How do shadow IT and obsolete software threaten enterprises?

In the ever-evolving landscape of cybersecurity, enterprises face a myriad of threats that can compromise their infrastructure and data integrity. Among these, shadow IT and obsolete software stand out as significant menaces. A recent study has revealed that 6% of IT assets have reached the end-of-life (EOL) stage, and almost one-third are improperly managed, leaving enterprises exposed to known-but-unpatched vulnerabilities. This article delves into the implications of these findings and explores how organizations can mitigate these risks.

The Growing Menace of Shadow IT

Shadow IT refers to the use of information technology systems, devices, software, applications, and services without explicit IT department approval. While it can drive innovation and efficiency, it often bypasses security protocols, leading to vulnerabilities. Rik Ferguson, VP of security intelligence at Forescout, highlights the exponential growth of non-standard, unmanaged devices exposed to the internet. These devices, configured by non-security-minded users, are less secure and visible than traditional IT assets, making them uniquely vulnerable.

The risks of shadow IT are not just theoretical. In 2023, a threat actor attempted to sell access to Zscaler, a large cloud security company. The breach was traced back to a test server not hosted on the company’s core infrastructure, illustrating the dangers of shadow IT. Similarly, the 2023 Okta attack, which involved unauthorized IT systems, saw corporate credentials saved to a personal Google account before a work laptop was infected by malware. This incident underscores how shadow IT can lead to unauthorized access and potential data breaches.

The Risks of Obsolete Software

Software that has reached its end of life poses significant risks by increasing the attack surface and making organizations more vulnerable to exploits. For instance, the outdated version of JavaScript contributed to a high-profile breach against British Airways in 2018. The infamous WannaCry malware in 2017 exploited vulnerabilities in outdated Windows XP systems in UK hospitals and other critical infrastructure.

IT assets that vendors deem EOL no longer benefit from regular updates or security patches. Although some vendors offer extended support for a fee, this is often prohibitively expensive. For example, the base price for three years of extended security updates for a single Windows 10 PC will be $427 after it reaches end of life in October 2025. While enterprises may secure better pricing, cash-strapped organizations might gamble by continuing to use outdated software.

Ilia Kolochenko, CEO at ImmuniWeb, notes that the problems of shadow IT and outdated software are deeply intertwined. An unpatched instance of Apache Struts enabled the great Equifax data heist of 2017, illustrating how vulnerable outdated software can be. Organizations often fail to keep even officially sanctioned IT systems up to date due to inadequate patch management, compounding the risks posed by shadow IT.

Mitigating the Risks

To combat the risks of shadow IT, organizations should maintain and continually update a comprehensive inventory of all systems, software, users, accounts, data, and third parties with access to corporate data. Regular audits and risk assessments are critical to identifying and addressing vulnerabilities.

Experts agree that tight configuration management is essential: tracking software bills of materials, mapping the external attack surface, and limiting what can be installed on the network. Tim West, Director of Threat Intelligence at WithSecure, emphasizes understanding the attack surface through regular external asset mapping exercises.

The human element behind shadow IT cannot be ignored. Training staff and ensuring existing processes work for their needs is crucial. Security awareness training can help employees recognize the risks of using unauthorized systems and the importance of adhering to security protocols. Javvad Malik, lead security awareness advocate at KnowBe4, stresses the importance of security awareness training in mitigating risks associated with out-of-date software.

Organizations should leverage advanced security solutions to monitor and protect their IT assets. Endpoint protection and patch management are critical controls that should be in place for all IT assets. The Sevco study found that 28% of IT assets are missing at least one critical control, highlighting the need for comprehensive security solutions.
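The inventory, EOL and critical-control checks described in the mitigation steps above can be scripted against an asset inventory. The following is an added example, not code from the article or from Sevco; it assumes a constructed inventory with a sanctioned/unmanaged flag per host, a small vendor EOL table (only the Windows 10 date is the public one; the rest are placeholders), and the two critical controls the article names.

```python
from dataclasses import dataclass
from datetime import date

# Controls the article calls critical for every IT asset.
CRITICAL_CONTROLS = frozenset({"endpoint_protection", "patch_management"})

# Vendor end-of-life dates. Windows 10's date (14 Oct 2025) is public; the other
# entry is a constructed placeholder for this example, not vendor data.
EOL_DATES = {
    "Windows 10": date(2025, 10, 14),
    "LegacyDB 4": date(2021, 6, 30),
}

@dataclass
class Asset:
    hostname: str
    product: str
    managed: bool                      # True if in the sanctioned IT inventory
    controls: frozenset = frozenset()  # controls observed on the asset

def is_eol(asset: Asset, today: date) -> bool:
    """True once the vendor EOL date has passed; unknown products are not flagged."""
    eol = EOL_DATES.get(asset.product)
    return eol is not None and today >= eol

def missing_controls(asset: Asset) -> frozenset:
    """Critical controls the asset should have but does not."""
    return CRITICAL_CONTROLS - asset.controls

def audit(assets, today: date) -> dict:
    """Summarise exposure as counts and percentages, as the Sevco figures are quoted."""
    total = len(assets)
    def pct(n):
        return round(100 * n / total, 1) if total else 0.0
    eol = [a.hostname for a in assets if is_eol(a, today)]
    gaps = {a.hostname: sorted(missing_controls(a)) for a in assets if missing_controls(a)}
    shadow = [a.hostname for a in assets if not a.managed]  # shadow IT candidates
    return {
        "total": total,
        "eol": eol, "eol_pct": pct(len(eol)),
        "missing_control": gaps, "missing_control_pct": pct(len(gaps)),
        "unmanaged": shadow, "unmanaged_pct": pct(len(shadow)),
    }

# Constructed sample inventory; hostnames and products are not real systems.
SAMPLE_ASSETS = [
    Asset("fin-ws-01", "Windows 10", True, CRITICAL_CONTROLS),
    Asset("fin-ws-02", "Windows 10", True, frozenset({"endpoint_protection"})),
    Asset("test-srv-9", "LegacyDB 4", False, frozenset()),
    Asset("dev-lt-03", "Windows 11", True, CRITICAL_CONTROLS),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ASSETS, date(2026, 1, 1)))
```

Run against a real inventory export, the same three lists are the work queue: unmanaged hosts to bring under governance, EOL products to retire or cover with extended support, and control gaps to close.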

Implementing robust IT governance policies is essential for managing shadow IT and outdated software. These policies should outline the approval process for new technologies and software, ensuring that all IT assets are sanctioned and managed by the IT department. Regular policy reviews and updates can help keep pace with technological advancements and emerging threats.

A mid-sized financial firm faced significant risks due to shadow IT and outdated software. The company implemented a comprehensive IT governance framework, including regular audits and risk assessments. They invested in advanced security solutions for endpoint protection and patch management, significantly reducing their exposure to vulnerabilities. Additionally, they conducted regular security awareness training for employees, helping them understand the importance of adhering to security protocols. As a result, the firm experienced a 40% reduction in security incidents within the first year.

Conclusion

Shadow IT and obsolete software represent significant threats to enterprise infrastructure. The findings from the Sevco study underscore the urgency for organizations to address these risks proactively. By implementing comprehensive inventory management, tight configuration controls, regular audits, and security awareness training, organizations can mitigate the risks associated with shadow IT and outdated software. As the threat landscape continues to evolve, staying vigilant and proactive is essential for safeguarding enterprise infrastructure and data integrity.

By taking these steps, organizations can better protect themselves from the growing menace of shadow IT and obsolete software, ensuring a more secure and resilient IT environment.
