Shadow IT: The Danger of Open Tech Stacks in Banking

Banking, financial services and insurance companies are in danger—and this danger is lurking at employees’ fingertips. Employees, clients and vendors are wooed daily by unvetted third-party apps that promise to make workflows easier—and if financial organizations don’t put a stop to these shadow IT environments, they could pay a hefty price. Let’s dive into what shadow IT environments are, why they happen, why they’re dangerous and how a user-friendly encryption solution helps organizations eradicate them.

What are shadow IT environments?

Shadow IT refers to third-party software your employees use that are outside the control of your IT department and network. They become part of your unofficial tech stack and leave your organization vulnerable to malicious actors. Security professionals consider unapproved third-party software and apps unwelcome additions to an organization’s network—and yet, employees continue to indulge in them.

What causes shadow IT environments?

It’s easy to blame shadow IT environments on negligent, malicious or clueless employees. But organizations in banking, financial services and insurance must be accountable for what goes on in their organizational networks.

Shadow IT environments happen for three main reasons: clunky existing tools, lack of employee education about security and insufficient IT controls to disallow rogue downloads and network access. When your organizational tools aren’t as easy to use as third-party tools, employees find easier ways to get the job done. If you don’t train employees on security threats, they won’t understand how seemingly-innocent behaviour can put the company at risk—and they’ll keep flipping company information through Gmail and using unsecure apps on free WiFi at their favourite coffee shops on work-from-home days. And without sufficient controls, you’ll miss catching aberrant behaviour that slips through even after you put user-friendly, secure options and employee training in place.

Why are shadow IT environments dangerous?

Shadow IT environments are dangerous because they allow company information to leave the security of your network and they can allow nefarious agents access to your secured network. And in many cases, staff don’t realize they put company information at risk. For example, an employee talking to a client on a cell phone might believe it’s safe to send the client some documentation through third party instant messaging apps, like WhatsApp (it’s encrypted, right?), Facebook Messenger, DropBox or their personal Gmail account.

To illustrate the problem with these third-party scenarios, let’s say you have an employee who sends confidential European data from your company through Gmail, for example. As soon as they click ‘Send,’ this sensitive information, which might include sensitive customer data, enters Google servers in the United States and can be re-purposed for other uses, like for third-party ads hosted through AdWords. In this instance, the subsequent lack of control over this sensitive data and its presence in the US can cause problems with the GDPR.

Then there’s malware and privacy backdoors that accompany third-party apps. The AV-TEST Institute, an independent German research institute for IT security, found that malware has almost doubled since 2015.

And according to a paper called 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System, researchers studied 88, 113 Android apps and identified five types of side and covert channels they use to access private data—without permission.

The bottom line is when banking organizations haphazardly allow third party software into their tech stacks, they put client privacy and organizational security at risk.

What can be done to eradicate shadow IT environments?

To eradicate shadow IT environments, organizations must address the issues that cause them by:

  • Replacing cumbersome communication tools with user-friendly solutions that integrate so well into work flows that employees want to use them.
  • Implementing effective and ongoing training for all employees on information security, cybersecurity and data privacy.
  • Putting controls in place to prevent and/or discourage use of unvetted apps and software for company business and on company devices.

 

Echoworx OneWorld is a user-friendly and customer-centric encryption solution that helps banking, financial services and insurance companies secure client communications in transit and at rest. Because it’s so easy to securely transmit information, employees don’t need to search for third-party options that fit into their workflow.

Echoworx OneWorld features that help organizations eradicate shadow IT environments:

  • Easy and frictionless user experience – In a recent Echoworx survey, we found that 53 per cent of organizations with encryption found it “too difficult to use.” An encryption solution can’t protect client and organizational data if nobody uses it! OneWorld makes it easy for employees and customers to use and makes inbound and outbound encryption the path of least resistance.
  • Definable policies – Automatically control which communications get encrypted (and how) based on the message content, subject lines and key words. Flexible controls for every scenario means you stay in control of encrypted messages while they’re in transit and at rest.
  • Enable inbound encryption – While you can’t control what type of information clients and vendors send you via email, you can control how you receive and secure it. Emails with sensitive information are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • No registration process – Encryption solutions that require recipients to register before reading encrypted emails make secure communication cumbersome. OneWorld eliminates the registration process and allows the sender to share a secret phrase—also known as a passphrase—with the recipient. To open the encrypted email, the recipient simply types in the passphrase.

Not only does Echoworx OneWorld help banks eradicate shadow IT environments, it also helps them save money. A recent Forrester Total Economic Impact™ study showed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of only seven months.

By: Brian Au, IT Specialist, Echoworx

YOU SHOULD ALSO SEE