5 Shadow IT Practices That Put Technology Companies at Risk
What is Shadow IT?
Shadow IT consists of projects conducted out of compliance with official company policies and without oversight from the company’s corporate IT function.
Unlike ransomware, spear phishing and other technology threats that largely attack from outside company walls, the risks of Shadow IT often start from within. Employees who conduct technology projects on a “Shadow” basis – outside official company policies and without company IT oversight – may be putting their company’s intellectual property and sensitive data at risk.
The practice of circumventing official IT channels can leave a virtual door open to hackers and cyber thieves, who see Shadow IT as a favorite playground for launching an attack. Cloud services and personal devices can lack adequate security measures and employees with non-technical backgrounds may not know how to properly protect data.
Business leaders are often drawn to Shadow IT projects for productivity, affordability and ease-of-use, a trend that is only likely to increase as employees are able to implement new technologies with minimal engineering help. Companies need to understand the risks of Shadow IT to manage and minimize the threats that it poses.
Here are 5 shadow IT practices that put technology companies at risk:
Practice #1: Substandard Development Techniques
Managers who engage in shadow application development may be operating with a dangerous knowledge deficit. Evaluating development of an application requires a good working knowledge of software architecture, design patterns and the latest secure programming techniques – skills few nontechnical managers possess. Not keeping up with the latest secure programming techniques could lead to security problems that result in a loss of sensitive data.
Practice #2: Over-Reliance on Shadow Cloud Provider Security
Technology managers may assume that cloud providers automatically handle all of their security needs out of the box. If the Shadow IT buyer doesn’t take the time to learn how to use cloud security features, it could leave the cloud environment vulnerable to attack. Security is a shared responsibility and cloud buyers must educate themselves and their teams on how to securely use the new infrastructure.
Practice #3: Unsecured Shadow File Storage
Employees can easily send files to their personal cloud space to work on them at home, but they may fail to take even the most basic security precautions when using these services. Hackers can defeat password protections and gain access to unencrypted personally identifiable information (PII) and protected health information (PHI). Administrators can’t monitor or audit the flow of this data, meaning that in the event of a breach, they can’t be sure which data has been compromised. In addition, the administrator can’t know if an employee’s personal account has been breached.
Shining a Light on Shadow IT
Download our white paper to gain insight into Shadow IT and its unique risk factors faced by technology companies.
Practice #4: Unsecured Shadow Mobility
A Bring Your Own Device (BYOD) culture can increase productivity but also introduce security risks, such as employees accessing corporate systems and data on their mobile devices with no security controls in place. Synchronizing between secured and unsecured devices (e.g., corporate laptop and personal tablet) creates another attack point for a cyber thief. Personal devices are also easy to lose, and if a corporate IT department cannot wipe a device remotely, a trained hacker can quickly capture unencrypted corporate data.
Practice #5: Use of Pre-Hacked Shadow IT Drives
Many makers of USB memory sticks, also known as “thumb drives,” do not protect the firmware, which is the embedded software that tells the device what to do when connected to a USB port. A type of weaponized thumb drive attack, known as “BadUSB” can send a sequence of commands to take control of the machine, giving it full administrator privileges. There are no known defenses for these types of USB attacks because malware-scanning software can’t access any USB firmware and its existence won’t show up on security logs.
These are just some of the practices that can put technology companies at risk of a data breach due to the use of Shadow IT. Understanding the risks – and anticipating new ones that will evolve along with technology – can help companies better protect themselves from current and emerging threats.