Why is shadow IT still such a dangerous security threat?

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, speaks about the risks of shadow IT creating hidden threats within organisations

Can you tell me about Delinea?  

Delinea is a specialist in privileged access management (PAM) and was formed through a merger between two leaders in the field, Thycotic and Centrify. We believe identity is at the heart of cyber security, and privileged access should be the biggest priority in any cyber security strategy. 

The company is built around privileged access control, straightforward and accessible, with a cloud-ready approach that removes the complexity from securing today’s hybrid, multi-cloud IT environments.

What are your role and responsibilities at the company?

As Chief Security Scientist and Advisory CISO at Delinea, I spend much of my time researching the latest cybersecurity threats and seeking to understand how we can reduce the risk they represent.  

I also help to create educational content that can be used to provide cybersecurity best practices that organisations can implement to reduce the risks from cyber threats, whether it’s the latest breed of malware, or long-term issues like shadow IT. Improving security awareness and education has long been a personal passion of mine alongside my role at Delinea.  

What is one of the best pieces of advice you have ever received? 

In a nutshell, try not to be a perfectionist. Don’t be afraid to share your knowledge and content with the world – every little bit that we share helps to make the world a safer place for everyone.  

What is shadow IT and why do employees use it?  

Shadow IT is a blanket term for any kind of system or application being used by employees that is off the radar of the IT or security teams. This can come in any form, from a personal smartphone or laptop, a messaging app, or any number of cloud-based solutions.   

Shadow IT is usually the result of employees prioritising speed over security, particularly if the organisation is somewhat slow at authorising the use of new devices or applications. Let’s say, for example, an employee needs to quickly get their hands on some design software to complete a time-sensitive task. Rather than wait for approval from the IT department, they head over to Google Apps or any number of other application repositories, and download something themselves. This is particularly common in fields like software development, where teams are under increasing pressure from ever-shortening lifecycles.

Shadow IT has become more prevalent in the age of remote and hybrid working. In the early days of the pandemic many workers had to take the initiative to find the tools they needed to be productive at home, and today they may simply be used to getting things done without going through the proper channels.  

What are some of the risks of shadow IT?  

Shadow IT presents a number of security issues that can quickly increase an enterprise’s risk exposure. One of the biggest issues is the possibility of giving threat actors easy access to administrative powers. For example, workers will often have administrative access to local workstations and applications, especially if personal devices are being used for work purposes without the knowledge of the IT team.  

If an attacker compromises a device with local admin rights, they can start leveraging this access to exfiltrate data and plant malware in any corporate systems the machine can access. This also provides a strong base for them to start escalating their privileges to infiltrate the wider corporate IT environment. We often find employees have credentials for privileged accounts insecurely stored on their devices.  

Data management is another critical issue stemming from shadow IT. The use of unmanaged devices and applications can quickly lead to sensitive data being stored in multiple repositories off the grid and outside of company security policies. Devices and applications may also fall outside of regulatory requirements.

This risk is heightened by the cloud. For example, a developer can quickly spin up an instance in the cloud without clearing it with the IT or security teams. Any data uploaded to the instance is now accessible online and outside of the company’s security defences, as unfortunately, with many cloud applications, security is off by default.

What do you see as being one of the top emerging cyber security trends this year? 

Attacks exploiting privileged system access are the biggest concern in the year ahead. Most cyber attacks focus on identity, and the ultimate goal is usually to gain control of a privileged account with a high level of admin capabilities.   

Threat actors are continually deploying new techniques to access and take advantage of privileged accounts, so this should be a top priority for security strategies this year.  

What can we expect from Delinea in 2022? 

Delinea’s mission is to make privileged access management (PAM) available for all organisations and delineate the boundaries of access. In the past it was too expensive or too complex for many firms to achieve, and we aim to change that. All organisations are vulnerable to the abuse of privileged accounts, so PAM must be accessible for everyone.  

 
