In 2022, human error was responsible for 82% of all breaches, reinforcing a lingering problem across the cybersecurity landscape. CISOs can invest in the latest technologies and solutions to secure the perimeter, endpoints, and applications only to have human negligence open the proverbial door for bad actors. Enterprises often see employees as their greatest vulnerability and as being victims of outside threats, but sometimes the latter is not true.
According to Gartner, over 90% of employees who engaged in insecure work actions did so knowing it would increase risk to the organization. This revelation is shocking and dangerous in its own right, but will only worsen as employees are increasingly given — often unknowingly — more freedom over the technologies they use for work. The proliferation of software as a service (SaaS) in organizations effectively democratizes information technology (IT) departments in the same way that social media did for news. In the same survey, Gartner estimates 75% of employees will acquire, modify, or create technology outside IT’s visibility by 2027, up from 41% in 2022.
CISOs have little hope of keeping pace with broadening attack surfaces if they don’t make significant investments in human-centric security technologies that focus on improving real-time employee decision-making.
SaaS sprawl emboldens employees to take tech into their own hands
The rampant growth of SaaS within organizations, or “SaaS Sprawl,” is not a new trend, but its escalating impact on the future of enterprise security cannot be overstated. On average, a single company uses 254 SaaS applications. Due to increased connectivity and use of SaaS/cloud applications, resource-strapped security teams are now responsible for covering a wider attack surface and need a way to maintain visibility and control apps from a central source. However, this is challenging when shadow SaaS accounts for more than half (51%) of the applications in the average portfolio. Security operations cannot secure what they cannot see.
The blocking fallacy
Even when accounting for unsanctioned SaaS that is visible to security operations (SecOps), blocking user access continues to be an ineffective method for improving cyber hygiene. Take, for instance, the banning of ChatGPT by major companies like Apple, Amazon and Samsung. There are many good reasons for this reaction given the obscure IP rights around AI, privacy concerns, and more, but does blocking really achieve the desired outcome? If a security team blocks employees from logging-in using work credentials, they can find ways to leverage a solution outside of the network with the same sensitive data. Restricting access becomes increasingly unrealistic given the growing number of ways to evade protections.
The long-term answer for large companies with enough resources is to build their own in-house AI models to provide the same level of support with none of the external security concerns, but that will take time. Companies can help employees make better decisions now.
Since the birth of browser-based security, the most closely-related discipline to securing SaaS, blocking websites and restricting activities have been the primary methods for thwarting phishing scams and ransomware attacks. However, this drives user frustration because the enterprise is, in some cases, eliminating a preferred action with no explanation as to why and no alternative. Enterprises must begin blocking with an explanation or allowing activities under certain controllable circumstances. In both instances, companies are providing context or a solution.
Using the same aforementioned ChatGPT example, organizations can instead implement just-in-time guidance on user workspaces alerting them of an insecure action and forcing an alternative option that satisfies both security teams and workers. Employees can be directed to select a comparable service that is acceptable, offer different security options within ChatGPT or be told to avoid using specific words or phrases when inputting prompts.
Most emerging SaaS security technology focuses on alerting users of a wrongful action after-the-fact; but this doesn’t solve the problem because it’s unlikely to become a learned behavior. It’s why cybersecurity awareness training continues to be ineffective with only 10% of all employees remembering all of the training when it comes time to use it.
Preemptive alerts accompanied by explanations are also excellent for phishing scams, improving password etiquette, and other areas of cybersecurity outside of just SaaS permissions. If an employee is about to click on a problematic link, intuitive software can stop the action, explain the reason, and suggest an alternative that does not compromise security.
Additionally, it can significantly help with the rampant misuse and reuse of passwords that creates easy targets to infiltrate systems. Even something as simple as reminding employees to use single sign-on (SSO) for all federated SaaS applications helps maintain compliance and allows security teams to improve visibility. Average employees aren’t aware of how important password behaviors are to overall security posture.
With SaaS sprawl continuing to plague organizations, ensuring basic cyber hygiene becomes more important than ever. There is decades of evidence that employees continue to be the weakest link in an organization's security posture, regardless of how advanced cybersecurity technology has become. Moving forward, CISOs need to focus on effective methods to help employees feel a part of the solution instead of trying to remove them as a problem.