Companies are at an increased risk of becoming targets of cyber incidents due to the use of shadow IT by their employees amid the growing trend towards a distributed workforce, a recent study has found. According to research by Kaspersky, in India, 89% of companies suffered cyber incidents in the last two years, and 20% of these were caused by the use of shadow IT.
A recent Kaspersky study showed that, in the last two years, 11% of companies worldwide have suffered cyber incidents due to the use of shadow IT by employees.
Shadow IT is the part of the company’s IT infrastructure that is outside the purview of the IT and Information Security departments, i.e. applications, devices, public cloud services, etc. but that is not being used following information security policies.
Deployment and operating shadow IT can lead to serious negative outcomes for businesses.
Many instances were found in the Kaspersky study, which revealed that the IT industry – had been the hardest hit, suffering 16% of cyber incidents due to the unauthorized use of shadow IT in 2022 and 2023. Other sectors hit by the problem were critical infrastructure and transport & logistics organizations, which saw 13%.
Recent case of Okta proves the dangers of using shadow IT. This year, an employee using a personal Google account on a company-owned device unintentionally allowed threat actors to gain unauthorized access to Okta’s customer support system. There they were able to hijack files containing session tokens that could then be used to conduct attacks. This cyber incident lasted for 20 days and impacted 134 company customers according to Okta’s report.
Shadow IT can appear in a variety of forms within a company. For example, it can be unauthorized applications installed on employee computers or unsolicited devices such as flash drives or mobile phones. Sometimes, it can even be abandoned hardware left over after the modernization or reorganization of the IT infrastructure. IT specialists and programmers can also contribute to the problem by creating their own tailored programs without obtaining authorization from the Information Security department.
Employees may use shadow IT to expand the functionality of products used at work, believing that trusted providers offer safe and protected software. However, third-party providers often use a “shared responsibility model” that states users are responsible for updating the software and handling incidents related to its use.
It is crucial for businesses to have tools that can control and monitor shadow IT when used by employees. Kaspersky recommends using its Endpoint Security for Business and Endpoint Security Cloud, which offer functions to limit the use of unsolicited apps, websites, and peripherals. However, organizations also need to have policies in place to address shadow IT and educate their employees on the risks involved.
The motivation for employees to use shadow IT is not always malicious, as they may do it to expand the functionality of products or to solve internal problems. To mitigate the risks of using shadow IT, Kaspersky recommends ensuring cooperation between IT departments and businesses to discuss new needs, conducting regular inventories of IT assets, implementing access controls, conducting training programs, and using products and solutions that can control the use of shadow IT.