Shadow IT – the hidden danger for corporate data

Blog Cybersecurity
Pic Source: Martino Pietropoli via Unsplash

Smartphone, fitness watch and smart coffee machine are quickly logged into the company’s own WLAN. Cloud services can be used to transfer large amounts of data easily. However, this behavior can pose enormous risks for corporate data security.

What is shadow IT?

Shadow IT refers to programs or private devices that employees use unofficially in connection with company data. Unofficially means that the technology is used without consulting a responsible person – such as the CEO or IT manager – about it. Cloud services are a good example. Often, file attachments are too large to send via email. If an employee now uses a cloud service without permission to transfer company information to another device, this is the use of shadow IT. Likewise if he connects his private laptop to the company’s own W-LAN without permission.

In a survey conducted by IT security company Infoblox at the beginning of the year, it became clear that a large number of private devices connect to corporate networks every day in Germany. A third of companies said that more than 1,000 shadow devices log on to their network every day.

Why is it used?

Experience shows that most employees do not act out of malicious intent, but out of ignorance, user acceptance and convenience.

Ignorance

Hardly anyone expects a security risk when connecting the smart coffee machine to the corporate network. It is simply not perceived as a computer. Something similar can be observed when using programs or apps that people use in everyday life. People are so used to using them that the security of the application is no longer questioned in a professional context.

User acceptance

Employees install a computer program or app on their work cell phone primarily because they are convinced of its benefits in everyday work. A good example is project management: Here, work is often still done with Excel spreadsheets. Employees therefore often download programs that they know from their private lives, that they enjoy using and that they can operate intuitively.

Convenience

Convenience also plays a major role. Private devices are often connected to the corporate network because this means they don’t have to sacrifice their own data volume or the company WLAN is faster. With trends such as the use of private devices for work purposes (Bring Your Own Device), companies are also contributing to increased risk. By allowing employees to use their own laptops, tablets or phones, the company may save money, but what programs are installed on the devices and whether data is adequately secured is something they relinquish control over.

What’s so dangerous about shadow devices?

The problem with using shadow IT can be summed up fairly easily: You can’t secure what you don’t know. Every device, every program poses a potential security risk to corporate data. If managers don’t know of their existence, they can’t take the necessary security- or privacy-related precautions. For example, employees may not be made aware of the specific dangers of each technology, data protection settings may not be set, and security programs such as firewalls may not be set up properly or at all. Having more programs and devices also increases the attack surface for cybercriminals.

Each form of shadow IT has its own dangers. We have compiled the most common ones for you:

1. Downloading apps to the company computer or work phone.

When you download an app, you are usually asked for numerous permissions: Access to the address book, photos, documents, microphone and much more. This is exactly where an expert should check if an external company should have access to all this data. Also, the security status of the program should be assessed. If this is not done, the worst case scenario is that you download a malicious program or allow company data to be spied on. After all, confidential e-mails or sensitive data such as account information may also be on the company cell phone.

2. Connecting smart devices to the corporate network

If a private device is infected with viruses or spyware, then it also poses a threat to the company’s data security on the corporate network. Not to mention that the use of private devices can have a negative impact on bandwidth.