Shadow IT: Hidden Risks Exposed

Key Points

  • Shadow IT refers to any software, hardware, or IT resources used within an enterprise network without the IT department’s knowledge, distinct from malicious malware because it’s deployed by authorized users.
  • Common examples include employees sharing files via personal Dropbox or thumb drives, using non‑standard video‑conferencing tools like Zoom instead of the corporate platform, and connecting personal mobile devices or laptops to the corporate network.
  • Workers gravitate toward Shadow IT because it offers rapid adoption, perceived superior functionality, and flexibility that aligns with client or partner collaboration needs, with roughly 80 % preferring these unsanctioned solutions.
  • This hidden, un‑managed ecosystem expands the organization’s attack surface—studies show a 30 % increase in exposed assets during attack‑surface reviews—and is a major factor in data‑breach risk, contributing to an average U.S. breach cost of about $9.4 million.
  • The proliferation of disparate Shadow IT tools scatters data across multiple platforms, leading to data inconsistency, insecure storage, and heightened vulnerability to adversaries.

**Source:** [https://www.youtube.com/watch?v=yvPc3_wivA8](https://www.youtube.com/watch?v=yvPc3_wivA8)
**Duration:** 00:10:08

Sections

  • [00:00:00](https://www.youtube.com/watch?v=yvPc3_wivA8&t=0s) **Shadow IT: Risks and Realities** - The passage defines shadow IT as unsanctioned software, hardware, or services used by employees—distinguishing it from malware—illustrates common examples (personal cloud storage, alternative video‑conferencing tools, personal devices), and warns that its widespread, fast‑adopting use poses significant security, compliance, and operational challenges for enterprises.

Full Transcript

0:00 Are you aware of the risks lurking within your technology landscape? Join us today as we uncover the truth behind shadow IT and how it can impact your security, compliance, and operational efficiencies.

0:13 In today's session we will explore some real-world examples that illustrate what shadow IT entails, its underlying causes, potential benefits, and inherent risks.

0:24 Let's start off with: have you heard of shadow IT and how it's a big problem for enterprise businesses?

0:35 It refers to software, hardware, or IT resources that are in the enterprise network without your IT team's knowledge. And it's very important for us to differentiate shadow IT from malicious assets, because shadow IT is not malware per se. It is unsanctioned resources deployed by your authorized users.

1:04 Here's a few examples to really paint the picture. Let's say your employees are sharing files from their own personal Dropbox or thumb drive instead of using the company-approved file sharing system. Or they're possibly joining meetings in Zoom instead of the company standard, which may be WebEx. Or even using innocuous grammar checks, or maybe using their own personal mobile and laptop devices in the enterprise network.

1:35 Unfortunately for businesses and their security teams, around 80 percent of employees are preferring to use shadow IT because of its quick adaptability and adoption across the team, as well as its perceived superior functionality. Some of the employees may even be recommended to use these different platforms and applications from their clients and partners, maybe to enhance collaboration on projects per se.

2:04 The trend here that highlights for us is that there is a high demand in efficiency and flexibility in today's workstation.

2:15 The flip side here is that, as I mentioned before, shadow IT is operating outside the awareness and protection of the IT team, so any vulnerabilities that could have been tied to them have gone unaddressed, making shadow IT prime targets for adversaries.

2:32 And according to the article published in 2023 by IBM, the average cost of a data breach in a U.S. company is around 9.4 million dollars. The reason why I'm bringing this up is because shadow IT is actually a key component that increases the likelihood of a data breach.

2:53 Now let's dive into some key points on shadow IT, such as the risks and challenges that it brings forth. Here's what you need to know.

3:08 There is an increase in exposure.

3:13 On average, organizations that undergo an attack surface management review discover that they have 30 percent more exposed assets than they were initially aware of. And as mentioned, since there's so many new assets that are coming into their vision, there was a lot of vulnerabilities that could have gone under their radar as well, making it a key risk to the business.

3:35 Another risk is data insecurity.

3:44 With storing and accessing data across multiple shadow IT applications and devices, it poses the concern of data inconsistency, because you're having this data scattered across multiple different resources, and they could be accessed and distributed as an official invalid and outdated data.

4:07 Another risk is compliance.

4:14 With regulations out there such as HIPAA, PCI DSS, and GDPR, they have very strict regulations on handling personally identifiable information, and if you're not compliant you could risk paying a hefty fee, you could risk your own reputation being on the line, and even facing legal action against your business.

4:36 And last but definitely not least, because there's a whole lot of risks out there with shadow IT, but the fourth one that we're going to be exploring today is business efficiencies.

4:48 Thank you.

4:53 Not all of shadow IT, or multiple different applications and resources that are shadow IT, is going to seamlessly integrate into your IT infrastructure, and this could really hinder workflows and the sharing of information, because if your IT department steps in and tries to change anything on the network or any connecting resources, it could really impede or completely disrupt a relied-upon shadow IT process from executing that the team really relies on to continue their workflow.

5:22 With all of these risks in mind, I also want to pull out a stat here from an article published in 2022 which covers the surface, the state of attack surface management, and it shows that eight in 10, that's right, 8 in 10 organizations have fallen victim to shadow IT compromise within the last year. And even though the risks are very apparent and they've only been increasing, so has the usage of shadow IT, because employees now have very simple and easy access to SaaS-based platforms. They're also using their personal mobile and laptop devices on the enterprise network with the shift to the remote workforce. So that's also a very scary but transparent view for us to have on the risks that shadow IT can bring forth.

6:18 Now, with a clear understanding of the risks of shadow IT, it's also important for us to consider the benefits that may come to the team and the company for us to address it accordingly. So let's cover some of the benefits.

6:36 Starting off with an increase in agility.

6:42 So shadow IT enables your employees to adapt quickly and adopt two different platforms that they choose, so they're also leveraging new technologies that are going to increase the agility of the business.

6:58 There's also the benefit of an increased flexibility with your employees, because now that they're leveraging what they deem are the tools that best fit their role, they're performing in a more productive way and they're also having a more exciting experience that they're more satisfied with.

7:24 Another benefit here is streamlining your IT assets, because with shadow IT it's reducing the cost and resources you need to onboard new IT assets onto your company.

7:44 So taking the risks and benefits into account, it's time for us to effectively mitigate shadow IT. Now let's talk about mitigations.

7:58 So we've seen that even though there are a lot of risks tied to shadow IT, we can't ignore the benefits that the team gives back for us as feedback. We don't want to completely eliminate shadow IT, because we see that a lot of them maybe work more productively and they're more satisfied with their workflow. So to address that, we can then bring shadow IT that we currently have identified along the way and align it with our current standard IT security protocols.

8:37 So while still taking the team's feedback into the benefits, while still keeping a priority on security.

8:46 Another mitigation is implementing different tools that are out there to really help us addressing shadow IT, such as ASM, or attack surface management solutions, that will continuously monitor our internet-facing assets or anything that has been exposed along the way, to also discover and identify the vulnerabilities there so you can assess them and mitigate them accordingly.

9:11 Another tool is going to be cloud asset security brokers.

9:17 This tool allows you to establish secure connections between your employees and your cloud assets while also implementing security measures such as encryption, access controls, and malware detections along the way, and it also has some abilities to continuously fetch your cloud assets, so anything that had been previously unknown will come to light.

9:41 By understanding the risks and benefits that come with shadow IT and implementing the appropriate security measures, organizations can harness the advantages while mitigating the vulnerabilities, ensuring security and efficiency in their technology landscape.

9:58 Thank you. If you like this video and want to see more like it, please like and subscribe. If you have questions, please drop them in the comments below.