The Hidden Risks of Shadow IT: Why Community Banks Need a Detailed System Inventory

By Beth Sumner

July 2, 2024

In the world of community banking, the landscape of information security and cyber risk management has dramatically evolved. Gone are the days when all servers were in-house, and every application installation involved the IT department. Today, it’s easier than ever for a Compliance Officer to sign off on a new software tool to manage Reg DD challenges or for a Loan Officer to adopt a cloud solution to improve customer acceptance rates.

However, with this convenience comes a significant risk. It is impossible to protect information if you do not know it exists. This is where the concept of Shadow IT comes into play—unapproved software and systems used by employees without the knowledge of the IT/IS department. Even with a Vendor Governance policy in place, employees often view small applications as too insignificant to qualify as vendors, leading to gaps in tracking what software has been adopted, who has access to it, and the associated risks.

A typical community financial institution can have between 50 and 100 applications enterprise-wide. This number varies with the institution’s size and complexity. Some examples of often-overlooked systems we’ve come across include:

  • Marketing Automation Tools: Platforms like Mailchimp or HubSpot are used by marketing teams to manage campaigns and customer interactions.
  • Expense Management Software: Apps like Expensify or Concur are used by employees for managing and submitting expense reports.
  • Project Management Tools: Software such as Asana, Trello, or Monday.com are adopted by teams to track projects and tasks.
  • Survey and Feedback Tools: Services like SurveyMonkey or Typeform are used to gather feedback from customers or employees.
  • Document Signing Services: E-signature tools like DocuSign or Adobe Sign are used for executing contracts and agreements.
  • Social Media Management Tools: Platforms like Hootsuite or Buffer are used to manage and schedule social media posts.
  • Scheduling and Appointment Booking Systems: Tools like Calendly or Acuity Scheduling are used to manage appointments and meetings.
  • Financial Planning and Analysis (FP&A) Tools: Solutions like Adaptive Insights or Planful are used for budgeting, forecasting, and financial analysis.
  • Personal Productivity Apps: Software like Evernote or Notion are used by individual employees to organize their work and notes.

The presence of these “shadow” applications makes it difficult to maintain a comprehensive understanding of your institution’s technology landscape. This is why having a Detailed System Inventory is crucial. At Finosec, we refer to ours as a System Inventory Map. This tool helps to identify all applications in use, determine who has access to each, and assess the risk associated with every system.

Actionable Tips to Track Down Shadow IT

  1. Conduct Regular Audits: Periodically review all systems and applications in use. This can be done through surveys, old-fashioned interviews, and automated tools that scan for unauthorized software.
  2. Implement a Clear Policy: Establish a comprehensive IT policy that requires employees to seek approval before installing any new software. This policy should also include non-installed SaaS software being used for business purposes. Make sure the policy is communicated effectively across the organization.
  3. Use Monitoring Tools: Deploy network monitoring tools to identify unauthorized applications. These tools can detect unusual network traffic patterns that may indicate the use of unsanctioned software, both in-house and SaaS.
  4. Foster a Culture of Transparency: Encourage employees to report any new applications they are using. Create a non-punitive environment where the focus is on improving security rather than penalizing individuals.
  5. Centralize Software Procurement: Ensure all software purchases go through a centralized procurement process. This helps maintain a clear record of all applications in use and ensures they meet security and compliance standards.
  6. Regular Training and Awareness: Educate employees about the risks associated with Shadow IT and the importance of adhering to the established IT policies. Regular training sessions can help reinforce this message.
  7. Create an Application Inventory: Maintain a detailed inventory of all approved software applications. This inventory should include information on who uses each application, what data it accesses, and its security and compliance status.
  8. Perform User Access Reviews: Regularly review user access to ensure that only authorized personnel have access to critical systems and data. This helps in identifying and removing any unnecessary access permissions.
  9. Leverage Cloud Access Security Brokers (CASBs): Use CASBs to gain visibility into cloud applications and enforce security policies. CASBs can help monitor and control the use of cloud services within the organization.
  10. Encourage Use of Approved Tools: Provide employees with a list of approved tools that meet security and compliance requirements. Make it easy for them to access and use these tools to reduce the temptation to resort to unauthorized applications.
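One way to put tips 3, 7 and 8 into practice, as an added example that is not from the original post or Finosec's platform: a small Python script that reconciles web-proxy log lines against a System Inventory Map and reports which SaaS applications outside the inventory are in use, by whom, and how much data moved. The inventory, the SaaS reference list and the log lines are all constructed for illustration.

```python
# Added example (not Finosec's code): reconcile proxy logs against a System Inventory Map.
# Inventory, SaaS reference list and log lines below are constructed for illustration.

# Approved SaaS base domain -> (application, business owner), as an inventory map would record
SYSTEM_INVENTORY = {
    "docusign.com": ("DocuSign", "Loan Operations"),
    "expensify.com": ("Expensify", "Accounting"),
    "hubspot.com": ("HubSpot", "Marketing"),
}
# Hypothetical reference list of SaaS domains: traffic here that is NOT in the inventory is Shadow IT
KNOWN_SAAS = {"trello.com": "Trello", "notion.so": "Notion", "calendly.com": "Calendly"}

# Constructed proxy log: timestamp user destination_host bytes_sent
PROXY_LOG = """\
2024-07-01T09:02:11 jsmith docs.docusign.com 48211
2024-07-01T09:15:42 amiller api.trello.com 9120
2024-07-01T10:44:58 rlee www.notion.so 77344
2024-07-01T11:12:09 amiller api.trello.com 3300
2024-07-01T11:30:00 kchen intranet.example-bank.internal 512
"""

def base_domain(host):
    """Reduce 'api.trello.com' to 'trello.com' (two-label heuristic, assumed adequate here)."""
    return ".".join(host.lower().split(".")[-2:])

def parse_proxy_log(text):
    """Yield (timestamp, user, base_domain, bytes) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3].isdigit():
            yield fields[0], fields[1], base_domain(fields[2]), int(fields[3])

def find_shadow_it(log_text, inventory=SYSTEM_INVENTORY, known_saas=KNOWN_SAAS):
    """Return {app: {"domain", "users", "bytes"}} for known SaaS seen in the log but absent from the inventory."""
    findings = {}
    for _, user, domain, nbytes in parse_proxy_log(log_text):
        if domain in inventory or domain not in known_saas:
            continue  # sanctioned, or not a SaaS domain we track
        entry = findings.setdefault(known_saas[domain],
                                    {"domain": domain, "users": set(), "bytes": 0})
        entry["users"].add(user)
        entry["bytes"] += nbytes
    for entry in findings.values():
        entry["users"] = sorted(entry["users"])  # stable ordering for the access review
    return findings

if __name__ == "__main__":
    for app, info in find_shadow_it(PROXY_LOG).items():
        print(f"UNSANCTIONED {app} ({info['domain']}): users={info['users']} bytes={info['bytes']}")
```

The findings feed directly into tip 7 (add the application to the inventory, or retire it) and tip 8 (the user list is the starting point for the access review).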

By implementing these strategies, community banks can significantly reduce the risks associated with Shadow IT and ensure a secure and well-governed technology environment.

As the community banking environment grows increasingly complex with the adoption of diverse applications, understanding and managing these systems is paramount. A detailed System Inventory Map, coupled with regular user access reviews, can help community banks protect their information assets effectively, ensuring both security and compliance.

By taking these actionable steps, you can mitigate the risks associated with Shadow IT and foster a secure, well-governed technology environment within your institution.
