or other resources they may have access to. Data proves that in the case of financial services this challenge is real.

  • Data Loss and Inconsistent Data

Two of the main risks that stem from shadow IT are data loss and the proliferation of outdated data. Knowing what data you have and where that data is stored is the foundation of a strong cybersecurity programme. Shadow IT makes it much harder to work out where data is being stored as employees are using apps that IT has no sight of. This makes it harder to ensure that data is being stored in accordance with organisational and industry standards. In addition to IT not knowing what data is being stored in these separate applications, the data there is most likely not updated as often as the data stored in the corporate databases. This can mean that employees risk making business choices based on outdated information, which can jeopardise the financial health of the entire organisation.

  • Security

Even more alarming, research from Skyhigh Networks shows that only 7 percent of SaaS applications meet enterprise security standards, meaning that as employees bring applications into the network, the majority do not include the necessary security measures to provide regular updates, patches or data encryption. Factoring in any unexpected downtime, employees would also be prevented from completing tasks.

  • Compliance 

Likewise, the lack of security features in many shadow IT applications puts financial services firms at risk of being out of compliance with the many regulatory standards governing the industry, such as GDPR and DFS’ 23 NYCRR 500. Noncompliance can result in huge fines being levied against financial services firms, making compliance a top priority. Shadow IT undermines the efforts of IT teams who add additional controls to their data processing and storage practices to account for regulations. When data is stored in insecure applications without encryption, it is at a much greater risk of being hacked, with huge consequences.

Securing Shadow IT

Whilst organisations can work to minimise shadow IT, the reality is that it is unlikely that it can ever be fully mitigated. Simply locking down the network would hurt efficiency. Financial organisations must instead continue to discourage the use of shadow IT while also looking to add new security controls to the network which are able to see and secure shadow IT. Gartner predicts that by 2020 one-third of all successful cyberattacks will be carried out using shadow IT as an entryway, making the need to control shadow IT urgent. Critical controls must be implemented to ensure that no data is ever compromised as a result of these unknown and unvalidated assets.

To stay ahead of the curve, financial services firms can use next generation firewalls (NGFWs), along with cloud access security brokers (CASBs), and internal segmentation solutions.

NGFWs provide comprehensive visibility into north-south data movement within the network as well as into the cloud, giving IT teams visibility into who is accessing what data, and where it is being moved to. In addition to better insight, NGFWs can add multiple layers of security to identify at-risk devices and vulnerable applications entering the network. Deploying internal segmentation alongside NGFWs drives visibility deep into the core of the network, allowing for the active monitoring and protection of data moving laterally across the network. Combined with active security controls, internal segmentation helps IT teams to dynamically isolate portions of the network, including unknown applications. Isolating such applications to one area of the network protects the wider network from vulnerabilities. This allows financial services firms to curb the risks introduced by shadow IT.

CASBs are also integral to mitigating risks brought on by shadow IT. CASBs allow financial services IT teams to accurately visualise every application being used within the network, regardless of where it is housed or how it is being used. These applications can then be secured with IT’s own solutions. As a result, CASBs allow employees to take advantage of those solutions that make them more efficient, while ensuring compliance and security on the organisation’s terms.

Shadow IT poses a significant risk to organisations and is difficult to control. For financial services firms, this unmanaged IT could have major consequences for security, compliance, and operations. As IT teams look to control this trend, additional security controls that increase asset visibility, such as NGFWs and CASBs, are becoming critically important.

