Shadow IT: A looming security challenge
Please provide the information below to view the online Mobile Security Index Report.
Thank you.
You will soon receive an email with a link to confirm your access, or follow the link below.
Thank you.
You may now close this message and continue to your article.
- 2024
- Introduction
- Modern work, enabled by mobile
- IoT—everything, everywhere, all at once
- IoT use is especially high in critical infrastructure sectors
- IoT security risks: Amplified in critical infrastructure sectors
- All sectors perceive increased mobile and IoT risk
- Breach risks and impacts are high, especially in critical infrastructure
- Shadow IT: A looming security challenge
- Emerging AI cyberthreats meet new AI defenses
- The disconnect between perceived and actual mobile security
- Critical infrastructure sectors have specific considerations
- Mobile security awareness and solution investments are rising
- IoT security is also making strides
- But IoT security gaps remain
- More to do. More that can be done.
- The call to arms: Move faster
- Appendices
- Contributors
- Download the full report
Whose mobile device is that? Where did it come from? How did it get connected to our network? Is its operating system up to date? Does it meet compliance requirements? These questions are being asked by security professionals inside many organizations today. And as mobile and IoT devices continually connect to enterprise networks, many organizations face challenges in keeping track of them all.
Out of the shadows
We define shadow IT as the use of hardware or software by a department or individual without the knowledge or oversight of the organization’s IT or security team. Shadow IT adoption takes place across all sectors. With so many organizations prioritizing agility and end-user experiences and too few building universal security policies across locations and device types, there’s fertile ground in many enterprises for shadow IT to grow, creating additional security risks.
Without oversight, shadow IT devices are at high risk of misconfiguration, having out-of-date or unpatched software such as apps and operating systems, or having insecure apps downloaded from an untrustworthy source. As a result, end-users are vulnerable to phishing, malware and other attacks.
Survey respondents indicate growing concerns about the risks unmanaged devices pose.
54%
are very or quite worried about shadow IT.
87%
of respondents are at least somewhat worried about shadow IT.
BYOD risks
Companies that allowed employees to use their own devices at work peaked in 2021, in the aftermath of the COVID-19 pandemic.22 Since then, BYOD adoption has stabilized, with a majority of companies either allowing or considering allowing personal device use for work-related tasks. Securing employee-owned devices is often considerably more difficult than securing corporate devices, especially without a mobile device management (MDM) solution in place. In reality, adopting a BYOD policy means making a concession: It’s the same as saying that some shadow IT is okay. If employees are allowed to use their personal devices at work, everyone in the organization is entrusted with responsibilities that once belonged only to the IT department. Still, many organizations offer BYOD policies.
59%
of respondents allow employees to access work email from their personal phones/devices.
An additional34%
are considering doing so.
Secure connectivity
It’s not just mobile device vulnerabilities that generate risks. Insecure connectivity makes it easier to steal data or compromise the confidentiality of sensitive information. For many organizations, the pressure’s on to allow remote workers to use public Wi-Fi, home Wi-Fi and cellular networks. Even those that don’t explicitly allow these types of connectivity often struggle to prevent it in real-world scenarios.
37%
of employees in organizations that ban (or don’t have a policy on) the use of public Wi-Fi use it anyway.
45%
of employees in organizations that ban (or don’t have a policy on) the use of home Wi-Fi use it anyway.
26%
of employees in organizations that ban (or don’t have a policy on) the use of cellular networks or hotspots use them anyway.
Security tools and policy advantages
Research from Ivanti shows that today’s top employees prefer workplace policies that include flexible scheduling and hybrid work that allow them to work where and when they’re most productive.23
80%
of office-based workers highly value workplace flexibility, or find it something they can’t do without.24
41%
would consider changing jobs to gain more flexibility at work.25
79%
agree letting people work anywhere is the future of professional employment.26
To meet their employees’ rising expectations, companies provide support and solutions to enable them to work securely, regardless of their location. Organizations that have defined policies for allowing public or home Wi-Fi use or the use of cellular networks for work purposes have an edge here.
Nearly all respondents (99+%) indicate their organizations have implemented remote access security technologies. The most commonly used solutions in this category include:
Virtual private networks (VPNs)
Identity and access management (IAM) platforms
Cloud access security broker (CASB) tools
Multi-factor authentication (MFA)
In addition, more than two-thirds (66%) of respondents now apply centralized security standards across all projects involving mobile devices and more than half (58%) of IT departments have oversight across these projects.
22 Verizon, Mobile Security Index, 2022.
23 Ivanti, Everywhere Work Report, 2024.
24 Ibid.
25 Ibid.
26 Ibid.