Tech Time: How Shadow IT is Putting Credit Unions at Risk

By Anudeep Parhar

The use of unsanctioned technology in the workplace introduces security weaknesses that must be managed by IT professionals.

With data breaches on the rise, credit unions need updated “shadow IT” policies to prevent hackers from gaining backdoor access to their organization’s—and members’—information.

What Is Shadow IT?

Shadow IT is the use of any information technology within an organization that is not explicitly sanctioned by the IT department. For example, an employee might use a Google Sheet because it’s easier to share and collaborate with others, even though Microsoft Excel is the organization’s approved workplace software. Other common cases of shadow IT include connecting a work laptop to your home network or working from a personal device, like a smartphone or tablet, in the office.

Shadow IT is not inherently bad—it’s often a sign that employees simply want to increase their efficiency, collaboration and productivity at work. According to a recent survey of IT professionals, 95% of respondents believe employees are more productive, engaged and loyal when they’re allowed to use their preferred technologies at work. However, despite good intentions, unauthorized technology use increases the risk of hacks, credential leaks, malware and other breaches. In fact, Gartner predicts (https://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/) that by 2020, shadow IT will be the cause of a third of all enterprise security breaches.

Risks for CUs

While data breaches are alarming in any industry, they’re especially damaging for financial institutions, which deal with sensitive personal and financial information. Unfortunately, data breaches are also more common in the financial services industry. According to PayPal CEO Dan Schulman, the average American business gets attacked about 4 million times a year, whereas financial services providers get attacked over a billion times a year.

It’s not surprising that financial institutions get breached more often than other businesses, since most cyberattacks are committed for monetary gain. Verizon reported in its 2019 Data Breach Investigations Report that 71% of all cyber incidents are financially motivated.

While these statistics refer to financial institutions in general, credit unions should be particularly cautious. Larger banks typically have more money to spend on technology and security, making CUs the easier target, according to Investopedia.

Harnessing New Technology

Banning shadow IT might seem like the simplest solution, but it won’t actually solve the core issue. As mentioned above, employees mostly use unapproved technology for good reason. Forbidding its use will frustrate workers, hinder their productivity and negatively impact your organizational culture. Plus, organizations can gain a competitive edge by embracing new technology and applications. Credit unions should instead establish protocols that give employees greater control over their work experience while strengthening security and minimizing risk:

1. Protect the cloud. Avoiding the cloud will only set your company behind. While sharing information through external cloud programs can open up a backdoor for hackers, solutions like cloud access security brokers can help. CASBs act as intermediaries between on-premises infrastructure and the cloud, monitoring access and use through single sign-on, encryption and analytics. That means employees can access your organization’s information securely, both inside and outside the office.

IT departments can establish an internal app store or listing with approved and authenticated cloud applications employees can easily download. When employees want access to a new app, they should be able to make a request that quickly initiates the authentication process.

2. Implement identity-based security. Two-factor authentication is quickly being replaced by more dynamic identity-based authentication solutions that monitor for irregular behavior. These systems analyze hundreds of risk indicators including suspicious IP addresses, devices and browser plug-ins.

Identity-based security systems use behavioral information to identify the user, understand their intent and block threats in real time. Employees can more seamlessly access and use their preferred technologies without the overly strict and clunky authentication processes characteristic of legacy solutions.

3. Make sure everyone knows the rules. This goes for employees and organizational leaders alike. Many employees simply don’t know how much is at stake when they use shadow IT. Credit unions should set up internal messaging and training programs that educate employees on the risks and outline the protocol for requesting access to new technologies.

Likewise, CIOs and upper management must stay informed on new technologies and security solutions. They should conduct industry research, collect employee feedback and network with other security leaders. Most importantly, they must continuously assess data regulations to ensure their organizations are compliant with the most current standards.
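The approved-application listing from step 1 can also be used for discovery: comparing outbound web traffic against the listing shows which unsanctioned cloud services are already in use and how much data is going to them. The following is an added example, not part of the original article; the log format, the approved domains and the sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: the IT-approved application listing, as registrable domains.
APPROVED_DOMAINS = {"office.com", "sharepoint.com", "microsoft.com"}

# Constructed sample proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2019-11-04T09:12:01Z jdoe POST docs.google.com 48213
2019-11-04T09:12:09Z jdoe GET outlook.office.com 1204
2019-11-04T09:15:44Z asmith POST docs.google.com 910
2019-11-04T09:20:13Z asmith PUT files.example-share.test 7340032
malformed line here
2019-11-04T09:31:50Z jdoe GET contoso.sharepoint.com 655
"""

def is_approved(host, approved=APPROVED_DOMAINS):
    """True if host is an approved domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "notoffice.com" does not pass as "office.com".
    return any(host == d or host.endswith("." + d) for d in approved)

def find_unsanctioned(log_text, approved=APPROVED_DOMAINS):
    """Return {host: {"users", "requests", "bytes_sent"}} for every
    destination that is not on the approved listing."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines rather than guessing at them
        _ts, user, _method, host, sent = fields
        if is_approved(host, approved):
            continue
        entry = report[host.lower()]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_sent"] += int(sent)
    return dict(report)

def review_queue(report):
    """Hosts ordered by bytes uploaded, largest first, as candidates
    for the access-request and authentication process."""
    return sorted(report, key=lambda h: report[h]["bytes_sent"], reverse=True)

if __name__ == "__main__":
    found = find_unsanctioned(SAMPLE_LOG)
    for host in review_queue(found):
        e = found[host]
        print(host, sorted(e["users"]), e["requests"], e["bytes_sent"])
```

Ordering by bytes sent puts the services receiving the most organizational data at the top of the review list, which is where an approval or replacement decision matters most.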

Data breaches present a serious threat to every business, but adaptive security solutions can reduce risks by protecting data flow and managing identification processes. Remember: The most successful financial institutions empower their employees to work, collaborate and innovate better through cloud-based communication and productivity tools rather than prohibiting their use.

Anudeep Parhar is the chief information officer at Entrust Datacard, Minneapolis. He joined Entrust Datacard in 2016 to lead the company’s rapid expansion to the cloud for all facets of the business. His vision and leadership are vital to transforming the company’s technology operations for colleagues and customers and increasing the digital security posture. Parhar joined the company from Bloom Health, where he served as chief technology officer. He previously held executive-level IT and technology roles at Digital River, Blue Cross and Blue Shield of Minnesota and Thomson Reuters West.
