Shadow IoT: How Unmanaged Devices Put Companies at Risk
Shadow IT is one of the most persistent cybersecurity challenges today. Already, researchers estimate that 53% of departments refuse to use IT-approved tools and 80% of workers admit to using SaaS applications at work without getting approval from the IT department. Then there’s the issue of shadow Internet of Things (IoT) usage complicating matters even more. As IoT device usage has exploded, it’s become increasingly difficult to track and monitor everything that employees allow onto the corporate network.
The idea of using unsanctioned applications or devices has been around for quite some time. Business professionals often take the perspective of “better to beg forgiveness than ask for permission” when it comes to application and device usage. Unfortunately, this creates a major security challenge for even the largest of organizations.
Shadow IoT is a major business risk. IT can’t protect what it doesn’t know about, and the decision to get the job done while going around the IT team now can lead to massive reputational and financial damage down the road. Before we get into the obvious risks and issues around shadow IoT, the specific sub-branch of shadow IT we’re focusing on today, let’s put some definitions around what we’re talking about.
What Is Shadow IoT?
Shadow IoT is any connected device that is unknown to corporate IT. To qualify as “shadow IoT,” the device must have been deployed without the IT department’s knowledge or approval. One example would be a new IP camera that arrives at a remote facility and is installed and attached to the guest network by the local team. That is far from best practice: the centralized IT team responsible for keeping the device protected and up to date won’t even know it is active.
It’s important to understand that shadow IoT is rarely deployed with malicious intent. Employees reason that the IT approval process will take too long for something like a smart TV in the boardroom to show slides for a presentation. Whoever brought the device in was focused on the real job it was needed for, not on a hypothetical security risk.
Unfortunately, taking this action can increase the risk of a data breach or compliance violations in addition to opening up the possibility of other cyberattacks. While the need to get work done is understandable, the reality is that shadow IT and shadow IoT are growing security risks.
Why Is Shadow IT On The Rise?
The expansive definition of shadow IT means that there are a few different proximate causes for its rise in the organization. To start with, it’s easier than ever to sign up for a new SaaS application or cloud service. The trend toward the “consumerization of IT” in terms of B2B products has meant that non-technical teams can readily implement practically any software or device they want without the approval of the IT team.
IoT devices require little more than being turned on and connected to the open internet to start using them. Wireless thermostats, wireless printers, smart TVs, smart voice assistants and more can all be readily allowed into the corporate network without the need to consult with IT. This triggers IoT device sprawl, which complicates discovering and securing all the connected devices on the corporate network.
A perception of slow response times from central IT drives the adoption of shadow IoT and shadow IT; in recent research, 38% of people point to slow IT response times as a reason for going around traditional approval routes. IT teams often are under-resourced relative to their responsibilities.
The rise of remote work is another reason that shadow IT and shadow IoT have increased. A 2021 HP Wolf Security report revealed that 91% of IT teams were pressured to compromise security for better business continuity within remote and work-from-anywhere conditions. As the remote workforce continues to grow, the problem of shadow IT/IoT is likely to grow. Remote employees create multiple challenges in terms of maintaining the balance between security and effectiveness. They will work on less secure home networks, or in remote locations without observing basic security, and even deploy unauthorized applications that get their work done outside the regular approval workflow.
Shadow IoT presents its own risks as well. Security cameras, smart TVs, thermostats, or access control badge readers could be turned into microphones or used to gain initial access to a network. Often, these IoT devices are deployed with default admin credentials in place, making them insecure at best. At worst, shadow IoT devices create active risk by adding more possible footholds to the attack surface and making it easier for threat actors to achieve their goals.
What Are the Security Risks of Shadow IoT?
The security risks of shadow IoT are broad-ranging. The biggest one, of course, is the potential introduction of malware. Every new connected IoT device increases your organizational attack surface, and that applies to every asset: whether the software asset or IoT device is known to your IT team or not, it is still part of the company’s attack surface.
Malware propagates most easily when it’s undetected. Shadow IoT by definition doesn’t have corporate defenses deployed on it. Any IoT device, such as an internet-enabled coffee maker, that’s deployed without IT’s knowledge can give malware a foothold from which it moves laterally through the network, undetected for a substantial amount of time.
IT and security teams can’t protect what they don’t know about. With shadow IoT, that means the connected thermostat set up in a conference room or the smart refrigerator that hasn’t been properly vetted. Simply put, IoT devices deployed without IT’s knowledge or approval are less likely to have mitigations applied to ensure they don’t serve as the foothold of an attack. This makes them inherently less secure and much more likely to be the subject of a data breach or malware deployment.
The risk of a compliance violation is another major concern with shadow IoT. There are innumerable privacy and security regulations worldwide, including HIPAA, GDPR, and CCPA to name a few. Complying with those regulations involves a lot of staff time and effort, ensuring that security controls are up to date and everyone’s business activities are aligned with regulations. Shadow IoT that isn’t protected to corporate and regulatory standards presents the risk of a regulatory violation, especially if the connected device causes a data breach.
Fines for violating a regulatory standard can be severe. GDPR fines, for example, reach EUR 10 million or 2% of a company’s annual turnover in the previous year. HIPAA fines top out at $2.1 million per violation, and that’s for the category of fine related to “willful neglect, not corrected within 30 days.” Shadow IoT would likely fall under that standard if personal health information is being transmitted, without IT’s knowledge or approval, to insecure systems outside IT’s purview. The point of complying with security regulations is to provide guidance for the best possible defenses of important data; shadow IT/IoT circumvents that guidance and creates the risk of a cyber incident.
Why Does Shadow IT Make Security Harder?
The shadow IoT and shadow IT problems complicate securing your company across a few different vectors:
- Vulnerability Management – Understanding which software and hardware vulnerabilities exist in your organization is a massive undertaking even on the best days. There have been more than 15,000 software and hardware weaknesses reported every year since 2018, according to the NVD, with that number only expected to increase. Shadow IT makes understanding the full scope of your exposure to these weaknesses even more difficult than it already is. Unknown assets mean that your vulnerability scanning tool won’t give you a complete answer to exposures because it doesn’t know the full scope of what to look for. You can’t remediate issues on things you don’t know about.
- Patch Management – By the same logic as vulnerability management, patching is impossible for shadow IT assets. Central IT doesn’t know about the asset, whether it’s software, hardware, an IoT device, or something else. Therefore it can’t be patched or included in a patching schedule. And unpatched assets are some of the biggest security risks in the organization.
- Configuration Management – Every device and software asset has specific configurations that can be changed to make it more secure than default settings. IoT devices are no different in this respect, in theory. With shadow IT, these changes aren’t made for the simple reason that IT doesn’t know they need to be. This means the device or software asset isn’t properly hardened against attack.
- Identity and Access Management – IoT devices with default credentials hooked into your network make it easy for threat actors to gain a beachhead into your systems. Shadow IT assets, whether IoT or not, often don’t have strong access controls implemented. Further, there could be orphaned accounts with company credentials attached. Either way, the simple truth is that identity and access management is often not well-thought-out with shadow IT and thus creates a security issue.
- Log Management – Shadow IT assets aren’t tracked anywhere, which means any security or event logs they may or may not generate aren’t centralized. This complicates event monitoring, incident response, and understanding user behaviors.
In any organization, a gap in any one of these security disciplines can create an issue even for sanctioned assets. With shadow IoT, the odds are that several of them are deficient at once. That is what makes these the most dangerous forms of shadow IT: the poor overall hygiene of the deployment exposes it through multiple attack vectors, rather than through a single discipline that one solution owner could resolve.
How Does Asimily Help With Shadow IT?
The Asimily platform is designed to help solve the shadow IT problem in the context of IoT devices. Asimily’s scanning solution builds an up-to-date inventory of every IoT device attached to your network, so you can fully understand the scale of what is connected. This surfaces unknown or hidden assets and allows them to be brought under the management of central IT.
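The reconciliation step that such an inventory makes possible, as an added illustration rather than Asimily’s own code: the script compares constructed DHCP lease records against an approved asset list keyed by MAC address, flagging devices nobody approved and approved devices that turned up on the wrong segment, such as the IP camera on the guest network described earlier. The lease layout, inventory and subnet-to-zone map are assumptions standing in for a real DHCP server export, CMDB and network plan.

```python
# Added example (not Asimily's code): flag shadow IoT by reconciling observed
# DHCP leases against an approved asset inventory keyed by MAC address.
# All MACs, IPs, hostnames, zones and the inventory below are constructed.
from ipaddress import ip_address, ip_network

# Constructed dnsmasq-style lease lines: <expiry> <mac> <ip> <hostname> <client-id>
LEASES = """\
1700000100 aa:bb:cc:00:00:01 10.10.20.15 boardroom-tv *
1700000200 AA:BB:CC:00:00:02 10.10.99.42 IPCAM-4F *
1700000300 aa:bb:cc:00:00:03 10.10.20.16 thermostat-a 01:aa:bb:cc:00:00:03
1700000400 aa:bb:cc:00:00:04 10.10.30.8 hvac-ctrl *
"""

# Assumed CMDB export: MAC -> (owner, zone the device is authorised to live on).
APPROVED = {
    "aa:bb:cc:00:00:02": ("facilities", "iot"),  # camera belongs on the IoT VLAN
    "aa:bb:cc:00:00:04": ("facilities", "ot"),
}

# Assumed network plan: subnet -> zone label.
ZONES = {ip_network(net): zone for net, zone in [
    ("10.10.20.0/24", "corp"), ("10.10.30.0/24", "ot"),
    ("10.10.40.0/24", "iot"), ("10.10.99.0/24", "guest")]}


def zone_for(ip: str) -> str:
    """Map an address to its zone label, or 'unknown' if no subnet matches."""
    addr = ip_address(ip)
    return next((zone for net, zone in ZONES.items() if addr in net), "unknown")


def reconcile(leases: str, approved: dict) -> list[tuple[str, str, str, str]]:
    """Return (mac, ip, hostname, reason) for every lease that is either absent
    from the inventory or present but observed outside its approved zone."""
    findings = []
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # tolerate blank or truncated lines instead of crashing
        _expiry, mac, ip, host = parts[:4]
        mac, zone = mac.lower(), zone_for(ip)  # normalise MAC case before lookup
        if mac not in approved:
            findings.append((mac, ip, host, f"not in inventory, seen on {zone}"))
        elif approved[mac][1] != zone:
            findings.append((mac, ip, host, f"approved for {approved[mac][1]}, seen on {zone}"))
    return findings


if __name__ == "__main__":
    for mac, ip, host, reason in reconcile(LEASES, APPROVED):
        print(f"{mac}  {ip:<12} {host:<13} {reason}")
```

Feeding the real lease table from your DHCP server in place of `LEASES` gives a daily list of devices that vulnerability scanning, patching and log collection are currently missing.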
Shadow IT is a persistent problem in the modern enterprise. As technology decisions get pushed to the organizational edge and central IT remains overwhelmed, shadow IT will likely continue to be a sticking point for many years to come. It doesn’t have to be unmanaged, however, as tools like Asimily can solve the problem by improving visibility into assets throughout the organization and empowering the deployment of security best practices.
To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.