The Risks of Shadow IT at Financial Services Firms

  • Steve Mulhearn , Director of Enhanced Technologies at Fortinet

  • 07.06.2018 12:00 pm
  • undisclosed

Businesses across all verticals are dealing with the fallout from shadow IT, whether they realise it or not. Shadow IT refers to technology which is brought into an organisation by individual employees and business units without the knowledge or consent of corporate IT teams. Fuelled in part by its ease of purchase and deployment, SaaS applications are largely to blame for the impressive growth of Shadow IT. According to a recent survey from the Cloud Security Alliance, 72 percent of executives are unaware of how many shadow applications are in use within their organisation.

For financial services firms, the risks of shadow IT are compounded by the high value of the data within the organisation and the strict regulatory standards with which they must comply.  As the growth of shadow IT is showing no signs of slowing

The motivation to adopt shadow IT is usually well-intentioned. It’s understandable that employees would want to use applications which enable them to do their jobs more efficiently. However, the risk arises when IT doesn’t have visibility of the applications that are in use and is therefore unable to manage them, provide maintenance or monitor the kinds of data or other resources they may have access to. Data proves that in the case of financial services this challenge is real.

Data Loss and Inconsistent Data

Two of the main risks that stem from shadow IT are data loss and the proliferation of outdated data. Knowing what data you have and where that data is stored is the foundation of a strong cybersecurity programme. Shadow IT makes it much harder to work out where data is being stored, as employees are using apps that IT has no sight of. This makes it harder to ensure that data is being stored in accordance with organisational and industry standards. In addition to IT not knowing what data is being stored in these separate applications, the data there is most likely not updated as often as the data stored in the corporate databases. This can mean that employees risk making business choices based on outdated information, which can jeopardise the financial health of the entire organisation.

Security

Even more alarming, research from Skyhigh Networks shows that only 7 percent of SaaS applications meet enterprise security standards. This means that as employees bring applications into the network, the majority lack the necessary security measures to provide regular updates, patches or data encryption. Factoring in any unexpected downtime of these applications, employees would also be prevented from completing tasks.

Compliance

Likewise, the lack of security features in many shadow IT applications puts financial services firms at risk of being out of compliance with the many regulatory standards governing the industry, such as GDPR and DFS’ 23 NYCRR 500. Noncompliance can result in huge fines being levied against financial services firms, making compliance a top priority. Shadow IT undermines the efforts of IT teams who add additional controls to their data processing and storage practices to account for regulations. When data is stored in insecure applications without encryption, it is at a much greater risk of being hacked, with huge consequences.

Securing Shadow IT

Whilst organisations can work to minimise shadow IT, the reality is that it is unlikely that it can ever be fully mitigated. Simply locking down the network would hurt efficiency. Financial organisations must instead continue to discourage the use of shadow IT while also looking to add new security controls to the network which are able to see and secure shadow IT. Gartner predicts that by 2020 one-third of all successful cyberattacks will be carried out using shadow IT as an entryway, making the need to control shadow IT urgent. Critical controls must be implemented to ensure that no data is ever compromised as a result of these unknown and invalidated assets.

To stay ahead of the curve, financial services firms can use next generation firewalls (NGFWs), along with cloud access security brokers (CASBs), and internal segmentation solutions.

NGFWs provide comprehensive visibility into north-south data movement within the network as well as into the cloud, giving IT teams visibility into who is accessing what data, and where it is being moved to. In addition to better insight, NGFWs can add multiple layers of security to identify at-risk devices and vulnerable applications entering the network. Deploying internal segmentation alongside NGFWs drives visibility deep into the core of the network, allowing for the active monitoring and protection of data moving laterally across the network. Combined with active security controls, internal segmentation helps IT teams to dynamically isolate portions of the network, including unknown applications. Isolating such applications to one area of the network protects the wider network from vulnerabilities. This allows financial services firms to curb the risks introduced by shadow IT.

CASBs are also integral to mitigating risks brought on by shadow IT. CASBs allow financial services IT teams to accurately visualise every application being used within the network, regardless of where it is housed or how it is being used. These applications can then be secured with IT’s own solutions. As a result, CASBs allow employees to take advantage of those solutions that make them more efficient, while ensuring compliance and security on the organisation’s terms.
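The application discovery that the two paragraphs above attribute to NGFW logging and CASBs boils down to comparing observed egress destinations against a sanctioned-app inventory. The following is an added example, not code from the article or from Fortinet; it assumes a constructed proxy/NGFW log export with space-separated fields (timestamp, user, destination host, bytes sent, bytes received) and a constructed inventory of approved SaaS domains.

```python
# Shadow SaaS discovery from egress logs. Added example, not from the article or
# Fortinet. Assumes a constructed proxy/NGFW export with space-separated fields:
# timestamp, user, destination host, bytes sent, bytes received.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sanctioned-app inventory: domain -> approved application.
SANCTIONED = {
    "sharepoint.com": "M365 SharePoint",
    "salesforce.com": "Salesforce CRM",
    "corp.example": "internal systems",
}

# Constructed sample log lines; no real users or traffic.
SAMPLE_LOG = """\
2018-06-05T09:12:01 alice tenant.sharepoint.com 20480 4096
2018-06-05T09:14:22 bob files.dropbox.com 5242880 1024
2018-06-05T09:15:03 carol login.salesforce.com 2048 8192
2018-06-05T09:20:45 bob files.dropbox.com 10485760 512
2018-06-05T09:31:10 dave app.trello.com 1024 4096
2018-06-05T10:02:00 alice intranet.corp.example 512 2048
"""

@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    bytes_out: int = 0
    hits: int = 0

def is_sanctioned(host: str) -> bool:
    """True if host equals, or is a subdomain of, an inventory entry."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)

def find_shadow_apps(log_text: str) -> dict[str, AppUsage]:
    """Aggregate users, hits and upload volume per unsanctioned destination."""
    shadow: dict[str, AppUsage] = defaultdict(AppUsage)
    for line in log_text.splitlines():
        _ts, user, host, sent, _recv = line.split()
        if not is_sanctioned(host):
            shadow[host].users.add(user)
            shadow[host].bytes_out += int(sent)
            shadow[host].hits += 1
    return dict(shadow)

def high_upload_apps(shadow: dict[str, AppUsage], threshold: int) -> list[str]:
    """Unsanctioned destinations whose total upload exceeds threshold bytes."""
    return sorted(h for h, u in shadow.items() if u.bytes_out > threshold)
```

On the constructed log, `find_shadow_apps(SAMPLE_LOG)` reports `files.dropbox.com` (one user, 15 MiB sent) and `app.trello.com`, and `high_upload_apps(found, 1_000_000)` narrows the review queue to the Dropbox host. The suffix match deliberately rejects look-alike domains such as `notsalesforce.com`.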

Shadow IT poses a significant risk to organisations and is difficult to control. For financial services firms, this unmanaged IT could have major consequences for security, compliance, and operations. As IT teams look to control this trend, additional security controls that increase asset visibility, such as NGFWs and CASBs, are becoming critically important.
