Executive Missteps: Shadow (IT) Man
- Susan Sons
- Aug 5
- 3 min read
This is the second installment in an ongoing series on how business leaders, often unknowingly, sabotage their organization's cybersecurity...and how not to be that person. Each is inspired by a true story (or several). Find the first installment here.
It's a normal Wednesday morning when the SOC (Security Operations Center) manager gets a knock on her door. One of her analysts has learned that the company's mail server has appeared on major blacklists due to spam complaints. Research flagged a group account in Marketing, which has been disabled, but it's a little odd that all the logins came from different IPs across the country, while no one in that department is on PTO or travel.
The group account is owned by the Chief Marketing Officer (CMO). The SOC manager copies the CISO when she emails the CMO to follow up about the group account. The CMO has no idea what the account is for; he says any relevant group account gets reassigned to him when someone in the department leaves, because he doesn't want a potential client to correspond with a dead email address.
Eventually, the security team found someone in marketing who knew about an off-the-books cloud account the department was still paying for. The CMO had authorized an intern to set up a new CRM he wanted to test outside the company's usual process, to get it done faster. The intern had given the software a copy of the group account's credentials so that it could send and receive email. The software stored the credentials, unencrypted, and the whole project was forgotten after the intern left last year. A forgotten system doesn't get security updates, and soon the server was owned. Attackers used those email credentials to send thousands of spam messages before the problem was discovered.
Shadow IT is any IT asset owned by or integrated with the organization's systems that the IT and/or cybersecurity teams don't know about. It can come in the form of a secret cloud account, using a personal device for business purposes outside of policy, or putting a personal device on an internal network without an exception to policy. It may feel expedient, but doing so puts the organization at risk.
In this case, a temporary test of a marketing tool destroyed email deliverability for the entire organization. Because some organizations update their blacklist entries as little as weekly, even one day of sending spam at a serious volume can cripple an organization for several business days. If the SOC had not been monitoring blacklists, it could have gone on even longer.
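The blacklist monitoring that limited the damage above can be automated with DNS-based blacklist (DNSBL) lookups. The following is an added example, not code from the original post: the zone names are placeholders, the answers are constructed so it runs offline, and the live `system_resolver` is only needed if you swap in real zones.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a DNS name to its A record, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify_answer(answer: Optional[str]) -> str:
    """Interpret a DNSBL answer: NXDOMAIN means clean, 127.0.0.0/8 means listed."""
    if answer is None:
        return "clean"
    code = ipaddress.IPv4Address(answer)
    # Some zones (Spamhaus, for one) report query errors, not listings, in 127.255.255.0/24.
    if code in ipaddress.IPv4Network("127.255.255.0/24"):
        return "error"
    if code in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    return "unexpected"  # a public address here usually means a wildcarding or broken resolver

def check_ip(ip: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Query every zone for one sending IP and return {zone: verdict}."""
    return {zone: classify_answer(resolve(dnsbl_query_name(ip, zone))) for zone in zones}

def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the host resolver; NXDOMAIN surfaces as socket.gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

# Constructed answers standing in for real DNSBL zones so the example runs offline.
CONSTRUCTED_ANSWERS = {"10.2.0.192.dnsbl-a.example": "127.0.0.2"}

def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)

if __name__ == "__main__":
    verdicts = check_ip("192.0.2.10", ["dnsbl-a.example", "dnsbl-b.example"], constructed_resolver)
    for zone, verdict in verdicts.items():
        print(f"{zone}: {verdict}")
    if "listed" in verdicts.values():
        print("ALERT: outbound mail IP is blacklisted; check for compromised accounts")
```

Run it on a schedule against your actual outbound mail IPs and alert on any "listed" verdict; a sudden listing is often the first outside signal that a forgotten system or credential is being abused.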
Creating a Culture of Security
Executives and business leaders at every level can make the organization more secure by setting a standard that shadow IT is unacceptable for any reason, and enforcing that standard:
- Policy should clearly lay out how new IT systems are approved, and how exceptions to policy are approved and recorded. It must also describe what BYOD (Bring Your Own Device) use cases are acceptable or unacceptable.
- When policy or technical controls get in the way of the work, don't circumvent them, *change them*. Good IT and cybersecurity professionals believe in automation and streamlining. They want to tell you how to do something safely, not get in your way.
- Put controls in place to catch shadow IT at any level. This means all the things that good CTOs and CISOs ensure are in place, but also empowering the finance department to question bills from cloud providers and hardware/software vendors.
- Make doing the right thing easy. Ensure a fast guest network is available in all offices (with internet access only, no connection to internal networks) so that people can get on their phone and check what their kids are doing or get banking alerts without mixing personal devices and use cases into the company's IT infrastructure. Ensure people are well-equipped to do their jobs so there's no temptation to use a faster personal laptop or other shadow IT to get the job done.
Wrapping up
I can't say enough that cybersecurity is a leadership discipline as much as it is a technical discipline. Every leader needs to be part of making it work.