Shadow IT: Combatting Hidden Risks Across Your Growing Attack Surface

As the fast-paced business environment drives employees to seek productivity-boosting solutions, many are turning to unauthorized "shadow IT" tools. A recent report [1] found that 65% of all Software as a Service (SaaS) applications are unsanctioned, creating significant challenges for IT professionals managing this SaaS sprawl. Moreover, 35% [2] of data breaches last year involved shadow data, highlighting the difficulties in monitoring and protecting the growing volume of untracked information.

The rise of Shadow IT poses serious potential security risks, compliance challenges, and financial liabilities for organizations. This article will explore common use cases of shadow IT, its impacts, prevention strategies, and identification methods within your organization.

What is Shadow IT?

Shadow IT refers to digital tools, services, or devices that employees use without the knowledge or approval of the IT and security teams. These unauthorized technologies are deployed by authorized users, not malicious external actors. While often arising from good intentions to boost productivity or convenience, these unmonitored resources can pose significant security risks if not properly secured and managed.

These unmonitored resources often have vulnerabilities, such as default passwords or improper configurations. Factors contributing to this trend include employee preferences, a lack of security awareness, and the need for customization and convenience in specific work scenarios.

Examples of Shadow IT include:

  • Messaging Apps: Popular platforms like WhatsApp, Slack, Microsoft Teams, Telegram, Discord, Facebook Messenger, Signal, and Skype are frequently used by employees on work devices, despite not being officially sanctioned by IT.
  • Personal Devices: Employees often use personal devices (BYOD), such as flash drives and smartphones, for storing and sharing sensitive business information, posing security threats.
  • Cloud File Storage: Many turn to convenient services like OneDrive, Dropbox, and Google Drive for file sharing without notifying the IT department, increasing the risk of data exposure.
  • Efficiency Tools: Tools like ChatGPT, Grammarly, Trello, Asana, Airtable, and Monday can enhance productivity but may lack integration with secure corporate IT infrastructure.
  • Email: Employees sometimes send work-related files through personal email accounts, introducing potential security breaches.
  • Conferencing: Unsanctioned videoconferencing tools like Google Meet, Zoom, or Webex may compromise secure communication protocols.
  • IoT Devices: Smart, network-connected devices like cameras, wireless printers, smart TVs, and badge readers can introduce vulnerabilities if not correctly managed by IT.
  • Subnets: As organizations grow or merge, new routable subnets may be added to the digital ecosystem without the knowledge or oversight of the IT team, potentially creating blind spots and security risks.

Addressing Shadow IT proactively is crucial for enhancing security and maintaining control over the organization’s digital landscape.

Why is Shadow IT Growing?

The rise of shadow IT can be attributed to several factors, primarily the need for efficiency and frustration with rigid IT processes. Employees often turn to unauthorized solutions, such as unapproved collaboration tools, to navigate these obstacles. This issue has been further intensified by the recent increase in remote work.

The widespread availability of free user-friendly cloud services is another major contributing factor. These easily accessible applications allow employees to implement tools without going through official IT channels, leading to a proliferation of unsanctioned "shadow IT" within organizations. Furthermore, the adoption of generative AI models, third-party applications, Internet of Things (IoT) devices, and SaaS applications across the organization is expanding the attack surface and putting pressure on security teams.

Additionally, the adoption of DevOps practices has played a significant role in the rise of shadow IT. Cloud and DevOps teams typically prioritize speed and agility over strict processes, which can conflict with the visibility and control that security teams require. As a result, developers may create cloud workloads using personal credentials—not out of malice, but because the formal approval channels can slow them down and risk missed deadlines.

The Unseen Shadow IT Risks You Cannot Ignore

While shadow IT offers certain advantages, companies must not overlook the significant risks posed by unauthorized tools, apps, or devices that can provide cybercriminals with access points. As organizations confront an ever-more ominous threat environment, it is crucial to mitigate the risks introduced by shadow IT, which include:

1. Losing control and visibility

Recent Enterprise Strategy Group (ESG) research [3] reveals that 76% of organizations surveyed experienced a cyberattack due to the exploitation of unknown, unmanaged, or poorly managed internet-facing assets. Unauthorized tools spread business data across platforms, causing inconsistency and complicating traceability. Such data often isn't backed up per corporate policies, making it difficult to control if an employee leaves. This shadow supply chain can lead to lost access to cloud-based data if accounts are hacked or workstations infected. For example, sharing documents through personal Dropbox, Gmail, or WhatsApp can exacerbate these issues.

2. Expansion of the attack surface

Though data loss is an important concern for organizations, data theft is perhaps an even bigger risk. With every instance of shadow IT, the organization’s attack surface is expanded. Since shadow IT is not visible to the IT or cybersecurity team, these assets are not protected by the organization’s cybersecurity solutions, such as endpoint detection and response (EDR), next-generation antivirus (NGAV), or threat intelligence services. Further, shadow IT services are often created using weak or default credentials and may be subject to misconfigurations, all of which can be exploited by adversaries and used as a pathway into the organization’s broader corporate network.

3. Malware and ransomware attacks

Shadow IT tools heighten an organization's risk of malware and ransomware attacks due to poor security hygiene and lack of protection from cybersecurity solutions. These tools often use weak credentials, increasing vulnerability to malware, data leaks, and breaches. According to Cequence [4], 31% of malicious requests in 2022 were aimed at shadow APIs, totaling 5 billion out of 16.7 billion.

4. Data loss

Data and assets stored in personal employee accounts are inaccessible to the company, and if an employee leaves, they may retain access to cloud-based resources, causing the business to lose control. Additionally, shadow IT often operates outside of corporate policies, meaning data stored in cloud servers may not be properly backed up, archived, or encrypted according to company standards. This increases the risk of data theft, as the organization cannot control what data is being stored or downloaded in these unsanctioned applications, potentially exposing the business to malware. The costs to the business from these risks can exceed monetary fines, as the loss of control and visibility can lead to serious data breaches and compliance issues.

5. Increased cost

Though employees may adopt Shadow IT solutions to reduce costs, the long-term impact often undermines the organization. IBM [2] research shows data breaches involving shadow data cost an average of $5.27 million, 16.2% more than breaches without shadow data. These breaches also took 26.2% longer to identify and 20.2% longer to contain on average. Beyond direct breach costs, Shadow IT incurs indirect expenses through non-compliance fines, reputational harm, and the substantial IT effort required to migrate or discontinue unauthorized services.

6. Regulatory compliance issues

Rogue apps and services make it challenging to maintain compliance, as network blind spots can turn into governance issues. In industries subject to cyber regulations like SEC requirements, DORA, HIPAA, and NIS 2 in the EU, shadow IT creates additional audit points where improper data management by third parties could result in costly lawsuits, fines, or penalties for non-compliance.

7. Damage to reputation

Shadow IT, or the use of unauthorized tools, can undermine an organization's ability to protect sensitive information. When employees communicate with vendors or customers via unapproved applications, it suggests weak governance and control, damaging the organization's trust and credibility. Also, using shadow IT may lead to disruptions due to incompatibility or integration issues. This impacts the quality of service delivery, harming an organization’s reputation.

Mitigating Shadow IT Risks

To effectively mitigate the risks of shadow IT, your organization should adopt a comprehensive strategy that includes the following approaches:

  1. Risk Assessment: To address the root causes, engage with the various business units and identify the pain points driving employees to seek unauthorized solutions. Then, streamline IT processes to reduce friction and make it easier for employees to complete their tasks through approved channels, minimizing the temptation to bypass security measures.
  2. Awareness and Training: Educate employees about the risks of shadow IT and provide approved alternatives. Foster a culture of collaboration and open communication between IT and business teams, encouraging employees to seek guidance when selecting technology solutions.
  3. Develop Policies: Establish clear, comprehensive policies that define and communicate guidelines for the appropriate use of personal devices, software, and services. Enforce consequences to ensure compliance and accountability for any policy violations.
  4. Employ technology: Implement discovery and monitoring tools that allow your IT team to continuously identify all unknown and unmanaged assets. By adopting External Attack Surface Management (EASM) tools, you can gain a centralized view of your organization's external-facing digital footprint, enabling you to effectively plan and execute remediation to address security gaps and minimize the impact of shadow IT.
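Step 4 describes continuous discovery of unknown and unmanaged assets. The Python script below is an added example written for this article, not ZeroFox's code or part of the original post. It reconciles what is observed on the network against what IT has sanctioned in two ways: destination domains in web-proxy logs are checked against an approved-SaaS list (covering the cloud storage, messaging and efficiency tools listed under "What is Shadow IT?"), and source addresses are checked against the inventory of known internal subnets (the "Subnets" example in that same list). The log format, the app catalogue, the subnet inventory and the sample log lines are all constructed assumptions.

```python
"""Shadow IT discovery over web-proxy logs (added example, not ZeroFox code).

Reconciles observed network activity against IT's sanctioned inventory:
  * destination hosts vs. the approved SaaS catalogue
  * source IP addresses vs. the known internal subnets
Every input below is constructed sample data; real deployments would read
proxy logs and the inventory from their own systems.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed catalogue of apps IT has approved: app name -> domain suffixes.
SANCTIONED_APPS = {
    "Microsoft 365": ("office.com", "sharepoint.com", "onedrive.com"),
    "Slack": ("slack.com",),
}

# Constructed map of well-known SaaS domains, used to name what is found.
KNOWN_SAAS = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "api.openai.com": "ChatGPT",
    "web.whatsapp.com": "WhatsApp",
    "trello.com": "Trello",
}

# Constructed inventory of the subnets the IT team knows about.
KNOWN_SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16")]

# Assumed proxy log layout: "<timestamp> src=<ip> user=<name> dst=<host> bytes=<n>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+dst=(?P<dst>\S+)")

# Constructed proxy log lines.
SAMPLE_LOG = """\
2024-05-03T09:14:22Z src=10.10.4.17 user=alice dst=drive.google.com bytes=1048576
2024-05-03T09:15:01Z src=10.10.4.17 user=alice dst=teams.office.com bytes=2048
2024-05-03T09:16:40Z src=10.20.8.3 user=bob dst=dropbox.com bytes=73400320
2024-05-03T09:17:12Z src=10.20.8.3 user=bob dst=app.slack.com bytes=512
2024-05-03T09:18:55Z src=10.10.4.22 user=carol dst=drive.google.com bytes=204800
2024-05-03T09:19:30Z src=192.168.77.5 user=dave dst=api.openai.com bytes=8192
2024-05-03T09:20:02Z src=192.168.77.9 user=erin dst=internal-wiki.corp.example bytes=1024
"""


def parse_log(text):
    """Yield (src_ip, user, dst_host) for every line that matches the layout."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["user"], m["dst"]


def _suffix_match(host, suffix):
    # "teams.office.com" matches "office.com"; "notoffice.com" must not.
    return host == suffix or host.endswith("." + suffix)


def classify_host(host):
    """Return ('sanctioned', app), ('unsanctioned', app) or ('unknown', host)."""
    for app, suffixes in SANCTIONED_APPS.items():
        if any(_suffix_match(host, s) for s in suffixes):
            return "sanctioned", app
    for domain, app in KNOWN_SAAS.items():
        if _suffix_match(host, domain):
            return "unsanctioned", app
    return "unknown", host


def find_unsanctioned_saas(text):
    """Map each unsanctioned SaaS app to the sorted list of users reaching it."""
    users_by_app = defaultdict(set)
    for _src, user, dst in parse_log(text):
        status, app = classify_host(dst)
        if status == "unsanctioned":
            users_by_app[app].add(user)
    return {app: sorted(users) for app, users in users_by_app.items()}


def find_unknown_hosts(text):
    """Destinations in neither catalogue; these need manual triage."""
    return sorted({dst for _s, _u, dst in parse_log(text)
                   if classify_host(dst)[0] == "unknown"})


def find_unknown_subnets(text, known=KNOWN_SUBNETS):
    """Source IPs that fall outside every subnet in the inventory."""
    unknown = {ipaddress.ip_address(src) for src, _u, _d in parse_log(text)}
    return sorted(str(ip) for ip in unknown
                  if not any(ip in net for net in known))


def shadow_it_report(text):
    """Human-readable findings, one line per item."""
    lines = [f"unsanctioned SaaS: {app} used by {', '.join(users)}"
             for app, users in sorted(find_unsanctioned_saas(text).items())]
    lines += [f"unknown destination: {h}" for h in find_unknown_hosts(text)]
    lines += [f"source outside known subnets: {ip}" for ip in find_unknown_subnets(text)]
    return lines


if __name__ == "__main__":
    print("\n".join(shadow_it_report(SAMPLE_LOG)))
```

The script separates three findings that call for different follow-up: an unsanctioned but recognized SaaS app (an approved alternative can be offered, or the app can be brought under management), an unrecognized destination (needs triage before it is blocked or approved), and traffic from an address outside the subnet inventory (a candidate for the unregistered subnets the article describes). Run on a daily log export, it gives the "continuous identification" of step 4 without any agent on the endpoints.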

EASM: A powerful method to shed light on the shadows

The ZeroFox external cybersecurity platform combines the power of AI, full-spectrum intelligence services, and takedown and incident response capabilities. Our External Attack Surface Management (EASM) solution adds powerful continuous discovery, identification, and inventory capabilities to protect your expanding external attack surface, including:

  • Discover and inventory digital assets
  • Analyze and prioritize exposures and vulnerabilities
  • Combat asset sprawl and shadow IT
  • Detect data leakage
  • Reduce phishing and social engineering attacks
  • Adhere to regulatory compliance requirements
  • Visualize your external digital risk from one view

Although shadow IT may appear beneficial, it introduces security vulnerabilities and compliance challenges that cannot be overlooked. Discovering and securing digital assets is essential for adhering to regulations and sustaining efficient workflows.

[1] BetterCloud, State of SaaSOps 2024

[2] IBM, Cost of a Data Breach Report 2024

[3] Enterprise Strategy Group, The Intersection of Attack Surface Management, Cyber-threat Intelligence, and Digital Risk Protection, February 2024

[4] Cequence, API Protection Report Second Half 2022 Findings

Kelly Kuebelbeck

Senior Product Marketing

Kelly Kuebelbeck is a dedicated threat researcher with a strong passion for understanding and combating cybercrime. She has over 15 years of marketing experience in cybersecurity, IoT risk management, and healthcare technology management. As a senior product marketer at ZeroFox, Kelly oversees EASM (Enterprise Attack Surface Management) breach prevention technologies, develops product content, and supports product launches. Before joining ZeroFox, she held marketing leadership positions at Asimily, Smarten Spaces, and Accruent.

Tags: External Attack Surface Management