IT Security Pros Reckless with Unauthorized SaaS Use: Report

Despite knowing better, nearly one in four IT security pros admit to using SaaS applications that haven't been approved by their organization.

That data comes from a recent survey of over 250 IT professionals conducted by Next DLP, a provider of data loss prevention and insider risk management solutions. Released this week, the survey polled attendees at two of this year's largest cybersecurity events: May's RSA Conference and June's Infosecurity Europe.

The responses suggest that not enough organizations have established guardrails around their employees' use of unauthorized applications, also known as "shadow IT." The use of shadow IT -- the Next survey specifically focused on shadow SaaS and generative AI applications -- can be problematic for organizations, resulting in data compromise, noncompliance and more.

Among the survey's respondents, 73 percent admitted to using shadow SaaS in the past year. Moreover, one in 10 said their organization had experienced either a data loss or breach because of shadow SaaS.

It's not that IT pros are unaware of the security risks; in fact, most respondents acknowledged that shadow SaaS creates a high likelihood of data loss (65 percent), lack of visibility and control (62 percent) and data breaches (52 percent).

The problem instead seems to be organizational. Only half of the respondents said their employers had established rules around the use of shadow SaaS within the past six months. One in five said they never had rules at any point, while a similar proportion was simply unaware of what policies or training were in place at their companies regarding the use of shadow SaaS.

This indicates "a need for further awareness and education," said Next.

Non-technical end users also present a concern, according to the survey respondents, 40 percent of whom said employees don't "properly understand the data security risks associated with Shadow SaaS and AI."

However, few of the IT security pros polled have taken the initiative to bridge this knowledge gap. Only 37 percent reported implementing "clear policies and consequences" around the use of shadow SaaS, and only 28 percent have provided their end users with alternatives to unauthorized applications.

"Clearly, there is a disparity between employee confidence in using these unauthorised tools and the organisation's ability to defend against the risks," said Chris Denbigh-White, chief security officer at Next. "Security teams should evaluate the extent of Shadow SaaS and AI usage, identify frequently used tools, and provide approved alternatives. This will limit potential risks and ensure confidence is deserved, not misplaced."

The full survey results are available here.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.

