Shadow Apps – How Unsanctioned Technology Puts Organizations at Risk
Many organizations are unaware of a simple truth: if you have employees, you have shadow apps lurking in your IT estate. According to a report by Cisco, an eye-watering 80% of users run software not approved by IT, and only 8% of organizations know the true scope of shadow IT within their company.
What is Shadow IT?
Shadow IT refers to any technology, device, or app used within an organization without the knowledge or approval of the IT department. It presents a significant challenge for security teams, because IT cannot protect against vulnerabilities in systems it does not know exist. Left unchecked, shadow apps can cause real harm: according to Forbes, 21% of organizations have suffered a cyber event due to unsanctioned IT resources.
The recent rise in remote working is driving an increase in shadow IT, as employees look for ways to boost their productivity and reduce friction in their day-to-day work.
Examples of Shadow IT
Since “Shadow IT” is an umbrella term, it can encompass a wide range of apps and technologies, but here are a few common examples of shadow IT in the workplace:
- VoIP tools like Skype, Zoom, and Aircall.
- Cloud storage solutions like Dropbox, Google Drive, and NordLocker.
- Unsanctioned physical devices like flash drives, external drives, or BYOD (bring your own device).
- Messaging apps like WhatsApp, Snapchat, Signal, and Telegram.
- Productivity apps like Trello, Slack, Asana, Evernote, and Toggl.
Why Shadow Apps Present a Huge Security Risk
Shadow apps vastly increase the organization's attack surface, giving cybercriminals more opportunities to steal data or install spyware and malware.
For example, suppose an employee needs to send a large file to a colleague but is blocked by the company's attachment limits. If they use unapproved software to get around this, the organization has lost visibility and control over that data. If the unsanctioned app suffers a data breach, or the employee leaves the organization without deleting the file, potentially sensitive information is now outside the organization's control.
Employees also run the risk of using unpatched or unvetted tools, including SaaS products, that contain known vulnerabilities attackers are actively exploiting. Shadow IT can also affect the rest of the IT estate in unforeseen ways, because IT teams have had no chance to test its impact on an already complex environment. Other significant risks include compatibility problems, runaway costs, and non-compliance: organizations risk hefty fines for mishandling company data.

For a recent example of the dangers of shadow apps in action, look no further than the 2020 Truecaller bug that opened the door to scammers. Truecaller is an app that identifies callers and blocks scam calls. A bug in the software allowed cybercriminals to modify their own profiles and insert a malicious link. When a user clicked the link, it ran a malware script that stole personally identifiable information (PII), including name, gender, job title, telephone number, work email, and more. The information of 45.7M users was sold on the dark web.
Next Steps
In a world of rising data breaches, it is more important than ever for organizations to keep a firm grip on their cybersecurity, and gaining complete insight into the shadow apps in use across your organization is a necessary first step. Get in touch today to learn how we can help.
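One practical way to start gaining that insight is to compare what actually leaves the network with the list of apps IT has approved. The script below is an added illustration written for this page, not a tool from the page's author or any vendor: it reads constructed proxy log lines (timestamp, user, method, destination host, bytes sent by the client), skips hosts belonging to sanctioned apps or internal domains, and groups the rest by the SaaS product they belong to, ranking them by upload volume so that a large transfer to an unsanctioned file-sharing service, like the attachment-limit workaround described above, surfaces first. The sanctioned-app list, the SaaS catalogue, the `example.com` internal domain and the log lines are all assumptions made up for the example.

```python
"""Find unsanctioned SaaS in egress proxy logs (added example, not the page's own code)."""
from dataclasses import dataclass, field

# Constructed proxy log lines: timestamp, user, method, destination host, bytes sent.
# These are invented for the example, not a real capture.
PROXY_LOG = """\
2024-03-04T09:12:01Z alice CONNECT drive.google.com 1820
2024-03-04T09:13:44Z alice CONNECT www.dropbox.com 524288000
2024-03-04T09:15:02Z bob   CONNECT slack.com 4096
2024-03-04T09:16:30Z bob   CONNECT web.whatsapp.com 20480
2024-03-04T09:18:10Z carol CONNECT api.trello.com 2048
2024-03-04T09:19:55Z carol CONNECT content.dropboxapi.com 104857600
2024-03-04T09:21:07Z dave  CONNECT intranet.example.com 512
"""

# Apps the organization has approved, with the domains they use (assumed inventory).
SANCTIONED = {
    "Google Drive": ["drive.google.com"],
    "Slack": ["slack.com"],
}

# Assumed catalogue mapping registrable domains to the SaaS product behind them.
# A real deployment would use a maintained application feed instead of a hand-written dict.
SAAS_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "whatsapp.com": "WhatsApp",
    "trello.com": "Trello",
    "zoom.us": "Zoom",
    "telegram.org": "Telegram",
}

# Domains owned by the organization itself; traffic to them is not shadow IT.
INTERNAL_SUFFIXES = ("example.com",)

LARGE_UPLOAD_BYTES = 50 * 1024 * 1024  # flag anything over 50 MiB as a likely file transfer


@dataclass
class Finding:
    app: str
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    bytes_out: int = 0


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the catalogue above; use the
    public suffix list for real data, where e.g. co.uk would break this."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matches_any(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_shadow_apps(log_text: str, sanctioned=SANCTIONED, catalogue=SAAS_CATALOGUE,
                     internal_suffixes=INTERNAL_SUFFIXES) -> list:
    """Group unsanctioned destinations by app, highest upload volume first."""
    sanctioned_domains = [d for domains in sanctioned.values() for d in domains]
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, _method, host, sent = line.split()
        if matches_any(host, sanctioned_domains) or matches_any(host, internal_suffixes):
            continue  # approved app or internal system
        base = registrable_domain(host)
        app = catalogue.get(base, f"unknown ({base})")  # unknown hosts still get reported
        finding = findings.setdefault(app, Finding(app))
        finding.hosts.add(host)
        finding.users.add(user)
        finding.bytes_out += int(sent)
    return sorted(findings.values(), key=lambda f: f.bytes_out, reverse=True)


def report(findings) -> str:
    lines = []
    for f in findings:
        flag = "  <-- large upload, possible file sharing" if f.bytes_out >= LARGE_UPLOAD_BYTES else ""
        lines.append(f"{f.app}: {f.bytes_out / 1048576:.1f} MiB sent by "
                     f"{', '.join(sorted(f.users))} via {', '.join(sorted(f.hosts))}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_shadow_apps(PROXY_LOG)))
```

The catalogue lookup is what turns a pile of hostnames into something a security team can act on: a single Dropbox entry covering both `dropbox.com` and `dropboxapi.com` shows two users and a combined upload volume, rather than two unrelated hosts. Unknown domains are deliberately kept in the output instead of dropped, since a host nobody can name is exactly the kind of shadow app the page is warning about.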