Senior IT decision makers say that more cyber risks are being created outside of the IT department’s visibility; yet it remains IT’s responsibility to mitigate these risks, according to the latest survey from SailPoint.
The survey found that organisations need to better define and enforce corporate policies company-wide, addressing risks like shadow IT and bring your own device (BYOD) given today’s increasingly mobile, agile workforce.
Recent sprawling attacks like WannaCry that affected organisations worldwide, as well as direct attacks on organisations of all sizes and in all industries, have demonstrated the significant organisational damage they cause.
In the wake of data breach pandemics at levels seen over the past year, most organisations should take stock of the security controls they currently have in place and work to understand where their exposure points exist, and how to remedy them.
More risks are being created by departments outside of IT’s purview, but it’s still IT’s problem
Over half of respondents (54%) believed that one of the key reasons that non-IT departments introduce the most risk is that they often lack the understanding of what actions and behaviours lead to risk.
Using unsecure mobile devices and adopting unmonitored SaaS applications are two examples of such risky behaviour. While the majority of these risks are being created outside of IT’s view, it is still IT’s responsibility to mitigate the risks associated with them. According to the survey, 7 out of 10 (72%) organisations have embraced BYOD and SaaS application adoption, while only 53% have formal policies in place to protect corporate data.
Organisations need to better outline and enforce corporate policies company-wide
While organisations may create policies to govern access that help secure the enterprise, there is often a disconnect between what is defined as policy and what is actually enforced.
Of the companies that have policies in place, 3 in 10 (36%) said that their users are not following them. With 74% of respondents concerned about BYOD and shadow IT as organisational exposure points, it’s clear that enterprises need to better enforce corporate security policies company-wide.
Identity governance is key to managing risk
More than 6 in 10 (61%) of respondents agreed their organisation’s data would be less exposed if they were better equipped to manage it. And over 6 in 10 (64%) of respondents whose organisation has introduced an identity governance solution believe it will result in a more automated and efficient organisation, while over half (58%) hope to improve business enablement.
Hybrid IT environments are a reality for today’s enterprise
With cloud adoption accelerating for most enterprises, control over exposure points is needed across the entire IT environment, both on-premises and in the cloud.
Market Pulse Survey respondents confirmed this trend towards the cloud, with 34% reporting that they already have a “cloud first” strategy in place and 45% planning to adopt one at some point in the future. And, although many enterprises are moving to the cloud, they still have a variety of legacy applications that will remain on-premises, creating a complex, hybrid IT environment that still needs to be managed and governed holistically.
This is why building a cyber security programme that puts identity at the centre of that strategy is more important than ever for today’s modern enterprise – it gives enterprises that single view into all users’ access to all data and applications, no matter where it resides.
“Our Market Pulse Survey uncovered an interesting ‘identity trilemma’ – multiple departments within an organisation are adopting their own SaaS solutions to appease business users through shadow IT, all while not properly adhering to company security policies,” said Juliette Rizkallah, CMO, SailPoint.
“This is a dangerous combination that creates serious exposure points for companies today. Identity governance is still the key in protecting these points of exposure and mitigating the risks inherent in today’s hybrid IT environment. For enterprises to have full visibility into who has access to what, understanding the ‘who’ in that equation is more important than ever. This is why putting identity at the centre of security strategies is the best approach for defending and protecting today’s modern enterprise.”