The Risks of Shadow IT at Financial Services Firms

Steve Mulhearn

Director of Enhanced Technologies at Fortinet



07.06.2018 12:00 pm

Businesses across all verticals are dealing with the fallout from shadow IT, whether they realise it or not. Shadow IT refers to technology which is brought into an organisation by individual employees and business units without the knowledge or consent of corporate IT teams. Fuelled in part by their ease of purchase and deployment, SaaS applications are largely to blame for the impressive growth of shadow IT. According to a recent survey from the Cloud Security Alliance, 72 percent of executives are unaware of how many shadow applications are in use within their organisation.

For financial services firms, the risks of shadow IT are compounded by the high value of the data within the organisation and the strict regulatory standards with which they must comply. As the growth of shadow IT is showing no signs of slowing

The motivation to adopt shadow IT is usually well-intentioned. It’s understandable that employees would want to use applications which enable them to do their jobs more efficiently. However, the risk arises when IT doesn’t have visibility of the applications that are in use and is therefore unable to manage them, provide maintenance or monitor the kinds of data or other resources they may have access to. Data proves that in the case of financial services this challenge is real.

Data Loss and Inconsistent Data

Two of the main risks that stem from shadow IT are data loss and the proliferation of outdated data. Knowing what data you have and where that data is stored is the foundation of a strong cybersecurity programme. Shadow IT makes it much harder to work out where data is being stored, as employees are using apps that IT has no sight of. This makes it harder to ensure that data is being stored in accordance with organisational and industry standards. In addition to IT not knowing what data is being stored in these separate applications, the data there is most likely not updated as often as the data stored in the corporate databases. This can mean that employees risk making business choices based on outdated information, which can jeopardise the financial health of the entire organisation.

Security

Even more alarming, research from Skyhigh Networks shows that only 7 percent of SaaS applications meet enterprise security standards. This means that as employees bring applications into the network, the majority do not include the necessary security measures to provide regular updates, patches or data encryption. Factoring in any unexpected downtime, employees would also be prevented from completing tasks.

Compliance

Likewise, the lack of security features in many shadow IT applications puts financial services firms at risk of being out of compliance with the many regulatory standards governing the industry, such as GDPR and DFS’ 23 NYCRR 500. Noncompliance can result in huge fines being levied against financial services firms, making compliance a top priority. Shadow IT undermines the efforts of IT teams who add additional controls to their data processing and storage practices to account for regulations. When data is stored in insecure applications without encryption, it is at a much greater risk of being hacked, with huge consequences.

Securing Shadow IT

Whilst organisations can work to minimise shadow IT, the reality is that it is unlikely that it can ever be fully mitigated. Simply locking down the network would hurt efficiency. Financial organisations must instead continue to discourage the use of shadow IT while also looking to add new security controls to the network which are able to see and secure shadow IT. Gartner predicts that by 2020 one-third of all successful cyberattacks will be carried out using shadow IT as an entryway, making the need to control shadow IT urgent. Critical controls must be implemented to ensure that no data is ever compromised as a result of these unknown and unvalidated assets.

To stay ahead of the curve, financial services firms can use next generation firewalls (NGFWs), along with cloud access security brokers (CASBs), and internal segmentation solutions.

NGFWs provide comprehensive visibility into north-south data movement within the network as well as into the cloud, giving IT teams visibility into who is accessing what data, and where it is being moved to. In addition to better insight, NGFWs can add multiple layers of security to identify at-risk devices and vulnerable applications entering the network. Deploying internal segmentation alongside NGFWs drives visibility deep into the core of the network, allowing for the active monitoring and protection of data moving laterally across the network. Combined with active security controls, internal segmentation helps IT teams to dynamically isolate portions of the network, including unknown applications. Isolating such applications to one area of the network protects the wider network from vulnerabilities. This allows financial services firms to curb the risks introduced by shadow IT.

CASBs are also integral to mitigating risks brought on by shadow IT. CASBs allow financial services IT teams to accurately visualise every application being used within the network, regardless of where it is housed or how it is being used. These applications can then be secured with IT’s own solutions. As a result, CASBs allow employees to take advantage of those solutions that make them more efficient, while ensuring compliance and security on the organisation’s terms.
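The discovery step that NGFWs and CASBs perform, reduced to its essence, as an added example that is not Fortinet's or any vendor's code: web-proxy records are compared against IT's sanctioned-application inventory, and every unsanctioned destination is reported with the users behind it and the volume of data leaving through it. The log format, the domains and the inventory are constructed for illustration.

```python
"""Shadow-SaaS discovery from proxy logs (illustrative example, not a product's code).

Assumed log format (constructed): "<timestamp> <user> <dest_host> <bytes_out>".
Hosts not in IT's sanctioned inventory are aggregated per destination.
"""
from collections import defaultdict

# Constructed inventory of SaaS domains IT has approved (hypothetical names)
SANCTIONED = {"mail.example-bank.internal", "crm.approved-vendor.example"}

# Constructed sample proxy lines
SAMPLE_LOG = """\
2018-06-07T09:01:12Z alice mail.example-bank.internal 2048
2018-06-07T09:02:40Z bob notes.unsanctioned-app.example 51200
2018-06-07T09:03:05Z carol notes.unsanctioned-app.example 4096000
2018-06-07T09:04:21Z alice share.freefile.example 10485760
2018-06-07T09:05:00Z dave crm.approved-vendor.example 512
"""

def parse_line(line):
    """Return (user, host, bytes_out) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2].lower(), int(parts[3])

def discover_shadow_apps(log_text, sanctioned=SANCTIONED):
    """Map each unsanctioned host to its distinct users and total bytes uploaded."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed records rather than crash
        user, host, bytes_out = rec
        if host in sanctioned:
            continue                      # approved app: visibility already exists
        findings[host]["users"].add(user)
        findings[host]["bytes_out"] += bytes_out
    return dict(findings)

def report(findings, upload_threshold=1_000_000):
    """Rank shadow apps by upload volume; flag those above a data-loss threshold."""
    rows = []
    for host, f in sorted(findings.items(), key=lambda kv: -kv[1]["bytes_out"]):
        flag = "REVIEW" if f["bytes_out"] >= upload_threshold else "monitor"
        rows.append((host, len(f["users"]), f["bytes_out"], flag))
    return rows

if __name__ == "__main__":
    for host, n_users, total, flag in report(discover_shadow_apps(SAMPLE_LOG)):
        print(f"{flag:8} {host:35} users={n_users} bytes_out={total}")
```

In practice the inventory would come from IT's asset register and the records from the NGFW or proxy export, but the join and the per-application aggregation are the same.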

Shadow IT poses a significant risk to organisations and is difficult to control. For financial services firms, this unmanaged IT could have major consequences for security, compliance, and operations. As IT teams look to control this trend, additional security controls that increase asset visibility, such as NGFWs and CASBs, are becoming critically important.
