
The Dangers of Shadow IT: Risks of Implementing SaaS without your MSP

posted by Rich Delaney, CTO

June 16, 2023

In my day-to-day experiences, I have found that the average small business system user's cybersecurity hygiene leaves much to be desired. Moreover, there is often a lack of motivation to improve it.

Regrettably, their employers aren't always more diligent. There seems to be a pervasive underestimation of the risks associated with SaaS applications that users deem as straightforward as their domain registration account, website access, or QuickBooks administrator accounts. However, the reality is that these seemingly innocuous applications, if compromised, could serve as conduits for threat actors to inflict substantial damage on a small business. Today's vast array of applications only amplifies this potential threat, making robust cybersecurity practices more critical than ever.

Enter the Shadow IT person, aka the Insider Threat. Shadow IT is the use of IT resources by employees without the knowledge or approval of the IT department. This typically involves implementing the latest and greatest "Cloud Toys," cloud-based software-as-a-service (SaaS) applications. While these tools can increase productivity and efficiency, they can also pose serious cybersecurity risks when implemented without proper security controls which are put in place by your MSP or internal IT department.

Imagine the damage a bad actor could do if they were to gain access to your small business marketing SaaS platform, such as Constant Contact, which provides email marketing, social media marketing, or even your company's website builder applications. There have been many examples of threat actors gaining access to improperly secured Constant Contact accounts. One significant security incident in 2021 involved the SolarWinds hackers, also known as Nobelium or APT29. This group, believed to be associated with the Russian state, used the Constant Contact email service to launch a widespread phishing attack.

They targeted around 3,000 email accounts across over 150 organizations, including government agencies and think tanks. The hackers accessed a legitimate Constant Contact account belonging to USAID (United States Agency for International Development), which they used to send phishing emails. The emails contained a malicious link, which, when clicked, would install a backdoor on the victim's computer, providing the hackers with potential access to sensitive information or the ability to cause disruptions. Read more about the attack in this article by CRN.

A simple oversight like not enabling MFA or sharing a commonly used password can easily lead to potentially catastrophic consequences for your small business.

Average Cost of Data Breaches

One of the most significant risks of Shadow IT is the potential for data breaches. Without proper security controls, sensitive company and customer data can be exposed, leading to potentially catastrophic consequences.

According to the Cost of a Data Breach Report 2022 by IBM and Ponemon Institute, the average data breach cost for small businesses with fewer than 500 employees was $2.98 million in 2022. The average cost per breached record was $164.

Compliance Violations

Many industries are subject to strict compliance standards regarding data privacy and security. Unauthorized use of SaaS applications could lead to violations of regulations such as GDPR, HIPAA, or CCPA, resulting in hefty fines and damaged reputations.

Malware Infections

Shadow IT can open the door to malware infections. SaaS applications may be vulnerable to malware that can infiltrate your company's network without proper security vetting, leading to system disruptions and potential data loss.

Vulnerability to Phishing Attacks

Unregulated SaaS applications may not have robust protections against phishing attacks. This can put your employees at risk of falling for scams that could result in the theft of login credentials or other sensitive information.

Loss of Data Control

When data is stored in unapproved SaaS applications, it's harder for organizations to maintain control over that information. This can lead to data sprawl, where sensitive information is distributed across multiple platforms, increasing the chances of a data breach.

Zombie Accounts

When employees leave the company or change roles, their accounts on SaaS platforms may continue to exist with the same access rights. These "zombie accounts" can be exploited by malicious actors to gain unauthorized access to sensitive information.

Necessary Self-Service Steps for Mitigating the Risks

To mitigate these risks, involving your Managed Service Provider (MSP) in deploying all SaaS applications is crucial. An MSP like DCS can help implement the necessary security controls and ensure that any new software meets the company's cybersecurity standards. At DCS, we believe that security isn't just a feature but a foundation.

If you're going to go at it alone, at the very least, consider doing the following:

  • Robust Password Management: All passwords for SaaS applications should be generated and managed through Password Boss. This ensures the creation of strong, unique passwords that greatly enhance security. The sharing of credentials is strictly prohibited. Each individual user should have a unique login.

  • Mandatory Multi-Factor Authentication: All SaaS applications must support and have enabled Multi-Factor Authentication (MFA). MFA adds an additional layer of security by requiring a second form of authentication beyond just the username and password. This should be managed through Password Boss or another password manager, which makes it easier to keep MFA enabled on all accounts.

  • Least Privilege Access: The principle of Least Privilege should be followed, in which users are granted the minimum levels of access – or permissions – needed to complete their job functions. This limits the potential damage in the event of a security breach and reduces the risk of internal misuse of systems.
     
  • SaaS Platform's Security Standards: Consider the vendor's security protocols. This includes their data encryption methods, compliance with industry standards and regulations, and history of handling security breaches. Vendors should have a clear and prompt policy for dealing with security incidents, including informing their customers.
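
One way to check the first three items and the zombie-account risk described earlier is to audit an inventory of SaaS logins against the current staff roster. The following is an added example, not code from DCS or any vendor; the inventory columns, the roster, and the approved-admin baseline are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory; the column names are assumptions, not a vendor export format.
INVENTORY = """app,login,used_by,role,mfa
Constant Contact,marketing@example.com,alice@example.com,admin,no
Constant Contact,marketing@example.com,bob@example.com,admin,no
QuickBooks,carol@example.com,carol@example.com,admin,yes
QuickBooks,dave@example.com,dave@example.com,user,yes
Domain registrar,erin@example.com,erin@example.com,admin,yes
"""
# Constructed HR roster of current staff (dave has left the company).
ACTIVE_STAFF = {"alice@example.com", "bob@example.com",
                "carol@example.com", "erin@example.com"}
# Constructed least-privilege baseline: who may hold admin rights in each app.
APPROVED_ADMINS = {"Constant Contact": {"alice@example.com"},
                   "QuickBooks": {"carol@example.com"},
                   "Domain registrar": {"erin@example.com"}}


def audit(inventory_csv, active_staff, approved_admins):
    """Return sorted (finding, app, login, person) tuples for the four checks."""
    rows = [{k: v.strip() for k, v in r.items()}
            for r in csv.DictReader(io.StringIO(inventory_csv))]
    # Map each (app, login) to everyone who uses it, to spot shared credentials.
    users = defaultdict(set)
    for r in rows:
        users[(r["app"], r["login"].lower())].add(r["used_by"].lower())

    findings = set()
    for r in rows:
        app, login, person = r["app"], r["login"].lower(), r["used_by"].lower()
        if person not in active_staff:
            findings.add(("ZOMBIE_ACCOUNT", app, login, person))
        if r["mfa"].lower() != "yes":
            findings.add(("MFA_DISABLED", app, login, person))
        if len(users[(app, login)]) > 1:
            findings.add(("SHARED_LOGIN", app, login, person))
        if r["role"].lower() == "admin" and person not in approved_admins.get(app, set()):
            findings.add(("EXCESS_ADMIN", app, login, person))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(INVENTORY, ACTIVE_STAFF, APPROVED_ADMINS):
        print(*finding, sep=" | ")
```

An app missing from the approved-admin baseline has every admin flagged, so an application nobody registered with IT surfaces in the same report.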

Cybersecurity is a shared responsibility, and these steps will help ensure that our SaaS applications are secure and our data is protected. Always remember: when it comes to cybersecurity, it's better to prevent than to remediate.

Remember, any security strategy is only as strong as its weakest link. Don't let Shadow IT be that weak link in your organization.