Third-party risk series: Better the applications you know
In the second post of InfoTrust’s Third-Party Risk blog series, our Cyber Defence Team looks at how organisations interact with third-party software and applications. Specifically, we cover the concept of Shadow IT, how it can sharply increase a business’s third-party risk, and the steps organisations can take to improve their security posture in the cloud.
Understanding Shadow IT
“Shadow IT refers to IT devices, software, and services outside the ownership or control of IT organizations.” – Gartner
Shadow IT is not a new concept for most. Since the term was coined many years ago, the accepted view has become that the majority of organisations experience shadow IT and that some degree of it is inevitable.
As more organisations have migrated to the cloud, the problem of unsanctioned applications and sensitive data residing in unauthorised locations has only grown. On average, organisations use 1,295 applications and cloud services*. It is now estimated that 95%* of these applications are unmanaged and were brought into the business by other departments without IT consent or administration.
Most of the time these unsanctioned applications and cloud services were brought into the business to improve efficiency or to enable collaboration, so end-users are understandably reluctant to stop using them or to consider alternatives. Whilst they may improve efficiency, they are not always built with security in mind, which is why it is important for businesses to have an understanding of ALL the applications and services in use within their IT environment.
What’s the risk?
All third-party applications and software carry a risk that businesses need to analyse; that risk increases sharply when IT/Security is not involved to assess whether the apps meet security requirements.
- Potential data loss – whether malicious, because an attacker is able to access the third-party application, or accidental, because no effective backup or recovery strategy is in place. This can have serious consequences if the information is business-critical.
- Increased risk of data breaches – vulnerabilities that are not managed correctly and insufficient security controls for identity and privileged access all expose your business to risk. Your end-users may also be connecting third-party services to your sanctioned apps (for example via OAuth integrations), potentially creating a backdoor for attackers and increasing risk further.
- Inefficiencies and expense – the application chosen may actually be less efficient than others available, but without thorough testing from IT your end-users may not know this. There is also the potential for unnecessary expense when end-users purchase additional services even though the business already has an application in place that delivers the same outcome.
Allow don’t block
For many businesses the first instinct is to block the use of unsanctioned applications. That would make your IT infrastructure secure, right? There are a few things to consider before you press the block button.
Legacy security solutions such as firewalls and secure web gateways (SWGs) were not designed with the modern workforce in mind. More than 50% of cloud usage* now takes place with end-users outside the traditional perimeter, via mobile and remote access, and perimeter-based tools often cannot see the unsanctioned apps being used from those locations at all.
Additionally, blocking an application often just results in end-users finding an alternative, which brings you back to square one without resolving the issue. Allowing your workforce to use their key third-party applications, once you have reviewed that their security controls meet your business standards, lets you preserve end-user productivity and their ability to work effectively.
Enabling your workforce
Next-generation cloud security solutions provide the ability for end-users to utilise their preferred third-party apps and cloud services, without the business compromising on security controls.
- Understand the size of your shadow IT – Cloud Access Security Broker (CASB) technology gives you insight into which applications are being used, and how they are being used, across the business. A good CASB platform will also report on data movement and provide a comprehensive risk dashboard for those apps.
- Choose your apps wisely – once you have a full understanding of the situation, you can identify where the risks to your business lie and choose the applications that meet your security requirements as well as your other business needs. Organisations can also consolidate redundant technologies, creating efficiencies and savings.
- Enable more sophisticated security controls – additional data loss prevention and security policies can then be created to ensure applications and their users remain compliant with your security standards.
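The discovery step above is, at its core, a log-analysis problem: take the egress records you already have, map each destination host to a cloud application, and compare the result against the list of apps IT has sanctioned. The Python below is an added illustration of that approach, not InfoTrust's or Netskope's code. The log format, the hostnames, the app catalogue and the sanctioned list are all constructed for the example; a real CASB uses a catalogue of thousands of apps and enriches each with a risk score. One caveat the post itself raises applies here too: this only sees traffic that passed through the proxy, so remote and mobile users who bypass the perimeter will not appear in the report.

```python
"""
Shadow-IT discovery from web-proxy logs (illustrative example, not a vendor's code).

Approach: parse egress log lines, map each host to an application via a
catalogue, aggregate users and upload volume per app, then flag any app
that is not on the sanctioned list.  Log format and catalogue are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: tab-separated fields (user, method, host, bytes_sent).
SAMPLE_LOG = """\
alice\tPOST\tdrive.example-sanctioned.com\t5242880
bob\tPOST\tupload.quickshare-app.example\t10485760
alice\tGET\tmail.example-sanctioned.com\t512
carol\tPOST\tupload.quickshare-app.example\t2097152
dave\tPOST\tapi.notes-saas.example\t4096
bob\tGET\tintranet.corp.example\t128
"""

# Hypothetical app catalogue: registrable domain -> application name.
APP_CATALOGUE = {
    "example-sanctioned.com": "CorpSuite",
    "quickshare-app.example": "QuickShare",
    "notes-saas.example": "NotesSaaS",
}

# Apps that IT has reviewed and approved (constructed for the example).
SANCTIONED_APPS = {"CorpSuite"}


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    bytes_uploaded: int = 0
    requests: int = 0


def classify_host(host):
    """Return the catalogue app for a host (exact or subdomain match), else None."""
    for domain, app in APP_CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None


def parse_line(line):
    """Split one log line into (user, method, host, bytes_sent)."""
    user, method, host, sent = line.rstrip("\n").split("\t")
    return user, method, host, int(sent)


def discover(log_text):
    """Aggregate per-app usage; hosts not in the catalogue (e.g. intranet) are skipped."""
    usage = defaultdict(AppUsage)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, method, host, sent = parse_line(line)
        app = classify_host(host)
        if app is None:
            continue
        entry = usage[app]
        entry.users.add(user)
        entry.requests += 1
        if method in ("POST", "PUT"):  # count only request bodies as uploads
            entry.bytes_uploaded += sent
    return dict(usage)


def shadow_it_report(log_text, sanctioned=SANCTIONED_APPS):
    """Return {app: {sanctioned, users, mb_uploaded}}, highest upload volume first."""
    usage = discover(log_text)
    report = {}
    ordered = sorted(usage.items(), key=lambda kv: kv[1].bytes_uploaded, reverse=True)
    for app, entry in ordered:
        report[app] = {
            "sanctioned": app in sanctioned,
            "users": len(entry.users),
            "mb_uploaded": round(entry.bytes_uploaded / (1024 * 1024), 2),
        }
    return report


def unsanctioned_apps(report):
    """Names of apps seen in the logs that IT has not sanctioned."""
    return [app for app, info in report.items() if not info["sanctioned"]]


if __name__ == "__main__":
    rep = shadow_it_report(SAMPLE_LOG)
    for app, info in rep.items():
        flag = "OK " if info["sanctioned"] else "UNSANCTIONED"
        print(f"{flag} {app:<12} users={info['users']} uploaded={info['mb_uploaded']} MB")
```

Sorting by upload volume is deliberate: an unsanctioned file-sharing app with two users pushing 12 MB out is a more urgent review item than a note-taking app with a few kilobytes, and that is the kind of prioritisation a CASB risk dashboard is meant to give you.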
InfoTrust partners with Netskope, who provide a Next Generation CASB solution. This solution enables businesses to allow the use of unsanctioned, but permitted, apps whilst remaining secure. Netskope gives full control of SaaS, IaaS and web from one scalable, cloud-native platform, and provides advanced threat protection and 360-degree data protection through award-winning DLP and encryption.
To find out more about how InfoTrust and Netskope can help your organisation secure its third-party apps and cloud services, contact us today.
*Netskope – Shift your Web Security to the Cloud, for the Cloud White Paper