5 Shadow IT Practices That Put Technology Companies at Risk

Travelers umbrella logo.
By Travelers
3 minutes
Shadow IT practice of using a USB on a laptop.

What is Shadow IT?

Shadow IT consists of projects conducted out of compliance with official company policies and without oversight from the company’s corporate IT function.

Unlike ransomware, spear phishing and other technology threats that largely attack from outside company walls, the risks of Shadow IT often start from within. Employees who conduct technology projects on a “Shadow” basis – outside official company policies and without company IT oversight – may be putting their company’s intellectual property and sensitive data at risk.

The practice of circumventing official IT channels can leave a virtual door open to hackers and cyber thieves, who see Shadow IT as a favorite playground for launching an attack. Cloud services and personal devices can lack adequate security measures and employees with non-technical backgrounds may not know how to properly protect data.

Business leaders are often drawn to Shadow IT projects for productivity, affordability and ease-of-use, a trend that is only likely to increase as employees are able to implement new technologies with minimal engineering help. Companies need to understand the risks of Shadow IT to manage and minimize the threats that it poses.

What is shadow IT.

Here are 5 shadow IT practices that put technology companies at risk:

Practice #1: Substandard Development Techniques

Managers who engage in shadow application development may be operating with a dangerous knowledge deficit. Evaluating development of an application requires a good working knowledge of software architecture, design patterns and the latest secure programming techniques – skills few nontechnical managers possess. Not keeping up with the latest secure programming techniques could lead to security problems that result in a loss of sensitive data.

Practice #2: Over-Reliance on Shadow Cloud Provider Security

Technology managers may assume that cloud providers automatically handle all of their security needs out of the box. If the Shadow IT buyer doesn’t take the time to learn how to use cloud security features, it could leave the cloud environment vulnerable to attack. Security is a shared responsibility and cloud buyers must educate themselves and their teams on how to securely use the new infrastructure.

Practice #3: Unsecured Shadow File Storage

Employees can easily send files to their personal cloud space to work on them at home, but they may fail to take even the most basic security precautions when using these services. Hackers can defeat password protections and gain access to unencrypted personally identifiable information (PII) and protected health information (PHI). Administrators can’t monitor or audit the flow of this data, meaning that in the event of a breach, they can’t be sure which data has been compromised. In addition, the administrator can’t know if an employee’s personal account has been breached.

Shadow IT white paper interrupter.

Shining a Light on Shadow IT

Download our white paper to gain insight into Shadow IT and its unique risk factors faced by technology companies.

Practice #4: Unsecured Shadow Mobility

Bring Your Own Device (BYOD) culture can increase productivity but also introduce security risks, such as employees accessing corporate systems and data on their mobile devices with no security controls in place. Synchronizing between secured and unsecured devices (e.g., corporate laptop and personal tablet) creates another attack point for a cyber thief. Personal devices are also easy to lose, and if a corporate IT department cannot wipe a device remotely, a trained hacker can quickly capture unencrypted corporate data.

Practice #5: Use of Pre-Hacked Shadow IT Drives

Many makers of USB memory sticks, also known as “thumb drives,” do not protect the firmware, which is the embedded software that tells the device what to do when connected to a USB port. A type of weaponized thumb drive attack, known as “BadUSB” can send a sequence of commands to take control of the machine, giving it full administrator privileges. There are no known defenses for these types of USB attacks because malware-scanning software can’t access any USB firmware and its existence won’t show up on security logs.

These are just some of the practices that can put technology companies at risk of a data breach due to the use of Shadow IT. Understanding the risks – and anticipating new ones that will evolve along with technology – can help companies better protect themselves from current and emerging threats.

Person typing on computer.

Top Stories

9 Key Elements of a Data Security Policy

A data security policy helps protect your data from cyber breaches. Help keep your company's data secure by following these essential elements of a data security policy.

Related Products & Services

We understand the complexity of cyber threats and have cyber liability insurance solutions to help protect your business assets.

Travelers offers insurance products and services that keep up with the quickly changing needs of technology companies.

More Prepare & Prevent

Preparing for the Risks of 3D Printing in Manufacturing

From property damage risks to intellectual property risks, learn four key risk categories for 3D printing that technology companies should understand.

Worker examining 3D printing object.

More Prepare & Prevent

11 Steps to Help Protect Your Business from Cyber Extortion

Extortion as a result of a cyberattack is becoming more and more common for all business types and sizes. Businesses can take these 11 steps to help protect against cyber extortion.

System protected from cyber extortion.

More Prepare & Prevent

Cyber Risk Pressure Test

Cybercrime has become increasingly frequent, complex and costly. What could your company be doing to better manage the risk? Take our four-part questionnaire to find out. #HarnessRisk

Red padlock with checkmark icon set atop a grey world map.