Shadow IT – Quis Custodiet Ipsos Custodes

17 Dec 2019

Just who is watching the watchmen…

Shadow IT. It sounds very underhand doesn’t it?

Put simply, shadow IT is the use of cloud services, hardware or software by a department or individual within an organisation without the knowledge, involvement or permission of said organisation.

‘The problem with living outside of the law is that you no longer have its protection.’
Truman Capote

Granted, that’s a little dramatic but the theory is sound, as is the question that all businesses need to ask: ‘Do you know what’s lurking within your environment or what your users are doing which they shouldn’t?’

Before we go on, it’s worth noting that we’re not suggesting that everyone who uses shadow IT cloud services, hardware or software has a sinister motive. The vast majority use it legitimately, because it makes their jobs easier, more efficient and/or simpler than what’s available (and vetted) through the IT department.


The Facts


  • According to Netskope’s Cloud Security Report published in August 2019, the average number of cloud services per enterprise increased 3.9% from October 2018 to 1,295, of which a staggering 96.3% (1,247) are not enterprise ready
  • More than 5,000 personal devices connect to enterprise networks every day with little or no endpoint security enabled in one of every three companies in America, the UK and Germany (Forbes)
  • More than 1,000 shadow IoT devices connect to enterprise networks every day in 30% of American, UK and German companies (Forbes)
  • 12% of UK organisations are seeing more than 10,000 shadow IoT devices connect to their enterprise networks every day (Forbes)
  • Associates most often use shadow IT devices to access social media (39%), followed by downloading apps (24%), games (13%), and films (7%). Hackers, organised crime and state-sponsored cybercrime organisations rely on social engineering hacks, phishing and malware injection across these four popular areas to gain access to enterprise networks and exfiltrate data (Forbes)
  • And here’s the odd one which appears to make no sense at all – 82% of organisations say they have introduced security policies governing the use of devices but just 24% of employees are aware of them. And here’s the clincher: 88% of senior IT executives believe their policies are effective…

Of course they do…


What Are We Up Against?


Like food and water for the rest of us, hackers, organised crime syndicates and state-sponsored cybercrime efforts thrive on gaps in threat surface and endpoint security.

Gary Cox, Technology Director of Infoblox is matter-of-fact; ‘With cybercriminals increasingly exploiting vulnerable devices, as well as targeting employees’ insecure usage of these devices, it is crucial for enterprise IT teams to discover what’s lurking on their networks and actively defend against the threats introduced.’

He suggests that the threats include:

A quick on-ramp for hackers to exfiltrate data from enterprise systems

‘Every personal device left unprotected on an enterprise network is an ideal threat surface for hackers and other malicious actors to infiltrate an enterprise network from. The most common technique is to use DNS tunnelling, which enables cybercriminals to insert malware or pass stolen information into DNS queries, creating a covert communication channel that bypasses most firewalls. Project Sauron was one particularly advanced threat, which allegedly went undetected for five years at a number of organisations that used DNS tunnelling for data exfiltration.’

Distributed DDoS attacks are often launched from a series of hijacked connected devices that are often the least protected threat surface on corporate networks

It’s common for DDoS attacks to begin with malicious actors hijacking any vulnerable device they can to launch repeated and frequent queries that bombard the Domain Name Server (DNS) with the intent of slowing down its ability to process legitimate queries, often to the point that it can no longer function.

Creating and targeting botnet armies using vulnerable IoT devices to attack organizations’ enterprise systems is increasing, according to Verizon’s latest 2019 Data Breach Investigations Report. ‘Botnets are truly a low-effort attack that knows no boundaries and brings attackers either direct revenue through financial account,’ according to Verizon’s 2019 study. Botnets are also being used to steal privileged access credentials to an enterprise’s systems that are being accessed from the same personal devices employees are using for social media access and shopping. There have been over 40,000 breaches initiated using botnets this year so far, according to Verizon. The report notes that a variant of the Mirai IoT botnet began scanning for vulnerable Drupal servers in April of this year and was successful in finding the most vulnerable systems globally to install cryptomining software. The attack is known as Drupalgeddon2, and the scope of its vulnerabilities is still being discovered today.

Unsecured personal devices connected to enterprise networks are ransomware landing zones

70% of all malware attacks happen in healthcare according to Verizon’s 2019 Data Breach Investigations Report, because patient health records are bestsellers on the dark web, ranging in price from $250 to over $1,000 per record. Ransomware is a form of malware that, once it takes over a computer or network, threatens to deny access to or destroy an organization’s data. Ransomware can easily intercept an enterprise network after being accidentally downloaded by an employee on either a business or personal device connected to the network.
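The first two threats above both show up in the resolver logs an IT team already has: tunnelling as long, high-entropy labels repeated under one registrable domain, and a DNS flood as a burst of queries from a single client. The script below is an added illustration (not code from the post, Infoblox or any vendor named here) that runs both checks over a constructed sample log; the log format, thresholds and the “last two labels” notion of a base domain are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the post): "<epoch> <client> <qname> <qtype>".
# 10.0.0.9 issues long hex-label queries under one domain (tunnelling pattern);
# 10.0.0.42 fires 150 queries in a single second (flood pattern).
SAMPLE_LOG = "\n".join([
    "1576540800 10.0.0.5 www.example.com A",
    "1576540801 10.0.0.5 mail.example.com MX",
    "1576540802 10.0.0.9 3a7f9c2e1b4d8a6f5e0c.tun.attacker-domain.test A",
    "1576540802 10.0.0.9 9e1d4c7b2a8f3e6d0b5a.tun.attacker-domain.test A",
    "1576540803 10.0.0.9 6c2b8e4a1f9d3c7e5a0b.tun.attacker-domain.test A",
    "1576540803 10.0.0.9 0d5f3a9c7e1b4d2a8f6c.tun.attacker-domain.test A",
    "1576540804 10.0.0.9 4b8a2e6c0f3d1a9e7c5b.tun.attacker-domain.test A",
    "1576540805 10.0.0.7 cdn.example.com A",
] + [f"1576540810 10.0.0.42 host{i}.example.com A" for i in range(150)])

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score far higher than ordinary hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def base_domain(qname: str) -> str:
    # Assumption: registrable domain = last two labels (use a public-suffix list in production).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text, min_label_len=16, min_entropy=3.0, min_suspicious=3, flood_qps=100):
    """Return (client, domain, n) pairs with many long high-entropy labels and (client, second, n) bursts."""
    suspicious = defaultdict(set)   # (client, base domain) -> distinct high-entropy leftmost labels
    per_second = Counter()          # (client, epoch second) -> query count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        epoch, client, qname, _qtype = line.split()
        per_second[(client, int(epoch))] += 1
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            suspicious[(client, base_domain(qname))].add(label)
    tunnelling = sorted((c, d, len(v)) for (c, d), v in suspicious.items() if len(v) >= min_suspicious)
    flood = sorted((c, s, n) for (c, s), n in per_second.items() if n >= flood_qps)
    return {"tunnelling": tunnelling, "flood": flood}

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Thresholds are starting points; tune them against a week of your own resolver logs before alerting on them.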


What Are We Doing About It?


Our portfolio of vendors has got it covered.

  • Netskope’s business model is effectively based on helping organisations tackle shadow IT and to control access and dataflows to and from sanctioned and unsanctioned applications
  • Mimecast has just released (web) App Visibility to their Secure Web Gateway (SWG) capabilities
  • OnDMARC by Red Sift helps companies to lock down unsanctioned use of their corporate email domains
  • Cymulate helps companies to assess the weak points in their infrastructure with actionable insight for improvement and remediation

According to Forbes tech writer Louis Columbus, ‘the most challenging aspect of securing the proliferation of shadow IT devices is protecting the multitude of remote locations that together form their distributed networks.’

The greatest challenge facing CISOs in 2020 is enabling network security. The benefits of BYOD (Bring Your Own Device) initiatives far outweigh the costs and the business case is overwhelmingly positive. However, as we said, the challenge is that the centralised IT security we rely on currently isn’t scaling to support the proliferation of internet-connected user devices, which leaves employees and the business as a whole vulnerable.

Contact us today on or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or what’s better, a full programme of league football over the holidays or a month-long winter break…


Koncise Solutions
