Last week Twitter co-founder Jack Dorsey announced to the world that he was stepping down as CEO, and naturally he did it in 140 characters or less.
This makes Jack another statistic of what economists are calling the “Great Resignation,” where millions of Americans are deciding to up and leave their employers. No one knows exactly why; one can speculate that the pandemic was the impetus for making a career change, but the fact remains that people are changing jobs or leaving the workforce altogether at an alarming rate.
In parallel with the rise in employee departures is not only the growing list of replacement requisitions, but also the already long list of new opportunities that organizations are trying to fill. Keeping up proves to be a challenge for most organizations, especially in the technology and healthcare sectors. The economy is not slowing down, despite the mass exodus that is unfolding.
In a recent blog, we highlighted the security threat that arises when employees depart from an organization and share sensitive files with their personal email accounts.
Let’s now highlight the risk that is introduced by 3rd party vendors.
The 3rd Party Surge
It is well understood that any job function can essentially be outsourced. There are firms both large and small that can provide support for any area of business. One of the best ways for organizations to fill the void in both the short and long term is to onboard 3rd party vendors.
A Ponemon Institute report from a few years back revealed that the average company works with approximately 583 vendors; this number has likely spiked in response to what’s happening in the market. A more recent report revealed that within the past two years, 53% of organizations have experienced at least one data breach caused by a 3rd party, with a breach costing an average of $7.5 million to remediate.
Outsourcing mission critical systems, services, and applications to drive the business forward increases both the scale and complexity of the attack surface. Oftentimes organizations do not enforce the same level of security around their 3rd party vendors as they do with their internal users and entities.
Making matters worse is the fact that the security posture for each individual vendor differs dramatically; the larger firms typically have much stronger security programs in place when compared to firms of a smaller size. Being able to truly understand the full extent of an organization’s 3rd party vendor relationships and the associated risks is an uphill climb, which becomes even more difficult when it comes to quantifying digital risk.
Sure, proper vendor due diligence could help mitigate 3rd party risk, but is that really enough? And what happens when 3rd party vendors share sensitive data and files with 4th party vendors? Down the FUD (fear, uncertainty, and doubt) rabbit hole we go!
What does this have to do with Software as a Service (SaaS) applications?
Today, Software as a Service (SaaS) applications are a critical business driver for organizations of all sizes and types. Industry analysts estimate that the SaaS market will grow by more than 20 percent annually, reaching nearly $200 billion by 2024, a level that would represent nearly one-third of the overall enterprise-software market.
Providing 3rd parties with access to business-critical SaaS apps is standard best practice for collaborating on projects or outsourcing them altogether. But how do you centralize the creation and enforcement of granular data access control policies across the entire SaaS application estate? Each SaaS application has some native built-in functionality to mitigate the risk of data overexposure, but those controls are often too light given the confidential and privileged nature of the content being exchanged between an organization and its 3rd party vendors.
There’s a Better Way
DoControl provides a single security strategy that centralizes the enforcement of least privilege – beyond the identity, network, and device levels – throughout an organization’s entire estate of SaaS applications. Existing SaaS application providers either lack these capabilities altogether or they lack the granularity required to be effective in preventing major breaches and data exfiltration. Relying on the native security capabilities of each individual SaaS application is ineffective and does not provide a consistent way to implement data access controls throughout all SaaS application types.
The DoControl solution ingests SaaS application metadata, adds value to existing security investments by providing business context, and creates automated data access control policies that reduce risk.
It would be a herculean effort to try to manually ensure that vendor access is consistently enforced throughout the modern enterprise. DoControl is the only technology vendor that can address this need and can do it in a way that is both secure and operationally efficient, enabling the IT team to focus on other strategic tasks and projects.
Knowledge is Power
You can’t protect what you don’t know exists. If you lack the insight and visibility across all the different SaaS applications that are being utilized by both internal and external users and entities, then it is extremely challenging to get an accurate assessment or quantification of the risk that you are faced with. Take the first step in uncovering that risk and request a demo of the DoControl solution.
After a demo, a DoControl expert can provide you with remediation strategies that deliver immediate impact and offer workflows to keep your cybersecurity hygiene future proof. Get started today.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.