Every so often, a new risk category emerges, usually driven by a watershed event. Think about the SolarWinds supply chain attack. In research we are announcing today with the Ponemon Institute, we found the next cybersecurity black swan: nonfederated applications. Our research indicates they account for an estimated 11 to 15 percent of breaches annually.
What are nonfederated applications?
We define an application as nonfederated if it does not support the identity and security standards, such as SAML, or the APIs that identity providers rely on to authenticate users and manage their access. Shadow IT usually refers to SaaS used without IT and security approval; nonfederated applications are a broader category that spans the whole infrastructure and systems spectrum, including on-premises, OT, legacy, and cloud.
Without that support, an identity provider cannot manage these applications, so single sign-on, MFA enforcement, and automated provisioning do not reach them. Unfortunately, 44 percent of security and IT professionals say CISOs underestimate the inherent risks of using them. Is it any wonder that security teams spend 47 hours on average per week investigating potential unauthorized access to these applications?
Based on the Ponemon Institute research, the following are five key findings that show why nonfederated applications will be the next significant threat to manage in cybersecurity:
Elevated cybersecurity risks and breach contributions
Fifty-two percent of organizations have experienced cybersecurity incidents caused by nonfederated applications, and 63 percent of those reported at least four such incidents. These breaches can lead to losing customers and business partners, emphasizing the importance of addressing the security risks associated with nonfederated applications.
Correlating Ponemon's research with the Verizon Data Breach Investigations Report (DBIR) and the IBM Cost of a Data Breach Report, the share of all breaches caused by nonfederated applications can be estimated at between 11 and 15 percent.
Ineffectiveness of security policies and access controls
A staggering 69 percent of respondents say their organizations are ineffective at preventing users from disabling multi-factor authentication (MFA). This finding is particularly concerning because MFA is widely considered one of the most effective controls against unauthorized access, and a nonfederated application cannot inherit the MFA policy enforced by the identity provider. Additionally, 63 percent of respondents say their organizations are ineffective at preventing employees from reusing passwords. Password reuse is a significant security risk: an attacker who obtains a password for one account, for example from a breach elsewhere, can replay it against every other account where it was reused.
The survey also found that 65 percent of respondents are ineffective in preventing employees from retaining access to critical systems after leaving or changing roles. Retained access is a concerning finding, suggesting that many organizations don't have proper access management processes for nonfederated applications. Employees or contractors retaining access to these systems after leaving or changing roles increases the likelihood of a security incident.
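The retained-access and disabled-MFA findings above are gaps that an identity provider cannot close for an application it does not federate, so a compensating control has to look at the application's own account list. The script below is an added example, not part of the Ponemon report or of any vendor's product. It reconciles a hypothetical nonfederated application's local account export (a constructed CSV with assumed column names) against a constructed list of active users from the identity provider, and flags accounts whose owner is no longer active, accounts with MFA switched off, accounts with no identifiable owner, and accounts idle beyond an assumed threshold.

```python
"""Reconcile a nonfederated app's local account export against the IdP roster.

Added example with constructed data. Because the app is not federated, the
identity provider cannot enforce offboarding or MFA for it; this check stands
in for that by comparing the app's own accounts to who is still active.
"""
import csv
import io
from datetime import date, datetime

# Constructed: the IdP (or HR system) reports these people as currently active.
IDP_ACTIVE_USERS = {
    "jenny@example.com",
    "omar@example.com",
    "priya@example.com",
}

# Constructed: a local-account export from a hypothetical nonfederated app.
# Column names are assumptions; adapt them to the real export.
APP_ACCOUNT_EXPORT = """\
username,email,mfa_enabled,last_login
jenny,jenny@example.com,true,2024-05-02
omar,omar@example.com,false,2024-04-28
lee,lee@example.com,true,2024-02-11
svc_backup,,false,2023-12-01
priya,priya@example.com,true,2024-05-01
"""

# Assumed policy: accounts idle longer than this are flagged for review.
STALE_DAYS = 60
# Fixed "today" so the sample run is reproducible.
SAMPLE_TODAY = date(2024, 5, 3)


def parse_app_accounts(csv_text):
    """Parse the app's CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "username": row["username"].strip(),
            "email": row["email"].strip().lower(),
            "mfa_enabled": row["mfa_enabled"].strip().lower() == "true",
            "last_login": datetime.strptime(row["last_login"], "%Y-%m-%d").date(),
        })
    return rows


def find_orphaned(accounts, active_emails):
    """Split accounts into retained-access (owner left) and unowned (no email).

    Unowned accounts, typically shared or service accounts, cannot be matched
    to a person and need a manual owner assignment rather than deletion.
    """
    active = {e.lower() for e in active_emails}
    orphaned, unowned = [], []
    for acct in accounts:
        if not acct["email"]:
            unowned.append(acct["username"])
        elif acct["email"] not in active:
            orphaned.append(acct["username"])
    return orphaned, unowned


def find_mfa_disabled(accounts):
    """Accounts where the user or an admin has switched MFA off."""
    return [a["username"] for a in accounts if not a["mfa_enabled"]]


def find_stale(accounts, today, max_idle_days=STALE_DAYS):
    """Accounts with no login within max_idle_days: removal candidates."""
    return [a["username"] for a in accounts
            if (today - a["last_login"]).days > max_idle_days]


def reconcile(csv_text, active_emails, today):
    """Run every check and return the findings keyed by category."""
    accounts = parse_app_accounts(csv_text)
    orphaned, unowned = find_orphaned(accounts, active_emails)
    return {
        "orphaned": orphaned,
        "unowned": unowned,
        "mfa_disabled": find_mfa_disabled(accounts),
        "stale": find_stale(accounts, today),
    }


def run_sample():
    """Reconcile the constructed export against the constructed roster."""
    return reconcile(APP_ACCOUNT_EXPORT, IDP_ACTIVE_USERS, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding, usernames in run_sample().items():
        print(f"{finding}: {', '.join(usernames) or 'none'}")
```

On the constructed data, `lee` is reported as retained access (not in the IdP roster), `svc_backup` as unowned, `omar` and `svc_backup` as MFA-disabled, and `lee` and `svc_backup` as stale. In practice the roster would come from the IdP's user API or an HR feed and the export from the application's admin console, and the script would run on a schedule so that offboarding gaps surface within days rather than at the next audit.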
Lack of visibility and accurate inventory management
The lack of visibility and accurate inventory of nonfederated applications is a significant challenge for organizations: 38 percent of respondents say they don't have a precise list of nonfederated applications, and a similar percentage say that lack of visibility makes these applications difficult to manage. As the adage goes, you can't secure what you don't know about.
The greater risk, however, is that CISOs are flying blind, likely not having these apps in their risk register. Risk registers are vital in building the cybersecurity budget business case and managing risk appropriately. When a risk like nonfederated applications isn’t in your register, it means no budget to remediate and likely no compensating controls. Our research confirms that both are true.
Hidden costs and productivity losses
Nonfederated applications negatively impact the bottom line due to manual work. An average of 8 people are involved in the provisioning and deprovisioning process in addition to their other responsibilities. The total annual staff cost is $648,000, with a significant portion allocated to the time-consuming manual work of provisioning and deprovisioning, which could be better utilized elsewhere.
From a loss of productivity perspective, organizations spend an average of 7 hours provisioning access for new employees and 8 hours deprovisioning access for outgoing employees. Notice the delta between onboarding and offboarding. For example, when Jenny starts the job, she may begin with a standard set of applications, but by the time she leaves, that list will have grown, and it will take longer to offboard. Business units are bearing the brunt of this costly, manual work, with 63 percent saying IT does not manage access centrally.
Ramifications? Access management work is being done by business units that are likely not trained in security best practices, nor is it likely the highest and best use of their time.
Industry-specific impacts
Financial services were the most represented industry in the survey, with 18 percent of respondents coming from this sector. The health and pharmaceutical industry was also well-represented, at 11 percent of respondents. Both of these industries are known to be prime targets of attackers. According to IBM's 2022 Cost of a Data Breach Report, the healthcare industry experienced the highest average cost per data breach at $10.10 million.
Nonfederated applications are a significant and under-the-radar cybersecurity risk, contributing to many security incidents and breaches. They also create operational challenges and increase IT complexity and costs. CISOs and CIOs can proactively address potential security risks by exploring strategies that identify nonfederated applications and facilitate integration with their identity providers. Download our full report to stay ahead of the curve and secure your company.