The risks unauthorised IT products pose to business

Kaspersky Security, Bulletin

Companies are at an increased risk of becoming targets of cyber incidents due to the use of shadow IT by their employees amid the growing trend towards a distributed workforce, a recent study has found. According to research by Kaspersky, in India, 89% of companies suffered cyber incidents in the last two years, and 20% of these were caused by the use of shadow IT.

A recent Kaspersky study showed that, in the last two years, 11% of companies worldwide have suffered cyber incidents due to the use of shadow IT by employees. The consequences of the use of shadow IT can be diverse in their severity, but they are never insignificant, whether it’s the leak of a piece of confidential data or tangible damage to a business.

So, what is shadow IT?

Shadow IT is the part of the company’s IT infrastructure that is outside the purview of the IT and Information Security departments, i.e. applications, devices, public cloud services, etc. that are not used in accordance with information security policies. Deploying and operating shadow IT can lead to serious negative outcomes for businesses. Many instances were found in the Kaspersky study, which revealed that the IT industry had been the hardest hit, suffering 16% of cyber incidents due to the unauthorized use of shadow IT in 2022 and 2023. Other sectors hit by the problem were critical infrastructure and transport & logistics organizations, which saw 13%.

The recent case of Okta proves the dangers of using shadow IT. This year, an employee using a personal Google account on a company-owned device unintentionally allowed threat actors to gain unauthorized access to Okta’s customer support system. There they were able to hijack files containing session tokens that could then be used to conduct attacks. This cyber incident lasted for 20 days and impacted 134 company customers according to Okta’s report.

Outlining ‘blurry shadows’

So, when you are looking for shadow IT, what should you look for? These can be either unauthorized applications installed on employee computers, or unsolicited flash drives, mobile phones, laptops, etc.

But some options are less conspicuous. One example of this is abandoned hardware left over after the modernisation or reorganisation of the IT infrastructure. It can be used ‘in the shadows’ by other employees, acquiring vulnerabilities that will sooner or later find their way into the company’s infrastructure.

Regarding IT specialists and programmers, as often occurs, they can create tailored programs themselves to optimize work within a team/department, or to solve internal problems, making work faster and more efficient. However, they don’t always ask the Information Security department for permission to use these programs, and this could have disastrous consequences.

“Employees who use applications, devices or cloud services that are not approved by the IT department believe that if those IT products come from trusted providers, they should be protected and safe. However, in the ‘terms and conditions’ third-party providers use the so-called ‘shared responsibility model’. It states that, by choosing ‘I agree’, users confirm that they will perform regular updates of this software and that they take responsibility for incidents related to the use of this software (including corporate data leakages). But at the end of the day, business needs tools to control shadow IT when it’s used by employees. The Information Security department will of course still need to conduct regular scans of their company’s internal network to avoid the unauthorized use of uncontrolled and unsafe hardware, services and software applications,” comments Alexey Vovk, Head of Information Security at Kaspersky.

In general, the situation with the widespread usage of shadow IT is complicated by the fact that many organizations do not have any documented sanctions that their employees will suffer as a consequence of going against IT policies in this matter. Moreover, it is assumed that shadow IT could become one of the top threats to corporate cybersecurity by 2025. The good news is that the motivation for employees to use shadow IT is not always malicious; even more often, it’s the opposite. Employees in many cases use this as an option to expand the functionality of the products they use at work because they believe that the set of allowed software is insufficient, or they simply prefer the familiar program from their personal computer.