
Practically every enterprise worker is using all kinds of unsanctioned apps, AI programs, and browser extensions.
A recent report from LayerX Security found that 99% of enterprise employees have at least one browser extension installed on their workstations, which can pose significant security and privacy risks. More than half of these extensions have access to highly critical resources, such as company passwords, sensitive files, browser data, and more.
In this wild west of unchecked apps, generative AI extensions are a threat on steroids. LayerX said shadow AI can access a company’s sensitive data at twice the rate that other extensions can.
“Organizations have zero visibility into 89% of AI usage,” Or Eshed, CEO and co-founder at LayerX Security, told CIO Upside.
About two out of every 10 workers simply paste data into generative AI tools, and half of that data is company information. Some of these AI extensions are “malicious,” Eshed said, or coded to steal corporate data, spy, or launch cyberattacks.
It’s common for companies that pay for ChatGPT or Microsoft Copilot to find out that they have hundreds of workers using the free version of these apps to bypass “corporate control”, said Rick Caccia, CEO of Witness.ai, a company working to mitigate shadow AI usage.
When data goes into unapproved apps, CIOs lose any kind of visibility. From there, the data can end up just about anywhere – such as hacker forums on the dark web or in the hands of data brokers.
“The data may (also) be sold or used to train other AIs,” Caccia said.
With foreign and domestic corporate espionage costing American companies billions of dollars every year, companies running research and development departments can no longer rely on contracts and patents alone to protect their intellectual property, Matthew Stern, CEO of CNC Intelligence, a cyber and crypto intelligence group, told CIO Upside.
There are some fundamental measures that can be taken to limit shadow IT, including network isolation, two-factor authentication, encryption, and attack simulations. Stern listed three cost-effective steps for reining it in:
- Get visibility. Figure out what software, extensions, and apps your employees are using, and don’t assume you already know.
- Educate your team. Explain what’s allowed, what’s not, and why it matters in plain language, avoiding tech jargon.
- Use your existing tools — or upgrade them if needed — to block or limit risky apps and set up alerts for suspicious activity.
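One way to start on the "get visibility" step, as an added example that is not code from the article or from any of the companies quoted: a Python script that walks a Chromium-style Extensions folder, reads each manifest.json and flags extensions whose permissions reach cookies, browsing history, the clipboard or every site the user visits. The sensitive-permission list is a constructed starting point, the sample manifests are constructed for illustration, and the real profile path (the user's Chrome Extensions directory) is an assumption you supply.

```python
import json
import tempfile
from pathlib import Path

# Extension APIs that reach saved sessions, browsing data or other sensitive resources (constructed list).
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "history", "tabs", "clipboardRead",
                         "nativeMessaging", "management", "debugger", "downloads"}
# Host patterns that let an extension read and modify every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess_manifest(manifest):
    """Summarise one manifest.json (Manifest V2 or V3) into a risk record."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))                 # MV3 lists hosts separately
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 mixes them into permissions
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    broad = bool(hosts & BROAD_HOSTS)
    score = len(sensitive) + (3 if broad else 0)
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "sensitive_permissions": sensitive, "broad_host_access": broad,
            "risk": "high" if score >= 3 else ("medium" if score else "low")}

def inventory(extensions_dir):
    """Walk a Chromium-style Extensions folder laid out as <id>/<version>/manifest.json."""
    records = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        record = assess_manifest(json.loads(path.read_text(encoding="utf-8")))
        record["id"] = path.parent.parent.name  # the folder two levels up is the extension id
        records.append(record)
    return records

# Constructed sample manifests (not real extensions) so the script runs offline.
SAMPLE_MANIFESTS = {
    "aaaaexampleaiassistant": {"name": "Example AI Assistant", "version": "1.0", "manifest_version": 3,
        "permissions": ["tabs", "clipboardRead", "storage"], "host_permissions": ["<all_urls>"]},
    "bbbbexamplecolorpicker": {"name": "Example Colour Picker", "version": "2.1", "manifest_version": 2,
        "permissions": ["activeTab", "storage"]},
}

def demo():
    """Write the sample manifests into a temporary folder and run the inventory over it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            d = Path(tmp, ext_id, manifest["version"])
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return inventory(tmp)

if __name__ == "__main__":
    for r in demo():
        print(f"{r['risk']:6} {r['name']} ({r['id']}) broad={r['broad_host_access']} {r['sensitive_permissions']}")
```

Point `inventory()` at a real profile's Extensions directory to get the same records for what is actually installed; the "high" rows are the ones to review first.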
Managing shadow IT isn’t too costly, fortunately, especially since it’s vital to avoiding digital disasters like ransomware, spyware and IP theft.