In the world of community banking, the landscape of information security and cyber risk management has dramatically evolved. Gone are the days when all servers were in-house, and every application installation involved the IT department. Today, it’s easier than ever for a Compliance Officer to sign off on a new software tool to manage Reg DD challenges or for a Loan Officer to adopt a cloud solution to improve customer acceptance rates.
However, with this convenience comes a significant risk. It is impossible to protect information if you do not know it exists. This is where the concept of Shadow IT comes into play—unapproved software and systems used by employees without the knowledge of the IT/IS department. Even with a Vendor Governance policy in place, employees often view small applications as too insignificant to qualify as vendors, leading to gaps in tracking what software has been adopted, who has access to it, and the associated risks.
A typical community financial institution can have between 50 and 100 applications enterprise-wide. This number varies with the institution’s size and complexity. Some examples of often-overlooked systems we’ve come across include:
- Marketing Automation Tools: Platforms like Mailchimp or HubSpot are used by marketing teams to manage campaigns and customer interactions.
- Expense Management Software: Apps like Expensify or Concur are used by employees for managing and submitting expense reports.
- Project Management Tools: Software such as Asana, Trello, or Monday.com are adopted by teams to track projects and tasks.
- Survey and Feedback Tools: Services like SurveyMonkey or Typeform are used to gather feedback from customers or employees.
- Document Signing Services: E-signature tools like DocuSign or Adobe Sign are used for executing contracts and agreements.
- Social Media Management Tools: Platforms like Hootsuite or Buffer are used to manage and schedule social media posts.
- Scheduling and Appointment Booking Systems: Tools like Calendly or Acuity Scheduling are used to manage appointments and meetings.
- Financial Planning and Analysis (FP&A) Tools: Solutions like Adaptive Insights or Planful are used for budgeting, forecasting, and financial analysis.
- Personal Productivity Apps: Software like Evernote or Notion are used by individual employees to organize their work and notes.
The presence of these “shadow” applications makes it difficult to maintain a comprehensive understanding of your institution’s technology landscape. This is why having a Detailed System Inventory is crucial. At Finosec, we refer to ours as a System Inventory Map. This tool helps to identify all applications in use, determine who has access to each, and assess the risk associated with every system.
Actionable Tips to Track Down Shadow IT
- Conduct Regular Audits: Periodically review all systems and applications in use. This can be done through surveys, old-fashioned interviews, and automated tools that scan for unauthorized software.
- Implement a Clear Policy: Establish a comprehensive IT policy that requires employees to seek approval before installing any new software. This policy should also include non-installed SaaS software being used for business purposes. Make sure the policy is communicated effectively across the organization.
- Use Monitoring Tools: Deploy network monitoring tools to identify unauthorized applications. These tools can detect unusual network traffic patterns that may indicate the use of unsanctioned software, both in-house and SaaS.
- Foster a Culture of Transparency: Encourage employees to report any new applications they are using. Create a non-punitive environment where the focus is on improving security rather than penalizing individuals.
- Centralize Software Procurement: Ensure all software purchases go through a centralized procurement process. This helps maintain a clear record of all applications in use and ensures they meet security and compliance standards.
- Regular Training and Awareness: Educate employees about the risks associated with Shadow IT and the importance of adhering to the established IT policies. Regular training sessions can help reinforce this message.
- Create an Application Inventory: Maintain a detailed inventory of all approved software applications. This inventory should include information on who uses each application, what data it accesses, and its security and compliance status.
- Perform User Access Reviews: Regularly review user access to ensure that only authorized personnel have access to critical systems and data. This helps in identifying and removing any unnecessary access permissions.
- Leverage Cloud Access Security Brokers (CASBs): Use CASBs to gain visibility into cloud applications and enforce security policies. CASBs can help monitor and control the use of cloud services within the organization.
- Encourage Use of Approved Tools: Provide employees with a list of approved tools that meet security and compliance requirements. Make it easy for them to access and use these tools to reduce the temptation to resort to unauthorized applications.
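As an added example (not code from this post or from Finosec's System Inventory Map), here is how the audit, monitoring and inventory tips above can be turned into a repeatable check: constructed web-proxy log lines are reconciled against a hypothetical approved-application inventory, and any known SaaS domain that is in use but not approved is reported together with the users who reached it. The log format, the inventory and the SaaS catalogue are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original post): timestamp, user, destination host.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:01 jdoe mail.mailchimp.com
2024-05-01T09:15:44 asmith app.hubspot.com
2024-05-01T10:02:13 jdoe calendly.com
2024-05-01T10:30:07 bwong api.notion.so
2024-05-01T11:05:59 asmith www.surveymonkey.com
2024-05-01T11:40:21 bwong app.asana.com
2024-05-01T12:01:00 jdoe www.google.com
"""

# Hypothetical approved-application inventory: application name -> domains it uses.
APPROVED_APPS = {
    "DocuSign": {"docusign.com"},
    "HubSpot": {"hubspot.com"},
    "Asana": {"asana.com"},
}

# Catalogue of known SaaS domains so an unapproved service can be named, not just flagged.
KNOWN_SAAS = {
    "mailchimp.com": "Mailchimp",
    "calendly.com": "Calendly",
    "notion.so": "Notion",
    "surveymonkey.com": "SurveyMonkey",
    "hubspot.com": "HubSpot",
    "asana.com": "Asana",
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registrable_domain(host):
    """Reduce a hostname to its last two labels (a simplification of public-suffix rules)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def find_shadow_saas(log_text, approved=APPROVED_APPS, known=KNOWN_SAAS):
    """Return {saas_name: [users]} for known SaaS seen in the log but absent from the inventory."""
    approved_domains = set().union(*approved.values())
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the review
        _, user, host = m.groups()
        domain = registrable_domain(host)
        if domain in known and domain not in approved_domains:
            findings[known[domain]].add(user)
    return {app: sorted(users) for app, users in sorted(findings.items())}
```

Each finding is a candidate for the inventory, not a verdict: the next step is the non-punitive conversation with the users listed, followed by either vendor onboarding or removal.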
By implementing these strategies, community banks can significantly reduce the risks associated with Shadow IT and ensure a secure and well-governed technology environment.
As the community banking environment grows increasingly complex with the adoption of diverse applications, understanding and managing these systems is paramount. A detailed System Inventory Map, coupled with regular user access reviews, can help community banks protect their information assets effectively, ensuring both security and compliance.
By taking these actionable steps, you can mitigate the risks associated with Shadow IT and foster a secure, well-governed technology environment within your institution.