What's in your network? Shadow IT and shadow IoT challenge technology sensibilities

Shadow IT has been a management concern for some time, and now shadow IoT lurks
Written by Joe McKendrick, Contributing Writer

A couple of years ago, a survey found most CIOs thought they had roughly 30 to 40 apps running within their enterprises, but researchers at Symantec estimated that the average enterprise actually had at least 1,516 applications -- a number that has doubled over a three-year period. 



It's not that CIOs are naive. It's just that shadow IT is a difficult thing to measure, since employees pull down apps outside the official channels, and off budget sheets. To some degree, it's purposely overlooked, condoned, or even encouraged, as employees need the right tools to do their jobs, and IT can't always be there.

Now, it appears CIOs are battling shadow IT on two fronts. There are the user-initiated apps and clouds, and there's something more insidious -- "shadow IoT."

User-initiated shadow IT continues unabated. It may be hard to measure shadow IT, of course, and one vendor, 1Password, recently went outside of enterprises, surveying a representative sample of 2,119 US adults who work in an office with an IT department. The survey finds 64 percent of respondents report they have created at least one account in the past 12 months that their IT department "doesn't know about." For close to one-third, 32 percent, this was one shadow account, while 52 percent report creating between two and five accounts that their IT department doesn't know about. For 16 percent, the tally exceeded five accounts. 

Security is often an afterthought, with passwords shared between end-users in an informal fashion.  

The use of shadow IT by business end-users has mixed benefits, since, security issues aside, it may be empowering and productivity-enhancing. However, IoT may not be so forgiving -- and we're just starting to comprehend the scope of it. Research from Infoblox shows that most enterprises (78 percent) had more than 1,000 connected devices on their corporate networks in 2019. This may include laptops or tablets supplied or managed by the company. More than a quarter (28 percent) of respondents reported having 1,000 to 2,000 devices connected, while almost half (48 percent) of organizations have between 2,000 and 10,000.

About 80 percent of IT leaders reveal they have identified shadow IoT devices -- such as unauthorized wireless access points -- connected to their infrastructure. At least 46 percent have discovered up to 20 shadow IoT devices on their networks over the past year, and more than a quarter (29 percent) of organizations saw more than 20. Some saw as many as 50.

IoT devices present a huge attack surface. Recently, researchers at Check Point identified smart light bulbs -- which are likely to be installed en masse, with little oversight from IT managers -- as an easy point of entry for hackers.

It appears most organizations are taking the risk very seriously and as a result have put policies in place to safeguard against external threats. Eighty-nine percent at least have some type of security policy in place for personal IoT devices connected to their network. The authors of the Infoblox report also suggest understanding the changing ecosystem. "Because the risk ecosystem is changing at such a rapid pace, organizations must change their security habits to match. IT managers must stop and consider the wider changing needs of the business. Rethinking the approach to network security will ensure organizations are always one step ahead of cyberthreats."
