
February 6, 2023

3 Shadow IT Trends Security Teams Need to Know

By: Randori Blog


For as long as corporations have enforced acceptable usage policies (AUP), employees have tried to bypass them. But three key trends are making shadow IT more dangerous.

Shadow IT is not just a technological problem. It’s also a people problem.

Shadow IT happens when users cannot, or prefer not to, do their jobs with the applications or devices provided by their employer. While this can result from preference, it often happens due to necessity. More than 9 in 10 employees feel pressure to put business continuity over security. 

Either way, shadow IT has become extremely widespread, so much so that 97% of the cloud apps used by enterprise workforces can be considered shadow IT.

Ask any employee in a modern enterprise if they have used applications outside their AUP, and the answer will probably be yes. 

For example, users who need to share large files might buy their own Dropbox subscription rather than use an employer-provided secure file-sharing service with a lower capacity. Or a team familiar with the Google Suite might use that instead of their organization’s SharePoint service. 

The problem with shadow IT is that shadow IT devices and applications are often misconfigured and unknown to security teams.

The risk shadow IT creates is immense. A study from 2020 found that as many as 49% of all cyber-attacks involve shadow IT assets.

Unfortunately, modern IT environments are making the problem of shadow IT even worse. Here are three shadow IT trends that security teams need to be aware of and one important step they need to take to solve them.

1. Faster Rates of Change Make Shadow IT Worse

Over the past three years, the rate of change within organizations has accelerated dramatically. To keep pace, users keep taking shortcuts IT teams don’t know about. Nearly 4 in 10 organizations claim that change is one of their most significant cyber security challenges. 

Since the pandemic, digital transformation has gone from a buzzword to a core priority for almost every organization. The results to date have been mixed. 

On the one hand, organizations discovered new ways to serve customers and maintain business continuity. Even traditional digital laggards like schools and healthcare providers found ways to help clients and keep staff engaged remotely.

Less positive is that thousands of organizations have rushed a move to distributed working and services, leaving security controls and staff tool sets lagging. 

Proof of this is that in one recent survey from The Economist Intelligence Unit, 83% of IT and business leaders said that they needed better apps and infrastructure to adapt to change. 

Employees, who tend to see AUPs as restrictive rule sets rather than security guard rails, do not wait for management to approve new applications. Younger generations are particularly impatient. Over 40% of millennials will quit their jobs if they feel the technology their employers mandate is not up to par.

2. IT Teams Are Shadow IT Power Users

The worst shadow IT offenders are often IT teams themselves.  

It seems counterintuitive, but IT teams (who are responsible for enforcing usage policies) are more likely to enable shadow IT than the general population of users they support.  

  • A 2022 study showed that 58% of IT teams used unapproved equipment or applications to get their job done. 
  • This is compared to only 38% of general users.

This surprising finding has a lot to do with the realities of frontline IT support work. When approved systems fail to deliver on user needs and ticket backlogs grow, understaffed IT professionals can come under significant pressure to enable workarounds. 

This problem can be particularly acute in organizations that are subsidiaries of larger organizations. It’s not uncommon for IT teams in distant subsidiaries to operate entire shadow networks and even take steps to fool auditors from their corporate HQ.

These scenarios are often found in organizations acquired following a merger and acquisition (M&A) event.

Some IT teams also encourage shadow IT as a way to find new solutions and boost productivity. A 2020 survey of 1,000 U.S.-based IT professionals found that over 74% considered shadow IT a positive trend. 34% said there were no apparent consequences for anyone within their organization using shadow IT in the first place. 

3. Shadow IT Is Now (Mostly) a Cloud Problem

The real shadow IT is not just devices connected to your network but the cloud applications and SaaS accounts that users sign up for without the IT team’s knowledge.

An organization’s known cloud assets and accounts are only a small subset of the accounts and services that employees use to do their jobs. 

A typical organization could have several hundred times more cloud applications in use than it knows about. In fact, as much as 97% of all cloud applications used in a typical enterprise may be shadow IT.

These unknown, cloud-connected assets are highly likely to be misconfigured and pose a significant risk to organizations in every sector.

Research shows that 45% of all breaches occur in the cloud, but with so many assets outside security teams’ viewpoint, the real figure is likely even higher. 

To Fight Back Against Shadow IT Trends, Take a Risk-Based Approach

Organizations cannot stop shadow IT growth. However, they can mitigate its impact on their security posture.

The truth is that shadow IT is on an upward trend as the number of unknown devices, assets, and accounts connected to corporate networks grows.

Scanning your external attack surface will likely highlight hundreds of shadow IT applications and accounts. It also poses a tricky question: which ones do you focus on first?

The only way to answer it is to take a risk management approach to shadow IT. This means finding and focusing on the shadow IT assets that pose the most danger, not just those that are easiest to remove.

For example, it might be easy to remove an obscure app that someone in finance is using to share revenue forecasts and chalk that up as a shadow IT mitigation “win.” But this might overlook actually dangerous activities, like an entire dev team running assets in an unsecured cloud environment. 

Genuinely effective shadow IT mitigation finds and removes shadow IT issues that real-world attackers are likely to exploit. 

Reducing Shadow IT Risk with Randori

The Randori Attack Platform is a powerful solution for helping security teams find and prioritize shadow IT risks.

Randori helps you reduce shadow IT risk by:

  • Finding shadow IT assets on both IPv4 and IPv6 addresses.
  • Prioritizing assets to remediate based on what an attacker is likely to target first.
  • Spotting unexpected changes to your attack surface.

Randori looks for the same vulnerabilities and weaknesses that attackers do and helps you find and fix them before attackers reach them.

Learn more about how Randori can reduce your shadow IT risk. 
