Shadow IT and the Risk of Data Exfiltration
by Mark Snodgrass
Organizations have been struggling with issues related to Shadow IT for many years, with the argument being between
those seeking greater agility ("shadow IT") and those seeking to maintain corporate controls on data
usage ("Corporate IT"). Existential threats such as Ransomware and Data Exfiltration are changing the argument.
In some organizations, departmental budgets have allowed unsupervised development efforts to flourish without governance
around the use of corporate data. Implementation of new initiatives such as Data Lakes, Data Warehouses, Big Data,
API gateways, Containers, and many other initiatives under the Digital Transformation umbrella have also allowed
corporate data to be replicated from databases and unstructured data stores, with the new environment
lacking appropriate corporate controls. In many cases, these initiatives are driven by "shadow IT" without the
resources to properly manage the environment. Unfortunately, corporate IT ends up appearing "slow"
or "unresponsive" in comparison, when in fact, they are attempting to properly safeguard the data.
The nature of hacking has changed. Most recent attacks target the data, not the service. Hackers are no
longer interested in just defacing a web site, or even launching a Distributed Denial of Service (DDoS)
attack (although there are still plenty of those). The most rewarding attacks are those that deny an organization
access to its own data (as in a Ransomware attack) or steal sensitive corporate/customer data stealthily, as
in a Data Exfiltration attack.
Shadow IT deployments are often the target of hackers in a data exfiltration attack. They are juicy targets because
they have immature processes and technologies, and so are easy prey for sophisticated hacking attacks. In a data
exfiltration attack, unless you look for them, you will have no idea the hackers have access to your data, and they
attempt to remain hidden so that further data exfiltration is possible down the road. Shadow IT teams rarely have the
resources, or even the inclination, to address these challenges.
Corporate management/boards must treat sensitive data protection as a real issue and realize that data exfiltration
is an existential threat to their organization. Organizations are suffering irreparable harm from data exfiltration,
with losses exceeding the direct financial impact of controlling and recovering from the attack. In
consumer-facing organizations, the loss of reputation can be immeasurable. United Airlines, International Hotels
Group, Target and Yahoo, all recent attack victims, are still counting the cost of losing customer confidence.
Corporate IT must strengthen their resolve to address the challenges of Shadow IT, or at least manage the risks
they introduce to the rest of the corporate environment. They must make sure new initiatives follow minimum
client data protection standards, or are denied access to that data. Newer protection technologies may be able to
help organizations manage those risks through better Data Loss Prevention (DLP), real-time detection of attacks
in progress through Behavioral Analysis and Artificial Intelligence (AI) techniques, protection against Advanced
Persistent Threats (APT), and malware detection with real-time updates. In addition to newer technologies though,
good management practices are required. Operating Systems, Java versions, Adobe Flash, Microsoft Office and all the
other regular culprits must be patched vigilantly. Organizations must work under the assumption that there is a
real risk caused by a lack of patching, and that it is probably better to break a single application than
expose the entire organization to a data exfiltration attack.
Hararei can help your organization address these risks with better technologies and processes. For a free and confidential
discussion, please contact us.