The Risks of Shadow IT at Financial Services Firms

Organizations across all vertical markets are dealing with the effects of shadow IT, whether they realize it or not. Shadow IT is technology that is adopted and deployed by individual employees or business units without the knowledge or consent of corporate IT teams. The popularity of SaaS applications and services has specifically enabled shadow IT to grow at an impressive rate, fueled in part by its ease of purchase and deployment. According to a recent survey, 72 percent of executives are unaware of how many shadow applications are in use within their organization.

For financial services firms, the risks of shadow IT are amplified by the value of the data their organizations possess and the strict regulatory standards with which they must comply. As the adoption of shadow IT continues to grow, financial services firms have to be aware of the risks associated with it, as well as ways to mitigate those risks without degrading network performance.

Risks of Shadow IT in Financial Services

The motivations behind the adoption of shadow IT are typically well intentioned. Employees find applications that enable them to do their jobs more efficiently, such as storing and sharing large files that can’t be easily sent via email, and begin using them within the corporate network. However, if IT is unaware that such an application is in use, they are unable to manage it, provide necessary maintenance, or monitor the sorts of data or other resources it may have access to, thereby opening the organization up to substantial risk. The data show that this challenge is real for financial services: one study found that financial services firms use an average of 1,004 cloud services, 15 times more than IT estimates.

  • Data Loss and Inconsistent Data

Two of the primary risks associated with shadow IT are data loss and the proliferation of outdated data. When creating a strong cybersecurity program, it is important to know what data you have, and where that data is stored. Shadow IT can make it difficult to determine where data is being stored, as employees might be doing so using applications that IT teams are unaware of. This makes it impossible to ensure that this data is being secured in accordance with organizational and industry standards. Additionally, not only do IT teams not know what data is being stored in these separate applications, the data that is there may not be updated as frequently as data stored in corporate databases. As a result, employees relying on this data run the risk of making business choices based on outdated information, which can put the financial health of the entire organization at risk.

  • Security

Even more alarming, studies show that only 7 percent of SaaS applications meet enterprise security standards. This means that as employees bring applications into the network, most do not include required security measures to provide such things as regular updates, patches, or data encryption. Additionally, when relying on these applications, any unexpected downtime would prevent employees from completing tasks.

  • Compliance

Similarly, the lack of security features in many shadow IT applications puts financial services firms at risk of being out of compliance with the many regulatory standards governing the industry, such as GDPR and DFS’ 23 NYCRR 500. Noncompliance can result in huge fines being levied against financial services firms, making compliance a top priority. As IT teams add additional controls to their data processing and storage practices to account for regulations, shadow IT undermines these efforts. Data stored in insecure applications without encryption is at a higher risk of being hacked, with potentially huge consequences.

Securing Shadow IT

While organizations are actively at work trying to minimize shadow IT, the reality is that it is unlikely ever to be fully eliminated. Rather than locking down the network, which would hurt efficiency, financial services organizations need to continue to discourage the use of shadow IT while also adding new security controls to the network that are able to see and secure shadow IT. The need is urgent, as Gartner predicts that by 2020 one-third of all successful cyberattacks will be carried out using shadow IT as an entryway. Critical controls are needed to ensure that no data is ever breached as a result of the use of these unknown and unvalidated assets.

To effectively battle the risks brought on by shadow IT, financial services firms need to start by employing true next-generation firewalls (NGFWs), along with cloud access security brokers (CASBs), and internal segmentation solutions.

NGFWs provide granular visibility into north-south data movement within the network as well as into the cloud, giving IT teams visibility into who is accessing what data and where it is being moved. In addition to improved insight, NGFWs can add multiple layers of security to identify at-risk devices and vulnerable applications entering the network. Deploying internal segmentation alongside NGFWs drives visibility deep into the core of the network, allowing for the active monitoring and protection of data moving laterally across the network. Combined with active security controls, internal segmentation is able to dynamically isolate portions of the network, including unknown applications. Isolating such applications to one area of the network protects the broader network from their vulnerabilities, allowing financial services firms to curb the risks introduced by shadow IT.

In addition to the application protection provided by internal segmentation, NGFWs incorporate our secure SD-WAN solution. Secure SD-WAN ensures efficient performance and robust security within distributed networks. Secure SD-WAN also provides financial institutions with enhanced visibility into the usage of applications, while also prioritizing business-critical applications. This is essential to minimizing the potentially harmful impacts of shadow IT, as it gives IT teams visibility into who is using what, and ensures that such usage does not interfere with the performance or bandwidth needed to run critical applications.

CASBs are another key to mitigating the risks brought on by shadow IT. CASBs allow financial services IT teams to discover every application being used within the network, regardless of where it is housed or how it is being used, and then secure those applications with their own controls. As a result, CASBs allow employees to take advantage of the solutions that make them more efficient, while ensuring compliance and security on the organization’s terms.
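As an added example (not Fortinet's code or any CASB product's logic) of the discovery step described above, the Python below reads constructed proxy/NGFW log lines, collapses destinations to their registered domain, compares them against an assumed sanctioned-app inventory, and ranks the unsanctioned services by how many users touch them and how much data they send out. The log format, domains and inventory are all assumptions made for the example.

```python
# Added example: CASB-style shadow SaaS discovery over proxy/NGFW log lines.
# Constructed log format (assumption): "<user> <method> <url> <bytes_sent>"
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_LOGS = """\
alice GET https://mail.corp-sanctioned.example/inbox 512
alice POST https://files.dropship-share.example/upload 4194304
bob POST https://files.dropship-share.example/upload 2097152
carol PUT https://api.quicknotes-saas.example/v1/docs 65536
dave GET https://www.corp-sanctioned.example/ 1024
bob POST https://share.dropship-share.example/api 1048576
"""

# Sanctioned inventory keyed by registered domain (constructed for the example).
SANCTIONED = {"corp-sanctioned.example"}

def registered_domain(host: str) -> str:
    """Collapse subdomains to a 2-label registered domain (naive; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def parse_line(line: str):
    user, method, url, sent = line.split()
    return user, method, registered_domain(urlparse(url).hostname or ""), int(sent)

def discover_unsanctioned(log_text: str, sanctioned=SANCTIONED):
    """Map each unsanctioned registered domain to its users, bytes sent and upload count."""
    seen = defaultdict(lambda: {"users": set(), "bytes_sent": 0, "uploads": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, method, domain, sent = parse_line(line)
        if domain in sanctioned:
            continue                      # known, managed application
        rec = seen[domain]
        rec["users"].add(user)
        rec["bytes_sent"] += sent
        if method in ("POST", "PUT"):     # data leaving the network
            rec["uploads"] += 1
    return dict(seen)

def rank_by_exposure(findings):
    """Order unsanctioned apps by distinct users, then bytes sent (highest first)."""
    return sorted(findings.items(),
                  key=lambda kv: (len(kv[1]["users"]), kv[1]["bytes_sent"]),
                  reverse=True)
```

The ranked list is the triage input: the top entries are the unknown services most users already depend on and that are receiving the most outbound data, so they are the first candidates for either sanctioning under IT's controls or blocking.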

Final Thoughts

Shadow IT continues to pose a serious risk to enterprises, and has proven difficult to control. For financial services firms, this unmanaged IT could have major consequences for security, compliance, and operations. As IT teams look to control this trend, additional security controls that increase asset visibility, such as NGFWs and CASBs, are becoming critically important.
