When employees work in an office setting, they operate under a certain number of protections. There is likely a secure network connection, up-to-date software defenses, and a team in charge of monitoring threats and educating employees on risky behavior. The shielding of company (and even more importantly, customer) data is of utmost importance. Even in this setting, the number of employees who admit to using unauthorized apps, devices, or other technologies is approximately 40% at any given time. Nearly half of all employees are engaging in risky behavior. And that's just when they're in the office.
Now, with the influx of people working from home and operating outside normal, secure on-premises parameters, the likelihood of experiencing cybercrime has increased. Some experts predict that by the end of 2020, shadow IT will be responsible for one in three security breaches. An increasing concern in the world of shadow IT is the rise of fake SaaS-connect applications. While banning employees from downloading these and other types of apps would undoubtedly reduce the threat, a more effective method probably lies in between no apps and free rein.
Here are four rules and three tools that can help you control this rogue behavior and minimize the risk fake SaaS apps pose to your company.
Rule 1: Openly Allow the Use of Third-Party Apps
To develop structure around the use of these apps, you have to acknowledge they're being used. Banning the practice entirely creates an environment where people refuse to ask for help, especially if something seems amiss. By explicitly recognizing the ongoing use of third-party apps, you can build in mandatory rules that make their usage much safer for the company as a whole.
To create a list of mandates, it's essential to know which apps post the most risk to the organization. Utilizing a third-party software system that can track which apps are downloaded and rank those apps based on assumed risk is recommended.
Rule 2: Generate a List of Approved and Banned Apps
Once you have visibility into the number and types of apps living on the devices throughout your network, you can assess which are compliant with your organization's privacy and security policies. Making a public list of which apps are allowed (and which should be deleted) is an excellent way to encourage the use of safe apps and even introduce your employees to new options that may make them more productive. If there are several "allowed" apps in various categories on the list, it lessens the chances that employees will go off on their own to find a potentially risky solution.
Rule 3: Host Mandatory (Virtual) Cybersecurity Trainings
The most significant risk to your data security is not the fake SaaS apps; it is the people who download them. It only takes one non-compliant person to introduce risk to an entire data set. For this reason, it's imperative that ongoing cybersecurity training is a part of your total protection strategy. These trainings are not just crucial for new employees during the onboarding process. They should be updated and viewed yearly by all employees in the organization. Investing a little in education can reduce the risk of being compromised substantially.
Rule 4: Set Clear Rules Around Sensitive Information Sharing
Leaked sensitive data can create a real issue for both individuals and the greater organization. If an employee has given a risky app access to their email or cloud drive, and there is sensitive data stored in these areas, a bad actor can take control. Confidential information sharing can legally compromise the whole company and generate enormous fines for noncompliance. Setting clear, visible rules around user permissions and sharing platforms can help mitigate your chances of a breach.
Now that the rules are established, how can you monitor adoption across the organization? Consider these three tools, all recommended for minimizing the risks associated with fake apps and Sshadow IT.
An App Audit Solution
Look for a solution that will conduct automatic, ongoing scans of all third-party apps connected to your employees so you can identify risk in real-time. These tools will also inform the list of banned apps noted in rule two. Having the ability to see apps and their risk score all in one place is a great advantage for anyone looking to take better control of unauthorized activity.
A Backup Tool
One of the risks of shadow IT is data loss. If a third-party app or a Web extension is run by a threat actor, it can infect your data with ransomware or delete it. A reliable backup solution is an indispensable part of every organization where data management is a focus. Ransomware risks are higher than ever as cybercriminals turn their attention toward the cloud-based services being used by remote workers. Make sure your data is protected from all sides.
A Ransomware Protection Tool
Ransomware is one of the main risk factors associated with third-party applications. It can seep through unauthorized applications and devices that your employees bring to work every day. Ransomware exploits any vulnerability and can move quickly from device to device and straight into your organization's network. Choose a solution that can stop an attack while it's in progress and flag it immediately. The sooner you're aware of a breach, the more likely you are to save your data.
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.