A recent survey from Next DLP revealed that over the last year, 73% of security professionals have used used “shadow Saas,” or SaaS applications not provided or approved by their IT teams.
Further, even though they are using shadow SaaS, they admitted to being aware of the risks of doing so, with the most commonly named risks being data loss (by 65% of respondents), lack of visibility and control (62%), and data breaches (52%).
Even worse, one in 10 respondents believe that their organization suffered a data breach as a result of them using these unauthorized tools.
Despite not following the rules themselves, security professionals do express concern around other employees in their organizations using unapproved applications.
According to the report, only 37% of security teams have developed clear policies for usage and only 28% promote approved alternatives to those tools.
“Clearly, there is a disparity between employee confidence in using these unauthorised tools and the organisation’s ability to defend against the risks,” said Chris Denbigh-White, chief security officer of Next DLP. “Security teams should evaluate the extent of Shadow SaaS and AI usage, identify frequently used tools, and provide approved alternatives. This will limit potential risks and ensure confidence is deserved, not misplaced.”
Security professionals are also concerned about employees using AI applications. Forty percent of respondents don’t think that employees truly understand the security risks of AI usage or shadow SaaS.
The survey found that half of respondents have restricted AI use to specific job functions, 46% have implemented policies to control the use of AI, and 16% have banned AI completely.
“Security professionals are clearly concerned about the security implications of GenAI and are taking a cautious approach,” said Denbigh-White.
For this survey, Next DLP interviewed 250 security professionals at RSA Conference 2024 and Infosecurity Europe 2024.
You may also like…
Q&A: What the consolidation of the SIEM market means for IT
Q-Day prepping: What businesses can do now to address quantum security risks