
Digital Blind Spots: Are You Sure Your Company Knows What It Owns?

In today’s rapidly evolving digital landscape, many organizations are grappling with an increasing number of unmanaged, unauthorized digital tools, services, and cloud infrastructure, a phenomenon known as Shadow IT. 

This trend emerges when individual departments or teams within a company procure and implement their own technology solutions without involving the IT or security teams. While Shadow IT can deliver immediate functional benefits to business units, it creates critical blind spots that amplify security risks across the entire organization.

For example, a marketing department might onboard a new social media tool, or an HR team could adopt a recruitment platform. These systems are often set up to meet immediate needs, but if IT isn’t aware of them, they remain outside the company’s security protocols, making them valuable targets for cyberattacks. 

The proliferation of Shadow IT introduces complexities that compound other organizational issues, making it a central, often overlooked factor in a company’s overall security posture.

When companies merge or acquire other businesses, they face significant challenges in integrating disparate systems and technologies, along with the accumulated problems those systems carry, sometimes called tech debt.

But beyond the expected complexities of unifying technology stacks, businesses inherit a whole new layer of unseen risks: the Shadow IT of the acquired company. As IT teams attempt to merge infrastructure, they may be unaware of unsanctioned or forgotten servers, applications, and tools spun up by the previous company’s departments. Each unaccounted-for asset becomes a hidden risk that compounds the challenges of post-acquisition integration.

Acquisitions typically involve companies with varying levels of security maturity. A breach could easily originate from a neglected, unmonitored asset acquired during a merger. We’ve seen this play out in practice too. 

The Change Healthcare breach that hurt UnitedHealth Group was due to this exact problem: a web portal that was in the process of integration into UnitedHealth systems but didn’t comply with their policy requiring multi-factor authentication (MFA), according to the UnitedHealth CEO’s testimony before Congress.

Without visibility into an acquired company’s Shadow IT landscape, IT teams will of course struggle to fully secure their environments. It’s like trying to lock a door that you don’t know exists.

The shift to cloud infrastructure has revolutionized how companies operate, allowing rapid scalability and flexibility. But with this transformation comes a new layer of complexity. 

Shadow IT often accelerates cloud adoption, as teams spin up cloud servers or deploy services on their own, without adhering to centralized governance. These unsanctioned cloud environments can lead to serious security risks, as there is no guarantee they are properly configured, monitored, or kept updated.

When business units use multiple cloud platforms like AWS, Microsoft Azure, or Google Cloud, it becomes increasingly easy to lose track of the company’s digital assets. This chaotic, decentralized cloud environment only deepens the Shadow IT problem, as old cloud instances might be forgotten, misconfigured, or left vulnerable—creating security gaps that IT teams cannot address if they are unaware of their existence.

Software as a Service (SaaS) tools are invaluable to modern businesses, but they further complicate the issue of asset management, especially when Shadow IT comes into play. 

Many departments independently adopt SaaS tools, often without notifying IT. While these tools enable teams to work more efficiently, they also create a sprawling, hard-to-manage ecosystem of applications, accounts, and data access points that IT teams may not know exist. The breach of several Snowflake customer accounts in July was due in part to unencrypted usernames and passwords stored in Jira, a project management tool, and to the fact that none of the breached companies, including Advance Auto Parts, Ticketmaster, and Santander, had MFA enabled.

When employees leave a company or switch roles, their access to these SaaS applications can persist if not properly deprecated, creating security risks. Moreover, when companies acquire others, they also acquire the entire SaaS portfolio of the acquired business—including its Shadow IT. 

Any dormant or unsecured SaaS tools used by the previous company may create unseen vulnerabilities for the acquirer, adding to the weight of the problem.
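The two SaaS failure modes above, accounts that outlive an employee's departure and accounts without MFA, can be caught with a routine reconciliation of each tool's user export against the HR roster. The following is an added example, not code from the original post or from SixMap; the HR roster, the per-tool exports and their CSV column names are all constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass

# Constructed HR roster: one row per person, status 'active' or 'left'.
HR_ROSTER_CSV = """email,status
alice@example.com,active
bob@example.com,left
carol@example.com,active
"""

# Constructed user exports, one per SaaS tool (column names are assumed).
SAAS_EXPORTS = {
    "recruiting-platform": """email,mfa_enabled
alice@example.com,true
bob@example.com,false
dave-contractor@example.com,false
""",
    "social-scheduler": """email,mfa_enabled
carol@example.com,true
bob@example.com,true
""",
}

@dataclass(frozen=True)
class Finding:
    tool: str
    email: str
    issue: str  # "departed", "unknown_to_hr" or "mfa_disabled"

def audit(roster_csv, exports):
    """Reconcile every SaaS account with HR status and MFA state; return sorted findings."""
    roster = {r["email"].lower(): r["status"] for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for tool, export in exports.items():
        for row in csv.DictReader(io.StringIO(export)):
            email = row["email"].lower()
            status = roster.get(email)
            if status is None:           # account HR has never heard of
                findings.append(Finding(tool, email, "unknown_to_hr"))
            elif status == "left":       # access that survived offboarding
                findings.append(Finding(tool, email, "departed"))
            if row["mfa_enabled"].strip().lower() != "true":
                findings.append(Finding(tool, email, "mfa_disabled"))
    return sorted(findings, key=lambda f: (f.tool, f.email, f.issue))

if __name__ == "__main__":
    for f in audit(HR_ROSTER_CSV, SAAS_EXPORTS):
        print(f"{f.tool:20} {f.email:30} {f.issue}")
```

Run against the constructed data, the audit reports five findings: Bob's lingering access in both tools, the contractor account unknown to HR, and two accounts with MFA off.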

The proliferation of domains and subdomains in an organization often stems from decentralized decision-making and the sheer amount of oversight needed to track it. IT teams must keep pace with marketing teams launching new domains for campaigns or individual products, while other departments create subdomains for regional offices or product types. Over time, these digital assets accumulate and, without a formal process to decommission them, turn into “orphaned” assets—forgotten but still accessible online.

Shadow IT fuels this proliferation, as these domains and subdomains are often created without IT’s approval or tracking. If left unmonitored, orphaned domains and subdomains become ripe for exploitation by cybercriminals. Attackers can hijack these abandoned assets to launch phishing attacks, distribute malware, or impersonate the company’s brand.
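The routine defensive check for the orphaned-subdomain problem described above is to review the company's own DNS zone for CNAME records whose external target no longer resolves: such a record is stale and should be removed whether or not anyone could claim the target. The following is an added example, not code from the original post or from SixMap; the zone export, the hostnames and the set standing in for live DNS resolution are all constructed.

```python
import re

# Constructed zone export in BIND-style text. In practice this comes from
# the DNS provider's API or a zone transfer to a host you control.
ZONE_TEXT = """
www.example.com.          300 IN A     203.0.113.10
campaign2019.example.com. 300 IN CNAME campaign2019.pages.hosting-provider.test.
careers.example.com.      300 IN CNAME example-careers.recruiting-saas.test.
emea.example.com.         300 IN CNAME www.example.com.
shop.example.com.         300 IN CNAME shop.store-platform.test.
"""

# Constructed stand-in for live resolution: names that still resolve.
# The hosting page for the 2019 campaign was deleted, so it is absent.
STILL_RESOLVING = {
    "example-careers.recruiting-saas.test",
    "www.example.com",
    "shop.store-platform.test",
}

# owner [ttl] IN CNAME target  (TTL optional, as in many zone files)
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)", re.IGNORECASE)

def parse_cnames(zone_text):
    """Return [(owner, target)] for every CNAME record, names lower-cased without the trailing dot."""
    out = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            out.append((m.group(1).rstrip(".").lower(), m.group(2).rstrip(".").lower()))
    return out

def find_dangling(zone_text, resolves, own_zone):
    """Flag CNAMEs that point outside own_zone to a target that no longer resolves.

    `resolves` is a callable name -> bool (here backed by STILL_RESOLVING; a
    real run would do a DNS lookup). Aliases inside our own zone are skipped
    because their targets are part of the inventory under review anyway.
    """
    dangling = []
    for owner, target in parse_cnames(zone_text):
        if target == own_zone or target.endswith("." + own_zone):
            continue
        if not resolves(target):
            dangling.append((owner, target))
    return dangling

if __name__ == "__main__":
    for owner, target in find_dangling(ZONE_TEXT, STILL_RESOLVING.__contains__, "example.com"):
        print(f"DANGLING {owner} -> {target}")
```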

The modern attack surface has expanded far beyond traditional IT environments, now encompassing APIs, IoT devices, and third-party vendors. 

Shadow IT plays a critical role in amplifying this complexity. For instance, an API created for a specific project by a team operating outside IT’s supervision might be poorly documented, misconfigured, or completely forgotten—leaving it vulnerable to attack. Third-party vendors often introduce additional risks, as their own Shadow IT practices—such as unmonitored cloud instances or unsecured APIs—can inadvertently expose your organization to vulnerabilities, making it critical to assess their security posture regularly.

For instance, for the past decade, CocoaPods, a repository for individual code packages used in many mobile apps, had a flaw enabling attackers to claim packages and use them to execute code in dependent apps on potentially billions of devices. This kind of attack relies on the passage of time: the flawed component spreads widely before anyone strikes. As organizations grow and evolve, these Shadow IT components often persist, adding layers of unmanaged risk to an already expanding attack surface.

Similarly, IoT devices deployed independently by departments may not receive necessary security updates, leaving them open to attack. When these devices are orphaned, much like legacy cloud instances or SaaS applications, they become ticking time bombs that could compromise an entire network.

While automated tools provide a significant advantage in uncovering Shadow IT, true protection against expanding attack surfaces requires continuous, complete discovery—a holistic approach that ensures no asset is left unnoticed. SixMap, the company that pioneered computational mapping to non-intrusively identify everything you own on the Internet, goes beyond automated scans by pairing extended attack surface management with the critical value of human review. Automated tools can identify patterns and anomalies, but only human expertise can holistically understand a company’s unique environment, understanding and safeguarding the complexities that other tools overlook.

SixMap enables organizations to see themselves from an attacker’s point of view, identifying every potential vulnerability and orphaned asset across domains, cloud infrastructure, APIs, and IoT. By understanding the ways in which attackers search for weaknesses, companies can proactively manage Shadow IT and secure their digital landscape.

While the rise of Shadow IT exacerbates many of the challenges faced by organizations, it’s not an insurmountable problem. Companies can take proactive steps to regain control of their digital footprint:

Employ solutions like SixMap that continuously scan the internet for your company’s assets, including websites, cloud servers, and SaaS applications, and combine automated discovery with human oversight for a complete view of your attack surface.

Stay ahead of cybercriminals by understanding how they exploit unpatched vulnerabilities. 

Solutions that mirror an attacker’s perspective help you identify exploitable assets before they become targets.

A company is more than just its tangible assets—it’s also its brand and reputation. 

SixMap ensures that your attack surface management encompasses all potential risk vectors, from internal systems to brand integrity.

With the integration of SixMap’s extended attack surface management and a focus on continuous, holistic discovery, companies can better manage their Shadow IT, reduce risks, and protect their digital ecosystems from the evolving threat landscape.