TL;DR - A survey of 250 security professionals revealed that 73% admitted to using unauthorized SaaS applications, despite knowing the risks such as data loss, lack of visibility, and data breaches. Organizations need to implement better visibility, strict access controls, and employee training to manage these risks. ThreatKey provides comprehensive solutions to detect and control Shadow SaaS and manage GenAI usage, ensuring data security and compliance.
In today's digital landscape, the adoption of Generative AI (GenAI) tools is transforming how organizations operate. These technologies offer immense benefits in scalability, efficiency, and innovation. However, they also introduce significant challenges, particularly when employees use unsanctioned applications without the knowledge or oversight of IT departments. This phenomenon, known as Shadow SaaS, along with the emerging risks of GenAI, presents serious data security concerns. To explore these issues, we turn to insights from a recent survey conducted among over 250 security professionals at RSA Conference 2024 and Infosecurity Europe 2024.
Survey Insights
The survey of 253 global security professionals revealed a concerning trend: nearly three-quarters (73%) admitted to using SaaS applications not provided by their company’s IT team in the past year. Respondents were well aware of the risks, citing data loss (65%), lack of visibility and control (62%), and data breaches (52%); even so, one in ten confirmed that their organization had suffered a data breach or data loss as a result of Shadow SaaS usage.
Moreover, while there is a noticeable laissez-faire attitude towards Shadow SaaS, security professionals are more cautious about GenAI. Half of the respondents indicated that AI use had been restricted to specific job functions, with 16% banning the technology entirely. Additionally, 46% of organizations have implemented tools and policies to control GenAI usage.
Risks Associated with Shadow SaaS and AI
The unauthorized use of SaaS applications and GenAI tools poses several significant risks:
- Data Loss: Sensitive information can be easily leaked or lost when using unsanctioned applications.
- Lack of Visibility and Control: IT departments struggle to monitor and manage data flows in and out of unauthorized tools.
- Data Breaches: Every unsanctioned application expands the attack surface, increasing the likelihood of breaches that compromise sensitive company data.
Current Practices and Policies
Despite recognizing these risks, many organizations have not fully addressed them. The survey revealed that only 37% of security professionals had developed clear policies and consequences for using unauthorized tools. Even fewer (28%) promoted approved alternatives. Only half had received guidance and updated policies on Shadow SaaS and AI in the past six months, and one in five admitted to never receiving such updates.
Mitigation Strategies
To effectively mitigate the risks associated with Shadow SaaS and AI, organizations need to adopt several key strategies:
- Visibility and Monitoring: Implement tools that provide full visibility into all SaaS applications used within the organization, including unauthorized ones.
- Strict Access Controls: Enforce strict access controls to limit the use of unsanctioned applications.
- Training and Awareness: Develop comprehensive training programs to educate employees about the risks and proper usage of SaaS and AI tools.
- Promoting Approved Alternatives: Encourage the use of approved, secure alternatives to unsanctioned tools.
The survey highlights a critical need for better management and understanding of the risks associated with Shadow SaaS and GenAI. By implementing robust visibility, monitoring, and policy enforcement strategies, organizations can significantly reduce their exposure to these risks. ThreatKey offers a strategic response, providing comprehensive tools to manage and secure SaaS and AI usage effectively.