Business users are misusing applications, according to report released today – and IT departments are finding it difficult to stop them.
The Ponemon Institute, in conjunction with application monitoring company ObserveIT, surveyed 610 US IT and cybersecurity practitioners to find out how well they were able to monitor employees’ use of software applications. The report found that only 8% of organizations had deployed commercial monitoring solutions for application usage.
Users may abuse applications for negligent or malicious purposes. “There are good people in an organisation that do stupid things,” said report author Larry Ponemon, highlighting some examples of negligent behaviour. “Things like downloading things to a memory stick and losing it or deciding to share your password with a colleague.”
Malicious activity could be more destructive, or designed to deliberately steal data for sale to a competitor, said ObserveIT CEO Paul Brady. “If you have someone who has been given their notice, or who has performance issues, then that could be a threat,” he said.
Application users can misuse software in various ways, ranging from viewing, copying, or printing data that is meant to leave the building, through to copying files to the public cloud.
Most respondents (three quarters) said that they could identify and contain the copying of data from applications, but only one in four said they could stop employees copying files to a public cloud app. Around six in every 10 respondents said that they could stop people emailing information outside the workplace, with slightly more saying that they could stop people using thumb drives negligently.
One interesting fact from the report is that far fewer people felt confident in preventing these activities when the applications themselves were cloud-based. Companies still don’t seem to have a grip on managing employee activities using SaaS systems.
Applications that can cause security risks if abused by users are many and varied. Respondents to the survey identified on-site e-commerce and Internet apps as the riskiest (74%), while two thirds said that workforce productivity and management apps represented a risk.
Half of all respondents fingered financial and accounting systems as potential points of abuse. Apps hosted in the cloud ranked pretty much the same in terms of riskiness.
In site of this, more companies are planning to move their applications to the cloud, the report said. Roughly 36% of mission-critical apps are in the cloud today on average, and 46% of them will be located in the cloud within the next 12 months on average, the report said.
Just over half of all organizations said that they were unable to capture the actions taken by users when they are logged into applications, and even those that do monitor application users don’t always do it very well.
Another way to break down users is into privileged users and ‘application users’, said the report. Ponemon and Brady added that while many may think solely of IT users as having privileged access, many higher-level business users do, too.
Typically, regular application users were most responsible for threats caused by negligence (71%), whereas malicious threats were typically caused by privileged users.
Where organizations do monitor their users, over two thirds of them (36%) use manual all ad hoc systems. This might explain why so many companies – 28% – said that it was most difficult to monitor user abuse of applications in the office outside of working hours.
Significantly, a low percentage of organizations that monitored their users focused on application users at all. 17% used a homegrown system that monitors both privileged and application users, while 13% did the same thing with a commercial system.
A third of the people who conducted a compliance audit of their ability to identify and contain application users threats found that they had insufficient governance, monitoring, and control processes. Finally, a quarter fell down on user training and awareness.
