Over the past two years, 85% of companies globally have experienced cyber incidents, with 11% attributed to the unauthorized use of shadow IT.
The figures originate from a recent study conducted by cybersecurity company Kaspersky, exposing a concerning pattern in the corporate realm.
According to Kaspersky, firms are increasingly vulnerable to cyber incidents because of the growing use of shadow IT by employees in an expanding distributed workforce.
“Employees who use applications, devices, or cloud services [...] not approved by the IT department believe that if those IT products come from trusted providers, they should be protected and safe,” said Alexey Vovk, head of information security at Kaspersky.
“However, in the ‘terms and conditions’ third-party providers use the so-called ‘shared responsibility model.’ It states that, by choosing ‘I agree,’ users confirm that they will perform regular updates of this software and that they take responsibility for incidents related to the use of this software.”
The study, published today, highlighted the consequences of shadow IT usage, from the leakage of confidential data to tangible harm to businesses. Notably, the IT industry bore the brunt of these incidents, with a 16% impact in 2022 and 2023, while critical infrastructure and transport and logistics sectors experienced an impact of 13%.
The study also underscored a real-world example of the risks associated with shadow IT, citing a recent case involving Okta. This breach lasted for 20 days, impacting 134 company customers.
“At the end of the day, the business needs tools to control the shadow IT when it’s used by employees,” Vovk added.
“The Information Security department will of course still need to conduct regular scans of their company’s internal network to avoid the unauthorized use of uncontrolled and unsafe hardware, services and software applications.”
As organizations grapple with the challenges of shadow IT, Kaspersky recommended proactive measures to mitigate risks.
These include cooperation between business and IT departments to understand and address new business needs, regular inventories of IT assets, access controls for personal employee devices, and training programs for both employees and IT security specialists.