Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Adam Marre
Adam Marre
Connect Directly
E-Mail vvv

Shadow IT: Every Company's 3 Hidden Security Risks

Companies can squash the proliferation of shadow IT if they listen to employees, create transparent guidelines, and encourage an open discussion about the balance between security and productivity.

Twelve years with the FBI and I was ready for anything: espionage, massive cyberattacks, Tom Clancy-esque zero-day exploits. I saw some of that, of course, but more often I discovered and rediscovered that it's the simple things that most often cause catastrophic problems — simple things that plague every company.

For example, midway through my stint as a dedicated cyber agent, we responded to a data breach at a well-known company. Private information, much of it highly sensitive, had been dumped into a repository on the open Internet. Was it the result of state-sponsored actors? Sophisticated activist groups? A brute-force login attack?

No. An employee had placed sensitive data in a free cloud storage account, and run-of-the-mill data thieves had simply posted it online. Despite the fact that this storage provider had a high-profile breach only months earlier, the employee didn't change the account password. A million-dollar problem could have been avoided with a 60-second password reset. This is a great example of the three risks I see in most companies.

  1. Who: Any employee can collect data. With a credit card and Internet access, any individual member of the staff can run critical company functions with or without permission. Most have good intentions. Some don't.
  2. What: Employees can collect any kind of sensitive data. Customer and company data are sensitive and can be immensely valuable. Without guidance, employees can just as easily collect and store Social Security numbers as coffee preferences. But if the Social Security numbers get hacked, you could be on the hook for millions in recovery costs.
  3. Where: Data are invisible and inaccessible to company managers. In the new GDPR world, data that doesn't live in enterprise-controlled systems is much more difficult to retrieve. Worse yet, data in private accounts follow the owner when she leaves the company. What if she's taking a list of your 100 best clients?

It's no surprise that as many as 80% of employees use unauthorized services. What is surprising is that companies have known about this threat for a very long time, yet they're still failing to address it. According to Gartner, "Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year."

When employees use platforms that have not been screened or authorized by a company's technology and security team, they're wading into what's known as "shadow IT." And shadow IT makes it much easier for hackers to steal your company's data. For example, employees will always try to increase productivity in any way they can. They'll rely on unsanctioned cloud-based file storage, survey software, or messaging apps if those apps will save them a few minutes. But this kind of behavior opens up the holes that can cost a company millions of dollars and priceless consumer trust. A 2017 study by the Ponemon Institute found that the average cost of a breach is $3.62 million. There's nothing productive about that. 

Chat-Room Lurkers
Another true story: During an investigation into a network intrusion at a large company, the network engineering team was using a free chat tool to communicate as they fought to regain control of their network. They had not told anyone about this tool, and they had been using it for months. In fact, it became their primary channel as they chased the attackers in their network. Do you see where this is going?

These engineers hadn't involved their infosec team in vetting the tool, and it was set up insecurely. The attackers had joined the very chat group the engineers were using to try to kick them off, and they were tracking the team's every move. We discovered the intruders only by identifying every person in the chat group and isolating several imposters. After that, we moved quickly to a different communications channel. 

In their rush to be productive, the engineers made the problem worse with a sloppy setup of a free tool. The company spent a lot more time and money remediating the breach, and the data loss was much larger than it could have been. They had to spend millions to inform customers and to provide credit protection for those customers.

Squashing Shadow IT
How can your company avoid horror stories like these? Here are four ways to bring security priorities and employee behavior together:

  1. Policy and communication. Companies need a well-defined policy on the use of unsanctioned services and the protection of company data. But policy won't accomplish anything if it isn't communicated to employees. Offer regular training, including explanations of the rationale behind the policy and real-world risks.
  2. Open-minded onboarding. New employees often want to use the productivity tools that were helpful at their previous jobs, so onboarding must include the data security policy. But also use that moment to take new suggestions into account.
  3. What you don't know can hurt you. Survey employees regularly on the resources they're using to illuminate security risks before a breach occurs. If enough employees need a solution, IT should work to find an approved vendor that can securely fill that need.
  4. Partners, not police. Foster an ongoing conversation between employees and your company's security/IT departments about how to balance productivity with security. If your security team reflexively says "no" whenever employees want productivity-boosting tools, employees will just stop asking and use the tools anyway.

Companies can squash shadow IT risk, but they have to be willing to listen to their employees, create transparent guidelines, and encourage an open discussion on the best ways to be both productive and secure.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Adam Marrè, CISSP, GCIA, GCIH, is a Qualtrics information security operations leader and former FBI cyber special agent. Adam has more than 12 years experience leading large-scale computer intrusion investigations and consulting as a cybercrime ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
9/17/2018 | 7:32:17 PM
Shadow IT Senior Management has to step up
Shadow IT happens when policies and procedures prevent employees from doing their work. The case of the insecure chat app in the article is a perfect example.  Unsanctioned FTP clients and back door local user names and passwords are also symptoms of this.  

This happens when senior management refuses to budget for the tools needed to secure Identity and Access  Management in a way that lets employees work efficiently or when they don't buy into those intitiatives. Finally indadaquate IT and Security staff, or undertrained staff also feeds this evil weed. 

If you make it hard or impossible for employees to work efficiently, or fail to factor your kludgy (read often "budget friendly") infrastructure into performance goals, people will find a way to work efficiently.  And why wouldn't they? If I have to get spreadsheets or reports distributed to my supply chain vendors, and that is a poor, manual process that takes a lot of time, you bet I will find a quicker way.  Nobody EVER got a raise for following policy that requires a slow, inefficient process and no review ever says, this employee did less, but they did it securely so give them a bigger raise than the ones who cheated but were more productive.

If you want your people to adher to secure processes, make those processes MORE efficient than a hacked up back door.  

Start incentivizing good behavior  instead of bad, and you will be amazed how secure things become. 

It's just that simple. 

User Rank: Ninja
8/7/2018 | 6:45:14 PM
Shadow IT by any other name
Fine article from a veteran cybersecurity professional about an aspect that doesn't get enough attention.  Call it shadow IT, or something else, it comes down to data governance. 

Where Adam has "What you don't know can hurt you.", I'd add: You can't protect what you don't know you have.  You can't protect data unless you know you have it, and know where it's stored - EVERYWHERE it's stored: every copy, every version, every device, every service, every B2B partner, even the data which can be reconstituted from disparate stores and sources, even the bio-memory of your knowledge workers, past and present.  Too many places?  Next time, limit the places to where it's needed. 

For vast amounts of data, it's too late to regain control (control which was an illusion to begin with); but new data is generated all the time - you do have a chance to a better job of data governance with that.  However, if you don't have an understanding of the fundamental nature of data and information, you're bound to repeat the old mistakes even if you find new ways (or new ways find you), to do that.  Forget the idea of just protecting your "sensitive" data; in time, someone will find a way to make use of any data you leave unprotected to get at the crown jewels.

You have to start somewhere, start with this: don't put any data in front of anyone or on anything that doesn't need that specific data to do a specific job, and only while they are doing that specific task (not whenever they feel like it).  I mean a specific person, not a job title.   Make sure your authentication and authorization always resolves to an entity - not a type. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.