A new study has found that companies are at an increased risk of becoming targets of cyber incidents due to the use of shadow IT by their employees amid the growing trend towards a distributed workforce.
According to global research by Kaspersky, 82% of companies surveyed in South Africa suffered cyber incidents in the last two years – and 11% of these were caused by the use of shadow IT. This is over and above another 11% being caused by deliberate malicious behaviour by employees.
And a new study from the security specialists showed that, in the last two years, 11% of companies worldwide have suffered cyber incidents due to the use of shadow IT by employees. The consequences of using shadow IT vary in severity, but they are never insignificant, whether it is the leak of a piece of confidential data or tangible damage to the business.
What is shadow IT?
Shadow IT is the part of the company’s IT infrastructure that sits outside the purview of the IT and Information Security departments – applications, devices, public cloud services etc. – and that is therefore not used in accordance with information security policies.
Deploying and operating shadow IT can lead to serious negative outcomes for businesses. The Kaspersky study found many instances of this: the IT industry was the hardest hit, with 16% of its cyber incidents in 2022 and 2023 caused by the unauthorised use of shadow IT. Other sectors affected by the problem were critical infrastructure and transport & logistics organisations, at 13%.
The recent case of Okta clearly proves the dangers of using shadow IT. This year, an employee using a personal Google account on a company-owned device unintentionally allowed threat actors to gain unauthorised access to Okta’s customer support system.
Once there, they were able to hijack files containing session tokens that could then be used to conduct attacks. This cyber incident lasted for 20 days and impacted 134 companies’ customers, according to Okta’s report.
Outlining ‘blurry shadows’
So, when you are looking for shadow IT, what should you look for? It can take the form of unauthorised applications installed on employee computers, or of unsanctioned flash drives, mobile phones, laptops and so on.
But there are also less conspicuous forms. One example is abandoned hardware left over after the modernisation or reorganisation of the IT infrastructure. It can be used “in the shadows” by other employees, accumulating vulnerabilities that will sooner or later find their way into the company’s infrastructure.
IT specialists and programmers, as often happens, may write a tailored program themselves to optimise work within a team or department or to solve internal problems, making work faster and more efficient. However, they don’t always ask the Information Security department for authorisation to use these programs, and this can have disastrous consequences.
“Employees who use applications, devices, or cloud services that are not approved by the IT department believe that if those IT products come from trusted providers, they should be protected and safe,” says Alexey Vovk, head of Information Security at Kaspersky. “However, in the ‘terms and conditions’, third-party providers use the so-called ‘shared responsibility model’.
“It states that, by choosing ‘I agree’, users confirm that they will perform regular updates of this software and that they take responsibility for incidents related to the use of this software (including corporate data leakages).
“But at the end of the day, business needs tools to control the shadow IT when it’s used by employees,” Vovk adds.
In general, the widespread use of shadow IT is complicated by the fact that many organisations have no documented sanctions for employees who go against IT policies in this matter. Moreover, shadow IT is expected to become one of the top threats to corporate cybersecurity by 2025.
The good news is that employees’ motivation for using shadow IT is not always malicious; more often than not, it is the opposite. In many cases employees use it to expand the functionality of the products they use at work, because they believe the set of allowed software is insufficient or because they simply prefer the familiar program from their personal computer.