As SaaS grows, financial services must rethink their security approach
By Ben Bulpett, Identity Platform Director, EMEA, SailPoint
The financial services industry is facing an increasing number of issues related to the adoption of cloud-based services. The growth of cloud and SaaS has accelerated with the consumerisation of information technology, along with the shift to working from home. Users have become comfortable downloading and using apps and services from the cloud to assist them in their work, but often without explicit IT departmental approval. In fact, on average there are 3 to 4 times more SaaS apps in use at a company than the IT department is aware of. This is known as ‘Shadow IT’, and while it can cause headaches for any industry, financial services face the greatest threat.
The data that banks hold on an individual is far more sensitive than that held by other industries. When SaaS is adopted without approval, the IT team has no visibility of it and no understanding of how to properly secure the software. One small security slip-up and consumers can be left with very little. But it’s not just about bad security and the reputational damage that comes with it. Shadow IT can also cause heavy financial loss.
The risks with Shadow IT
Shadow IT takes up a whopping 30 to 40% of overall IT spending for large enterprises, according to Gartner. This means that nearly half your IT budget is being spent on tools that teams and business units are purchasing (and using) without the IT department’s knowledge. A lot of unapproved software and services may duplicate the functionality of approved ones, meaning your company spends money inefficiently. How does this impact overall revenue? While it depends on the industry, on average companies spend 3.28% of their revenue on IT, according to a recent study by Deloitte Insights. Banking and securities firms spend the most (7.16%) and construction companies spend the least (1.51%).
Additionally, Shadow IT comes with a higher risk of security and compliance complications because the tools are not properly vetted. These risks include a lack of security controls, which can lead to data breaches. Your IT team is unable to ensure the security of the software or services, and can’t manage them effectively or run updates. Gartner predicts that by 2022, one-third of successful attacks experienced by enterprises will be on their shadow IT resources. If we use Ponemon’s average breach cost of $3.86M and average probability of a breach at 27.2% annually, Shadow IT may be costing you as much as $350,000 per year in breach-related risk costs.
Keeping track of SaaS
Tracking your SaaS footprint has to go beyond listing core enterprise apps in a spreadsheet, because that is not complete visibility. It’s a fraction of what’s out there, and the moment that spreadsheet is updated it’s already out of date. This approach is both time-consuming and filled with inaccuracies.
For example, if a finance director shares a root-level folder of a cloud file storage app with outside parties, this inadvertently provides access to detailed financial statements that would never be released publicly or shared. Salaries, profit and loss, and more would be unintentionally exposed. In addition, the finance director’s team files, folders, and discussions would be made completely public rather than internal and read-only. This makes financial files and other sensitive information indexable by search engines, and the fault lies with the CISO and CIO, rather than the finance director.
Similarly, when a company is unknowingly running multiple duplicate project management apps outside of IT’s purview, spread throughout the company, this creates massive cost overlap and security vulnerabilities. How much sensitive data may have been stored in the other apps? These examples are all too common, and probably true at your own company.
Shining a light using identity security
Organisations can shine a light on Shadow IT and SaaS access risk, and ultimately gain visibility of the full scope of ungoverned SaaS applications, by using technology such as identity security. This allows them to drive a seamless process from discovery to governance across the entirety of their SaaS app landscape, and to wrap the right security controls around every newly discovered SaaS app (and the data within).
Not only does this help companies shut down issues around Shadow IT across the business, it also enables them to save hundreds of thousands of pounds each year.
It’s estimated that by 2022, nearly 90% of organisations will rely almost entirely on SaaS apps to run their business. In this new era of working, the only way to fully protect today’s cloud enterprise is by first discovering all of these hidden SaaS applications and then applying the very same identity governance controls that are already in place for the rest of the critical business applications.
There is no room for mistakes. By addressing Shadow IT and SaaS access risk and having deeper visibility of the full scope of ungoverned SaaS applications, the financial services industry can save hundreds of thousands of pounds each year and, most importantly, keep its customers protected.