
We have all heard the warnings concerning the widespread use of unauthorized SaaS applications and the potential dangers in terms of security and loss of productivity that come with a laissez-faire attitude toward “shadow SaaS.” Yet even employees who best understand the complications of shadow IT continue to take serious risks.

Indeed, the next time your customer shrugs off a pitch for adopting SaaS management tools, let them know that nearly a quarter of 250 security professionals surveyed at both RSA Conference 2024 and Infosecurity Europe 2024 admitted to using unauthorized SaaS applications in the past year. This despite being acutely aware of the associated risks such as data loss, lack of visibility and control, and data breaches.

What’s more, one in 10 of these security professionals acknowledged that their organization actually had suffered a data breach or data loss as a direct result of using unauthorized tools, highlighting the real-world consequences of this widespread practice among security professionals.

“This statistic is especially striking because it reveals that the very individuals tasked with maintaining an organization’s security are frequently engaging in behavior that they know could compromise that security,” said executives at Next DLP, which commissioned the survey.

The research also found that 40 percent of security professionals do not think employees properly understand the data security risks associated with shadow SaaS usage, and a slightly smaller 37 percent of respondents said their companies had developed clear policies and consequences for using these tools. Even fewer (28 percent) promote approved alternatives to combat usage. Indicating a somewhat dire need for more awareness and education, nearly one-fifth of security professionals, meanwhile, were unaware of whether their company had updated policies or provided training on these risks.
Further complicating matters, the decentralized nature of SaaS applications has blurred the lines in terms of where the responsibility lies when it comes to SaaS security, control and decision-making, suggest findings from a separate survey by app security company AppOmni. Once a centralized affair in which computing infrastructure was hosted on-site with controlled access, the governance of SaaS applications has dispersed across the cloud, different devices and various personas.

While at the same time empowering employees and departments across an organization, SaaS self-accessibility also means “each department within large enterprises is increasingly operating as its own tech hub,” warned AppOmni executives.

In turn, 50 percent of respondents indicated that, in their organization, the responsibility for securing SaaS rests entirely on the business owner or stakeholder. Only 15 percent of organizations indicated that responsibility for SaaS security is centralized in the organization’s cybersecurity team. The remaining third said it was a shared responsibility between the business user and the cybersecurity team.

On the other hand, when things go wrong, the blame is much more concentrated.

“When SaaS data breaches occur, stakeholders still look to the chief information security officer (CISO) for answers and solutions. They bear the brunt of the fallout, not the individual business units who’ve adopted and implemented the SaaS apps,” said executives at AppOmni.

Surely that will grab the attention of C-suite members who balk at the need to monitor, secure and control shadow SaaS in their organizations.

Lost in the Shadows
Nightmare scenarios unfolding due to insufficient SaaS management
By Martin Vilaboy

How well do you think employees understand the data security risks associated with Shadow SaaS and Shadow AI?
Very well: 12.6%
Somewhat well: 42.3%
Not very well: 33.6%
Not at all: 5.5%
Don’t know: 6%
Source: Next DLP

How confident are you in your organization’s ability to detect employees’ use of Shadow SaaS apps?
Very confident: 16.7%
Confident: 29.7%
Somewhat confident: 29.3%
Not very confident: 13%
Not confident at all: 4%
Don’t know: 7.3%
Source: Next DLP

AT YOUR SERVICE: XaaS 54 CHANNELVISION | SEPTEMBER - OCTOBER 2024
