Shadow IoT signifies the active use of IoT devices and sensors in an organization without the IT department's knowledge of it. All unregistered IoT devices are considered to be shadow IoT.

The easiest way to understand shadow IoT is to compare it to the early days when it was normal for employees to use their personal devices for work purposes. Shadow IoT is the same as that, just on a much bigger scale and with a lot more risks and potential problems.

The problem today lies in the fact that there is an ever-increasing number of IoT devices in the offices of most companies. The higher the number of these devices, the more of them people use irresponsibly, which means more risks are created.

Shadow IoT is much more widespread than people believe – 1/3 of companies have around 1,000 unregistered, shadow IoT devices connected to the organization’s internal network every workday. That includes devices like digital assistants, smart TVs, fitness trackers, gaming consoles, smart appliances, and more.

But besides the risks that come with the sheer number of these devices, the bigger problem is that people rarely try to keep them secure. And what's worse, according to Microsoft, many state-sponsored hackers are already weaponizing shadow IoT devices.

Only risks and problems arise from shadow IoT devices. They take up the company’s bandwidth and introduce additional points of entry to the company’s network. They are not checked nor sanctioned by the IT department, and thus, they pose potential risks to corporate information on the network. Through relatively simple hacks, like DNS tunneling, cybercriminals can easily steal critical company data.

It’s even simple to find these devices on the network. Available search engines like Shodan make it possible for hackers to quickly find unsecured IoT devices that run HTTP, SSSH, SNMP, or FTP.

The irony here is that companies do not benefit from these devices at all. Simple carelessness and a lack of attention to shadow IoT and its risks is the only thing that arises from the use of shadow IoT devices. People don't even know that having unregistered IoT devices is a problem, which makes written policies about it almost entirely useless.

It’s not enough to have written policies about the need to register devices with the IT department. Yes, you need to have rules in place that explain how employees should use Internet-capable devices, but that’s not enough:

• Identify all IoT devices that are not properly secured or create a separate network for them that's not connected in any way to the primary network where all crucial company information is stored.

• Raising awareness is crucial – employees need to be aware of the dangers of shadow IoT because a large portion of the workforce is blind to the problem.

• The Internet-capable products your company and its employees use need to be checked to assess their safety level. More drastically, your organization can also perform security audits with the suppliers of these devices.

• Have a detailed plan for what your organization should do if breach scenarios occur.

Shadow IoT is one of the problems that large organisations face on a day to day base with or without being aware of. In both case, action plans should be implemented in term of security in order to mitigate the risks related to this latter. Some of the necessary actions are mentioned in this article and others should be defined according to the governance and the specific environment of each company based on a global risk-based approach.

Foolproof solutions don’t exist, but security assurance frameworks do, and they allow you to target and deal with Shadow IoT security issues with full knowledge of related risks.

Finally, we strongly recommend you to get in touch with specialized experts in order to help you covering the risks that your organization is facing at this moment!