HIDDEN THREATS

Matt Walmsley remembers well a meeting he was once in with the chief information security officer of a major company with thousands of employees.

The CISO, says Walmsley, who is head of EMEA marketing for the cybersecurity company Vectra, thought that there were seven to 10 logins for Office 365 in the company. In fact, there were 78.

“He was completely blindsided,” says Walmsley, adding that such lack of awareness of the IT assets in a company is “not unusual”.

This is the world of shadow IT, of applications and networks built up alongside the official assets of a company that are overseen by the main IT department and cybersecurity staff.

Departments sometimes want to buy their own IT assets or services in order to cut through bureaucracy and save time. But shortcuts may bring risks.

As Marco Rottigni, chief technical security officer EMEA at Qualys puts it, shadow IT can be “unknown, unmanaged, unprotected and potentially risky”.

“The teams that do the administration don’t have the skills, competence and knowledge to provide the security to mitigate these risks,” he says.

“This is why the security department exists, the compliance department exists.”

So, what are the security risks linked to shadow IT? Adam Palmer, the chief cybersecurity strategist at the cybersecurity company Tenable, says that lack of visibility is a key issue.

“Security teams often struggle to identify all assets connected to the corporate network. You can’t protect new devices if no one knows they are on the network. These assets may be insecure or obsolete,” he says.

The IT department’s various firewalls and other security devices may not be protecting shadow IT assets, and there is no guarantee that software updates and the like are regularly being installed.