As home and remote working have become increasingly prevalent, companies are finding themselves more at risk to cyber threats due to the proliferation of “shadow IT” among employees.

This warning follows a recent study by Kaspersky which found that 77% of companies had suffered from cyber incidents over the past two years and 11% of these were directly caused by the unauthorised use of shadow IT.

Shadow IT is characterized as company IT infrastructure operating outside the purview of the IT and Information Security departments – encompassing applications, devices, and public cloud services that are not utilised as per information security policies.

This indiscriminate use of shadow IT has led to a range of incidents, varying in severity but never insignificant, and can result in business damage or the leak of confidential data.

The Kaspersky study presented a significant finding that the IT industry was the hardest hit by this issue, with 16% of cyber incidents in 2022 and 2023 ascribed to unauthorised use of shadow IT. Other sectors impacted were critical infrastructure and transport & logistics organisations which saw 13% of incidents due to the unauthorised use of shadow IT.

The recent case of Okta illustrates the potential dangers shadow IT can present. In this year, an Okta employee using a personal Google account on a company-owned device inadvertently allowed threat actors access the company’s customer support system.

The threat actors were then able to hijack session tokens, which consequently enabled them to execute attacks. The incident lasted for 20 days and impacted 134 of Okta's customer companies.

Shadow IT use by employees tends to stem from either unauthorised applications being installed on work computers, or through unsanctioned peripherals such as mobile phones, flash drives or laptops.

More inconspicuous examples include abandoned hardware left after the modernisation or reorganisation of the IT infrastructure. If these are utilised by employees in the shadows, vulnerabilities can seep into the company’s infrastructure.

IT specialists and programmers can create tailored programs to optimize work within teams or departments, but they don’t always secure authorisation from their Information Security Department, which can result in disastrous consequences.

Additionally, personnel who use unapproved applications, devices, or cloud services often believe that as long as the IT products come from trusted providers, they are safe. However, this is not always the case due to the ‘shared responsibility model’ enforced in the providers' terms and conditions that shifts the responsibility of regular software updates and potential incidents onto the user.

"At the end of the day, business needs tools to control the shadow IT when it's used by employees. Application, Web and Device control functions that limit the use of unsolicited apps, websites and peripherals offer this control," said Alexey Vovk, Head of Information Security at Kaspersky.

The situation is worsened by the fact that many businesses do not enforce documented sanctions to deter employees from flouting the IT policies.

With projections indicating that shadow IT could become one of the top threats to corporate cybersecurity by 2025, Kaspersky recommends steps to mitigate these risks including the regular scan of internal networks, improving IT security literacy among employees, and introducing products and solutions that control the use of shadow IT.