Monday, July 1, 2024

Shadow SaaS — a persistent problem and how to confront it [Q&A]


There’s an abundance of apps and SaaS solutions readily available these days to make the lives of employees easier and perform many work-related tasks. And the list keeps growing, with the likes of ChatGPT and Gemini paving the way for more AI-driven virtual assistants.

This is all well and good, unless your organization doesn’t sanction the use of the software in question, turning something seemingly innocuous into shadow SaaS — and a security risk. We spoke to John Stringer, head of product at data loss prevention specialist Next DLP, to learn more.

BN: Why do employees overlook the risk of shadow apps?

JS: Often it is simply because many are unaware of the dangers. They genuinely underestimate the consequences of using unauthorized tools, not appreciating the security holes they are inadvertently creating. All the user sees are convenient apps, focusing solely on the immediate benefit of solving a problem quickly with a familiar tool.

Remote working has aggravated the issue too, making employees feel detached from the corporate IT environment. As a result, staff might not be aware of similar approved options provided by IT. Or if the approval process seems slow or cumbersome, they resort to shadow SaaS out of frustration. Some research suggests that over 65 percent of IT professionals are using SaaS tools that their organization has not approved.

Typical gripes are not having enough storage space, difficulty sharing large data files, lack of video conferencing or messaging apps, and poor functionality in development tools. Now there’s also an expectation that GenAI tools should be readily accessible.

To make matters more confusing, the problem differs between organizations. Take, for example, Google Workspace. It could be shadow SaaS for one company, while deployed as a co-working platform for another. Unfortunately, employees may reason that software is safe if they had access to it in a previous job or if another, well-respected firm or supplier deems it secure.

BN: What are the main risks associated with this when left undetected?

JS: Without effective security measures in place to prevent or detect the use of shadow SaaS, organizations leave themselves wide open to accidental data loss, deliberate data exfiltration and non-compliance penalties.

Data theft is a major risk. Whether that’s financial information, personal and customer data, passwords, or intellectual property, there’s a vast array of sensitive data that is attractive to cyber criminals or can fall accidentally into the wrong hands. Plus, there are multiple ways that data can find its way out of an organization.

A recent study shows that the most frequent exfiltration route is email at over 40 percent, followed by around 25 percent from uploads and approximately 18 percent related to cloud sync directories. The rest is moved with USBs at 8.4 percent, transfer tools (e.g. SCP, FTP) at 4.8 percent, and printed materials at 3.3 percent.

BN: What are the tactics that insiders use to cause data leaks?

JS: Email’s universal access makes it by far the most vulnerable channel for data leaks. Sensitive information that’s sent to or from, and stored in, unencrypted personal email accounts significantly increases the risk of unintended disclosure or malicious exfiltration. It’s an easy target for cybercriminals to hack or for insiders to manipulate.

Browser upload is another common method of moving sensitive data to cloud apps and storage. A malicious employee may know there are controls in place to monitor email traffic and file transfers over the network, but that it is far more challenging for security teams to distinguish between legitimate and malicious browser uploads. Monitoring external sites, such as Pastebin and SourceForge, commonly used by developers to share code and download patches, is complex too. Combine this with the use of personal logins and encryption options, and malicious insiders can conceal, move, and store all kinds of valuable data without detection.

Then there’s exfiltration using a cloud sync directory on an endpoint that syncs local folders to the cloud, e.g. Dropbox or iCloud. In these instances, employees are transferring data to personal online storage services and accounts instead of using a company-approved account. Worryingly, in some cases, sync agent misconfiguration means data is syncing without users even realizing it is happening. For a malicious insider, transferring data to these services provides handy concealment, especially if other corporate devices are already interacting with the same system.

Add in the use of USBs, transfer tools and printed materials, and you need eyes in the back of your head to stop data leaking out via numerous routes, whether it’s deliberate or accidental.

BN: How can organizations efficiently reduce the risk of data exfiltration?

JS: Firstly, security teams need to take stock of the problem and assess the extent of unauthorized app and software usage. By understanding what data is being transferred and which SaaS applications are utilized, consideration can be given to integrating popular apps with internal security protocols. Such a review will also highlight if better communication and training programs are required to encourage the take-up of approved tools and explain the serious ramifications of using unauthorized ones.

Organizations should also consider deploying solutions to monitor data exfiltration. Today’s modern platforms offer predefined and custom-built policies along with pseudonymization to detect and mitigate threats without compromising user privacy or allowing bias. User identity is only exposed when necessary, such as during an investigation, and in a tightly controlled manner. These solutions give visibility of hidden insider threats, providing comprehensive insights into the use of all SaaS applications across an ecosystem. They enable security teams to put effective measures in place to protect against data breaches and exposure of information caused by unauthorized application usage.
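The two steps Stringer describes, taking stock of which SaaS apps receive uploads and monitoring them with pseudonymized identities, sketched as an added example (not Next DLP’s code or the interviewee’s). The proxy log format, sanctioned-domain list and key are constructed for illustration; a keyed HMAC stands in for the platform’s pseudonymization, and re-identification is gated behind an explicit approval flag.

```python
import hmac
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed web-proxy upload events: (user, method, url, bytes sent).
SAMPLE_EVENTS = [
    ("alice", "POST", "https://drive.google.com/upload", 52_000_000),
    ("bob", "POST", "https://pastebin.com/api/api_post.php", 4_100),
    ("alice", "POST", "https://www.dropbox.com/upload", 310_000_000),
    ("carol", "POST", "https://mail.example.com/send", 900_000),
    ("bob", "POST", "https://transfer.example-fileshare.net/put", 75_000_000),
]

# Hypothetical list of SaaS domains this organisation has approved.
SANCTIONED = {"drive.google.com", "mail.example.com"}

# Constructed pseudonymisation key; held by the security team, not analysts.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def pseudonymize(user: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable per-user token analysts cannot reverse without the key."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def inventory_unsanctioned(events, sanctioned=SANCTIONED):
    """Map each unsanctioned upload host -> (count, total bytes, pseudonyms)."""
    summary = defaultdict(lambda: [0, 0, set()])
    for user, method, url, nbytes in events:
        if method != "POST":          # only count outbound uploads
            continue
        host = urlparse(url).hostname or ""
        if host in sanctioned:        # approved tool, not shadow SaaS
            continue
        entry = summary[host]
        entry[0] += 1
        entry[1] += nbytes
        entry[2].add(pseudonymize(user))
    return {h: (c, b, frozenset(p)) for h, (c, b, p) in summary.items()}


def reidentify(token, directory, key=PSEUDONYM_KEY, approved=False):
    """Resolve a token to a user only under an approved investigation."""
    if not approved:
        raise PermissionError("re-identification requires approval")
    for user in directory:            # HMAC is one-way, so recompute and match
        if pseudonymize(user, key) == token:
            return user
    return None
```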

BN: How can employee education bring the risks of shadow SaaS to light?

JS: It’s important to make shadow SaaS/IT an integral part of security training. Getting staff to feed back on concerns before they become security issues is crucial, including whenever they believe policies, processes and inadequate tools are preventing them from working effectively. A healthy and proactive cyber security culture makes it more likely that staff will report shadow SaaS, as they know their concerns will be taken seriously. Otherwise, individuals will be reluctant to draw attention to problems if they are worried that they or their co-workers will get into trouble or be ignored.

Above all, implement a simple process enterprise-wide for logging and responding to requests. If users don’t feel their needs are being dealt with promptly, they will again be tempted to find their own solutions — and that will re-open the can of worms and encourage others to follow suit.

Image credit: Hans-Joachim Roy/Shutterstock
