Shadow IT and the Risk of Data Exfiltration

by Mark Snodgrass

Organizations have been struggling with issues related to Shadow IT for many years, with the argument being between those seeking greater agility ("shadow IT") and those seeking to maintain corporate controls on data usage ("Corporate IT"). Existential threats such as Ransomware and Data Exfiltration are changing the argument.

In some organizations, departmental budgets have allowed unsupervised development efforts to flourish without governance around the use of corporate data. Implementation of new initiatives such as Data Lakes, Data Warehouses, Big Data, API gateways, Containers, and many other initiatives under the Digital Transformation umbrella have also allowed corporate data to be replicated from databases and unstructured data stores, with the new environment lacking appropriate corporate controls. In many cases, these initiatives are driven by "shadow IT" without the resources to properly manage the environment. Unfortunately, corporate IT ends up appearing "slow" or "unresponsive" in comparison, when in fact, they are attempting to properly safeguard the data.

The nature of hacking has changed. Most recent attacks target the data, not the service. Hackers are no longer interested in just defacing a web site, or even launching a Distributed Denial of Service (DDoS) attack (although there are still plenty of those). The most rewarding attacks are those that deny an organization access to its own data (as in a Ransomware attack) or stealthily steal sensitive corporate/customer data, as in a Data Exfiltration attack.

Shadow IT deployments are often the target of hackers in a data exfiltration attack. They are juicy targets because they have immature processes and technologies, and so are easy prey for sophisticated hacking attacks. In a data exfiltration attack, unless you look for them, you will have no idea the hackers have access to your data, and they attempt to remain hidden so that further data exfiltration is possible down the road. Shadow IT teams rarely have the resources, or even the inclination, to address these challenges.

Corporate management/boards must treat sensitive data protection as a real issue and realize that data exfiltration is an existential threat to their organization. Organizations are suffering irreparable harm from data exfiltration, with losses exceeding the direct financial impact of controlling and recovering from the attack. In consumer-facing organizations, the loss of reputation can be immeasurable. United Airlines, International Hotels Group, Target and Yahoo, all recent attack victims, are still counting the cost of losing customer confidence.

Corporate IT must strengthen their resolve to address the challenges of Shadow IT, or at least manage the risks they introduce to the rest of the corporate environment. They must make sure new initiatives follow minimum client data protection standards, or are denied access to that data. Newer protection technologies may be able to help organizations manage those risks through better Data Loss Prevention (DLP), real-time detection of attacks in progress through Behavioral Analysis and Artificial Intelligence (AI) techniques, protection against Advanced Persistent Threats (APT), and malware detection with real-time updates. In addition to newer technologies, though, good management practices are required. Operating Systems, Java versions, Adobe Flash, Microsoft Office and all the other regular culprits must be patched vigilantly. Organizations must work under the assumption that there is a real risk caused by a lack of patching, and that it is probably better to break a single application than to expose the entire organization to a data exfiltration attack.

Hararei can help your organization address these risks with better technologies and processes. For a free and confidential discussion, please contact us.
