In the evolving landscape of cybersecurity, the emergence of shadow IT has become a significant concern for organizations worldwide. A recent study by Kaspersky underscores the growing risks associated with this phenomenon, particularly in the context of a distributed workforce. The study reveals a startling statistic: 77% of companies have suffered cyber incidents in the last two years, with 11% of these incidents directly attributed to the use of shadow IT.
Shadow IT refers to the use of applications, devices, and services within a company’s IT infrastructure that are not managed or monitored by the official IT and Information Security departments. This often includes unauthorized applications on employee computers, unsolicited external devices, or even custom software created by IT specialists without proper authorization. The use of shadow IT can lead to severe security vulnerabilities, ranging from data leaks to significant business damage.
The Kaspersky study highlights that the IT industry has been particularly affected, with 16% of cyber incidents in 2022 and 2023 linked to shadow IT. Critical infrastructure and transport & logistics sectors are also notable victims, each suffering 13% of such incidents. A striking example of the dangers of shadow IT is the recent Okta incident, where an employee’s use of a personal Google account on a company device led to a 20-day security breach impacting 134 customers.
Identifying shadow IT can be challenging. It’s not just about unauthorized apps but also encompasses abandoned hardware or tailored programs created by employees to enhance productivity. These elements, while seemingly harmless, can introduce vulnerabilities into the company’s infrastructure.
Many organizations lack documented sanctions for violations of IT policies, further complicating the issue. Employees often turn to shadow IT not out of malice, but to overcome perceived limitations in approved software or out of preference for familiar tools. This tendency could position shadow IT as one of the top threats to corporate cybersecurity by 2025.
The Kaspersky study serves as a wake-up call to organizations worldwide. As the trend towards a distributed workforce continues, it’s imperative for companies to reassess their IT policies, implement robust monitoring systems, and educate employees about the risks of shadow IT. Only through a comprehensive approach can organizations hope to safeguard their digital assets against the hidden dangers lurking in the shadows of their own IT infrastructure.
To mitigate the risks of using shadow IT in an organization, Kaspersky recommends:
- Ensure cooperation between the business and IT departments to regularly discuss new business needs, obtain feedback on the IT services used, in order to create new and improve existing IT services needed by the business.
- Regularly conduct an inventory of IT assets and scan your internal network to avoid the appearance of uncontrolled hardware and services.
- When it comes to personal employee devices, it’s best to give users as limited access as possible to only the resources they need to do their job. Use an access control system that will only allow authorized devices onto the network.
- Carry out training programs to improve the information security literacy of employees. To boost security awareness among employees, educate them with the Kaspersky Automated Security Awareness Platform training program, which teaches safe internet behavior.
- Invest in relevant training programs for IT security specialists. Kaspersky Cybersecurity for IT Online training helps build up simple yet effective IT security-related best practices and simple incident response scenarios for generalist IT admins, while Kaspersky Expert Training equips your security team with the latest knowledge and skills in threat management and mitigation.
- Use products and solutions that allow you to control the use of shadow IT within your organization. Kaspersky Endpoint Security for Business and Kaspersky Endpoint Security Cloud offer Application, Web and Device controls which limit the use of unsolicited apps, websites and peripherals, significantly reducing infection risks even in cases where employees use shadow IT or make mistakes due lack of cybersafe habits.
- Regularly conduct an inventory of IT assets to eliminate the appearance of abandoned devices and hardware.
- Organize a centralized process for publishing self-written solutions so that IT, so Information Security specialists learn about them in a timely manner.
- Limit the work of employees with third-party external services and if possible, block access to the most popular cloud information exchange resources.