Third-party risk series: Better the applications you know

In our second post of InfoTrust’s Third-Party Risk blog series, our Cyber Defence Team takes a look at organisations’ interactions with third-party software and applications. Specifically, the concept of Shadow IT, how it can exponentially increase a business’ third-party risk and steps organisations can take to improve security measures in the cloud.

Understanding Shadow IT 

“Shadow IT refers to IT devices, software, and services outside the ownership or control of IT organizations.” – Gartner 

Shadow IT is not a new concept for most, since its inception many years ago the stance is now that the majority of organisations experience shadow IT and it is inevitable.

As more organisations have migrated to the cloud, the issue of unsanctioned applications and sensitive data residing in unauthorised locations has only increased. On average organisations are using 1,295 applications and cloud services*. It’s estimated now that of these applications, 95%* of them are unmanaged and have been brought in to use within the business from other departments without IT consent or administration.

Most of the time these unsanctioned applications and cloud services have been brought in to the business to improve efficiencies or for collaboration purposes, and therefore the end-users are quite reluctant to stop using them or look at alternatives. Whilst they may improve efficacy, they are not always built with security in mind and this is why it is important for businesses to have an understanding of ALL the applications and services in use within their IT environment.

What’s the risk?

With all third party applications and software, there is a risk that businesses need to analyse, however this risk increases exponentially when IT/Security is not involved to assess whether the apps meet security requirements.

• Potential data loss – whether this is malicious due to an attacker being able to access the third party application, or accidental from not having an effective backup or recovery strategy in place. This can lead to some serious consequences if the information is business-critical.
• Increased risk of data breaches – vulnerabilities that may not be managed correctly, insufficient security controls set up for identity and privileged access, all open up your business to risk. Your end-users may also be connecting third-party services to your sanctioned apps, potentially creating a backdoor for attackers and increasing risk.
• Inefficiencies and expense – the application chosen may actually be less efficient than others available, but without thorough testing from IT your end-users may not know this. There is also potential unnecessary expense from your end-users purchasing additional services when your business may already have an application in place that is able to deliver the same outcome.
   

Allow don’t block

For many businesses their first thought might be to block the use of unsanctioned applications, this would make your IT infrastructure secure right? But there are a few things that should be considered before you press the block button.

Legacy security solutions such as firewalls and secure web gateways (SWGs) were not created with the modern workforce in mind. More than 50% of cloud usage* now takes place with end-users outside of the traditional perimeter, via mobile and remote access. Traditional security tools were not built with this in mind and often will not be able to pick up those unsanctioned apps being used beyond the traditional business perimeter.

Additionally, blocking an application or software can result in end-users finding an alternative option. Thus bringing you back to square one and not resolving the issue. By allowing your workforce to use their key third party applications, after you have reviewed their security controls meet your business standards, means that you can enable your end-users productivity and ability to work effectively.

Enabling your workforce

Next-generation cloud security solutions provide the ability for end-users to utilise their preferred third-party apps and cloud services, without the business compromising on security controls.

• Understanding the size of your shadow IT – by utilising a Cloud Access Security Broker (CASB) technology you are able to gain insight into what applications are being used, and how they are being used by the business. A good CASB platform will also be able to provide information on data movement as well as a comprehensive risk dashboard of those apps.
• Choose your apps wisely – once you have a full understanding of the situation you are then able to go about identifying where risks to your business lie and choosing the correct applications that meet your security requirements, as well as other business needs. Organisations can also consolidate redundant technologies, creating efficiencies and savings.
• Enable more sophisticated security controls – further data loss prevention and security policies can be created to ensure applications and their users are compliant with security standards.
   

InfoTrust partners with Netskope, who provide a Next Generation CASB solution. This solution enables businesses to allow the use of unsanctioned, but permitted, apps whilst remaining secure. Netskope gives full control of SaaS, IaaS and web from one cloud-native that is scalable and provides advanced threat protection, and 360 data protection through award-winning DLP and encryption.

To find out more about how InfoTrust and Netskope can help your organisation secure your third-party apps and cloud services contact us today.

*Netskope – Shift your Web Security to the Cloud, for the Cloud White Paper

Cloud Security

Share