Shadow IoT: The term “Shadow IT” is used to describe a scenario where workers buy information technology products and use them in the workplace. Shadow IT is most often associated with cloud services such as file sharing, collaboration tools and other applications where the worker has chosen a product they prefer over the company standard, or perhaps there is no corporate alternative.
Now there’s another “shadow” rising in business: Shadow IoT. It refers to the use of connected devices, often called the “internet of things” or IoT, in the workplace. In the IoT era, the world is more connected than ever. IoT transformation has caused device connections to grow at a rapid pace. ZK Research has forecast that by the end of 2023 there will be 80 billion connected endpoints.
That creates a number of new security risks for enterprise IT, which doesn’t have the same level of control over these devices as it does over traditional endpoints. Unauthorized shadow IoT devices, even those oriented to consumers such as Alexa devices, Teslas and Peloton bikes, are increasingly being deployed in the enterprise, and alarming new data reveals it’s becoming a real problem.
A recent report from the computer security service Ordr Inc. found a multitude of vulnerabilities and risks stemming from connected devices. The IoT cybersecurity company compiled an analysis of more than 5 million unmanaged, IoT and “internet of medical things” or IoMT devices in Ordr deployments between June 2019 and June 2020.
The report, “Rise of the Machines: Enterprise Of Things Adoption and Risk Report,” found 20% of enterprises with IoT deployments have payment card industry and virtual local-area network, or VLAN, compliance violations. Ordr identified deployments where retail IoT devices used the same subnet as tablets, printers and physical security devices. Even more shockingly, 75% of deployments have VLAN violations, and in some cases networks are sharing connections with a number of USB card readers and other devices.
The healthcare industry seems to be most afflicted by shadow IoT. When examining healthcare organizations, Ordr discovered deployments where medical devices were on the same VLAN as nonmedical IoT devices. The vast majority (95%) of healthcare deployments had Amazon Alexa and Echo devices active in their environment in conjunction with hospital surveillance equipment. Health organizations are potentially violating HIPAA privacy laws since voice assistants can eavesdrop and unknowingly record conversations.