Shadow IT: COMPLEXITY


Your IT department is doubtless doing its best to keep all sensitive data out of the hands of malicious actors. To do this, it needs to be aware of all technologies that are used within your organization. Any type of IT system, device, software, app or service that doesn’t have the approval of the IT department is called shadow IT.

The use of shadow IT can pose a variety of threats, but perhaps the true danger is not knowing which shadow IT services are being used by any given department within an organization. Shadow IT is unvetted technology: it may pose a threat, or it may not. Unfortunately, when it comes to cybersecurity, “not knowing” is a threat in itself. The bottom line is that your IT department can’t perform adequate threat analysis when shadow IT runs amok.

Why exactly is shadow IT a problem? Employees using unauthorized services, such as Trello, can unintentionally expose sensitive data. Trello is a somewhat famous case of this: a wide variety of sensitive information, from employee personal information to which houses have broken locks, was accidentally made public.

Silent Push solutions

Silent Push offers several methods for addressing the potential dangers of shadow IT.

Using the Silent Push explore tool, it’s possible to catalog which services a company uses by looking at CNAME records. If company employees are signing up to unsanctioned services and pointing company hostnames at them, these services will appear in the search results on the explore tool.
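The same CNAME-based inventory can be run over DNS data you already hold. The following is an added example, not Silent Push tooling or code from this page: it classifies CNAME targets from a zone export against a list of approved services. All hostnames, the suffix-to-service map and the approved list are constructed assumptions.

```python
# Added example: inventory third-party services from CNAME records.
# Hostnames, suffix map and approved list are constructed assumptions.

# Constructed zone-file style records for a fictional organization.
SAMPLE_RECORDS = """\
; constructed sample data
support.example.com.   3600 IN CNAME  examplecorp.zendesk.com.
tracker.example.com.   3600 IN CNAME  examplecorp.atlassian.net.
promo.example.com.     300  IN CNAME  examplecorp.github.io.
www.example.com.       3600 IN CNAME  lb1.example.com.
shop.example.com.      3600 IN CNAME  edge.unknown-vendor.example.net.
mail.example.com.      3600 IN A      192.0.2.10
"""

# Illustrative suffix -> service map (assumption; extend for your environment).
KNOWN_SERVICES = {
    "zendesk.com": "Zendesk",
    "atlassian.net": "Atlassian Cloud",
    "github.io": "GitHub Pages",
}
APPROVED = {"Zendesk"}       # services vetted by IT (assumed)
ORG_DOMAIN = "example.com"   # the organization's own domain (assumed)

def parse_cnames(zone_text):
    """Yield (name, target) per CNAME line, lower-cased, trailing dot removed."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            yield fields[0].rstrip(".").lower(), fields[4].rstrip(".").lower()

def match_suffix(host, suffix):
    """Match on a label boundary so 'notzendesk.com' does not match 'zendesk.com'."""
    return host == suffix or host.endswith("." + suffix)

def classify(zone_text):
    """Map each externally pointing hostname to (service_or_target, status)."""
    report = {}
    for name, target in parse_cnames(zone_text):
        if match_suffix(target, ORG_DOMAIN):
            continue  # alias inside our own domain, not a third party
        service = next((svc for suffix, svc in KNOWN_SERVICES.items()
                        if match_suffix(target, suffix)), None)
        if service is None:
            report[name] = (target, "unknown-third-party")
        else:
            status = "approved" if service in APPROVED else "unsanctioned"
            report[name] = (service, status)
    return report

if __name__ == "__main__":
    for host, (svc, status) in sorted(classify(SAMPLE_RECORDS).items()):
        print(f"{host:22} {svc:34} {status}")
```

Targets that match no known suffix are reported as unknown third parties rather than dropped, since an unrecognized provider is exactly the “not knowing” case described above.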

It is also possible to check for specific services, rather than listing every service that different departments within an organization may be using.

Over time, different elements of your infrastructure may become vulnerable to attack, and it’s useful to have a tool that can easily identify whether or not your company or organization is susceptible.

If your company is being targeted by hackers, it is very possible that they are searching for shadow IT. Hackers can develop phishing campaigns specifically targeting unapproved apps that have known vulnerabilities.

Another question your IT department should be asking is whether sensitive data is being shared on shadow IT services. Sharespace and Jira are two examples of services that may be subject to oversharing. By using Silent Push, you can be sure that employees aren’t sharing sensitive data, or at least know the services where oversharing might be occurring.