The great threat to financial services goes undetected


Financial services will always be a target for hackers seeking to get their hands on lucrative assets. But as the sector continues to digitise, organisations risk increasing the number of entry points that increasingly sophisticated cyber criminals can take advantage of.

 

Highlights

  • Why is this such a headache exactly? By not getting approval on SaaS, the IT team have no visibility and no understanding of how to properly secure the software. All companies face concerns with Shadow IT, but it is financial services that are most at risk due to the huge amount of sensitive data the industry holds on individuals.

  • A growing cause for concern is the rise in ‘Shadow IT’, as the adoption of cloud-based services increases. This is where users download and use apps and services from the cloud to assist them in their work, without consulting or getting approval from IT first. This is a problem which has been exacerbated by the shift to working from home and the new hybrid workplace, with employees working outside the traditional office perimeters and purview of the IT team. In fact, recent research has found there are 3 to 4 times more SaaS apps in use at a company than the IT department is aware of, on average.

Shadow IT, through the seismic shift towards cloud and SaaS, is a huge threat to financial services if it’s not dealt with correctly. So, what do organisations need to consider moving forward?

One small security slip-up, like an app flying under the radar of IT and subsequently going unprotected, is enough to let the hackers in. This could have huge ramifications, like a breach of consumers’ data, including bank account information. Not only could it be hugely damaging to banks’ reputations, but it could also bring heavy financial losses to those in the industry.

Lurking in the shadows

Shadow IT makes it difficult to determine where data is stored, and who has access to it, resulting in a lack of control, financial risks, compliance issues and potential data loss and data leaks.

The problem is huge across industries. According to Gartner, Shadow IT is taking up 30-40% of overall IT spending for large enterprises – meaning close to half of IT budgets are being spent on tools that teams and business units are purchasing and using without the IT department’s knowledge. How might this impact overall revenue? A lot of unapproved software and services may duplicate the functionality of approved ones, meaning your company spends money inefficiently. Research by Deloitte shows that on average companies are spending 3.28% of their revenue on IT. Banking and security firms were found to be spending the most (7.16%), with construction companies spending the least.

Shadow IT apps are inherently less secure than their counterparts because they have not been properly vetted, and therefore fall by the wayside when it comes to an organisation’s security. This dramatically increases the risk of data breaches. Gartner predicts that by 2022, one-third of successful attacks experienced by enterprises will be on their Shadow IT resources. If we use Ponemon’s average breach cost of $3.86M and an average annual breach probability of 27.2%, the expected breach cost is roughly $1.05M a year; attributing one-third of that to Shadow IT means it may be costing organisations as much as $350,000 per year in breach-related risk costs.

Keeping up with SaaS

So, how can the SaaS footprint be tracked? This goes well beyond core enterprise apps and spreadsheets, which can never achieve full visibility. In fact, a spreadsheet captures only a fraction of what’s out there, and the moment it is updated, it’s likely another app will fly under the radar and make it out of date. This approach is both time-consuming and filled with inaccuracies.

For example, if a finance director, through a cloud file storage app, shared a root-level folder with outside parties, this would inadvertently provide access to detailed financial statements that would never be released publicly or shared. Salaries, profit and loss, and more would be unintentionally exposed. In addition, the finance director’s team files, folders, and discussions would be made completely public rather than internal and read-only. This makes financial files and other sensitive information indexable by search engines, and the fault lies with the CISO and CIO, rather than the finance director.

Overcoming Shadow IT requires organisations to shine a light directly on SaaS access risk. Technology such as identity security can achieve this, identifying ungoverned SaaS apps and then extending the right security controls to ensure only the right people have access to those apps. Subsequently, this enables the IT team to quickly find and bring SaaS apps under governance, with the visibility and intelligence needed to understand who has access and how that access is being used. They can then remove or alter access that is either excessive or no longer needed.
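The governance step described above can be sketched as an audit of access grants against IT's sanctioned-app inventory. This is an added example, not code from the article or any vendor; the app names, record fields, scope names and the 90-day threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: IT's sanctioned-app inventory and OAuth grant
# records as an identity provider might export them (field names hypothetical).
SANCTIONED = {"corp-crm", "corp-mail"}
GRANTS = [
    {"user": "alice", "app": "corp-crm", "scopes": ["read"], "last_used": "2024-05-28"},
    {"user": "bob", "app": "taskboard-x", "scopes": ["files.read_all"], "last_used": "2024-05-30"},
    {"user": "carol", "app": "taskboard-x", "scopes": ["profile"], "last_used": "2024-01-10"},
    {"user": "dave", "app": "pdf-merge", "scopes": ["files.write_all"], "last_used": "2023-11-02"},
    {"user": "erin", "app": "corp-mail", "scopes": ["mail.read"], "last_used": "2023-12-01"},
]
BROAD_SCOPES = {"files.read_all", "files.write_all"}  # assumed high-risk scopes
STALE_AFTER_DAYS = 90  # assumed review threshold


def audit(grants, sanctioned, today):
    """Return (ungoverned apps with their users and risk, stale grants to review)."""
    ungoverned = defaultdict(lambda: {"users": set(), "broad": False})
    stale = []
    for g in grants:
        idle = (today - date.fromisoformat(g["last_used"])).days
        if idle > STALE_AFTER_DAYS:
            # Access that is no longer used, whether or not the app is sanctioned
            stale.append((g["user"], g["app"], idle))
        if g["app"] not in sanctioned:
            entry = ungoverned[g["app"]]
            entry["users"].add(g["user"])
            entry["broad"] |= bool(BROAD_SCOPES & set(g["scopes"]))
    return dict(ungoverned), sorted(stale)


def report(grants=GRANTS, sanctioned=SANCTIONED, today=date(2024, 6, 1)):
    """Human-readable findings: broad-scope apps first, then by user count."""
    ungoverned, stale = audit(grants, sanctioned, today)
    ranked = sorted(ungoverned.items(),
                    key=lambda kv: (not kv[1]["broad"], -len(kv[1]["users"])))
    lines = []
    for app, e in ranked:
        tag = "BROAD-SCOPE" if e["broad"] else "limited"
        lines.append(f"ungoverned {app}: {len(e['users'])} user(s), {tag}")
    for user, app, idle in stale:
        lines.append(f"stale grant {user} -> {app}: idle {idle} days")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The stale-grant check deliberately covers sanctioned apps too, since access that is no longer needed is a risk regardless of whether IT approved the app.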

Reducing threat through identity security

Another situation is when a company is unknowingly running multiple duplicate project management apps outside of IT’s purview, spread throughout the company. This creates massive cost overlap and security vulnerabilities. How much sensitive data may have been stored in the other apps? These examples are all too common across companies.