It’s Time for Cybersecurity to Emerge from the Shadows (of IT)

Credit: Dutton

by Brennen Schmidt

There’s a significant threat lurking in the shadows of organizations across the globe. It continues amassing its power and control over troves of corporate data and functions, often going unnoticed—until something doesn’t work as expected or the damage has already been done.

The threat? Cyberattacks—particularly those allowed by “shadow IT.” Shadow IT is defined by Cisco Systems as “the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group” within an organization.

Examples include cloud file-sharing services, collaboration tools, and social media. Using these relatively new technologies is simply seen as a way of doing business, but we should also be thinking about how they can be used covertly and against us.

Recent headlines show how shadow IT has hit both large and small organizations in the public and private sectors. Hacked accounts, cyber breaches and ransomware have become the norm.

Sparking interest in the ones and zeros

These headlines might just be the spark that information security and technology teams have been looking for to advance cybersecurity awareness. But communication professionals will also have to step up and protect their organizations, specifically with respect to shadow IT.

Recent examples of breaches damage customer and stakeholder confidence about the safety and security of their personal and private data. Unfortunately, a burning desire to prevent such attacks often seems to come only after the fact.

Very little meaningful information about the risks of such technologies is being shared within organizations. This is especially true when it comes to real and present risks involved with shadow IT.

Here are four threats that you need to be aware of.

Threat #1: Your domain name

Communication or marketing likely plays an active role in decision making about digital properties, including the management of domain names. After all, an organization’s domain name is a pillar of its brand identity.

But, is that same level of care and attention paid to help thwart cyber criminals and bad actors? Likely not, especially if measures aren’t in place for the centralized management of an organization’s “official” domain names, including those used for short-term ad campaigns.

This inattention can open the door to “typosquatting,” which is too often overlooked. As the name suggests, bad actors can secure variations of an organization’s domain name to cause harm. This vulnerability poses a significant threat, especially from phishing attempts.

Such attempts are akin to setting bait on a hook, in an effort to catch passwords or other private information. This is both damaging and, in far too many cases, where criminal behavior starts. The same rings true for domain hijacking, in which an organization’s domain is taken over as a result of vulnerabilities stemming from insecure account management practices with its domain registrars.
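The lookalike-domain problem described above is easy to check for on the receiving side. The following is an added example, not code from the article: it folds common character substitutions (digit-for-letter, "rn" for "m") and measures edit distance so that sender domains close to an organization's official names can be flagged in mail or DNS logs. The official domains and the sample sender addresses are constructed for illustration.

```python
"""Flag sender domains that look like an organization's official domains.

Added example (not from the article). The official domains and the sample
sender addresses below are constructed for illustration.
"""
from __future__ import annotations

import unicodedata

# Assumed official domains of a hypothetical organization (constructed).
OFFICIAL_DOMAINS = {"example-corp.com", "examplecorp.com"}

# Characters commonly substituted for look-alikes; the mapping is illustrative.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalize(domain: str) -> str:
    """Lower-case, strip accents (NFKD), and fold common look-alike characters."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(address: str) -> str:
    """Part after '@', keeping the last two labels (adequate for .com-style TLDs)."""
    host = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify(address: str, official=OFFICIAL_DOMAINS, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a sender address."""
    dom = registrable_domain(address)
    if dom in official:
        return "official"
    norm = normalize(dom)
    for off in official:
        off_norm = normalize(off)
        # Near-identical after folding look-alike characters, or within a couple of edits.
        if norm == off_norm or levenshtein(norm, off_norm) <= max_distance:
            return "lookalike"
        # Official name embedded in a longer registration, e.g. examplecorp-login.com.
        if off_norm.split(".")[0] in norm.split(".")[0]:
            return "lookalike"
    return "unrelated"


# Constructed sample sender addresses, as they might appear in a mail gateway log.
SAMPLE_SENDERS = [
    "alice@examplecorp.com",
    "billing@examp1ecorp.com",
    "it-help@exarnplecorp.com",
    "noreply@examplecorp-login.com",
    "news@unrelated-vendor.net",
]


def scan(senders=SAMPLE_SENDERS) -> dict[str, str]:
    """Classify every sender; a real deployment would feed this from log lines."""
    return {s: classify(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in scan().items():
        print(f"{verdict:10} {sender}")
```

The two-label `registrable_domain` heuristic is deliberately simple; for country-code TLDs such as `.co.uk` a public-suffix list would be needed, and the homoglyph table should be extended with whatever substitutions actually show up against the organization's own name.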

Threat #2: Publicly available brand guidelines on the web

Publishing an organization’s brand guidelines on the web—including color palette, fonts, logos, writing style, and so on—doesn’t help matters either. Providing such detailed information is an open invitation for tricksters to more easily piece together a compelling look and feel in an email when attempting to exploit user behaviors. Doing so just makes it that much easier for bad actors to more effectively execute “spear phishing” tactics, a highly targeted attack usually aimed at a specific individual with authority.

Threat #3: Distribution of corporate-branded memory sticks

Corporate-branded USB drives, or memory sticks, are too often overlooked as a threat to an organization’s bottom line. It takes very little effort for a bad actor to amass a collection of these, then load malicious code on them.

The intent is to exploit a victim’s computing device if and when they use the USB drive. The next step could include placing infected devices as a “leave behind” in public areas—or worse, offering them as a gift directly to customers. This could result in significant damage, especially if used on a user’s personal device, which may also have access to corporate data.

This risk isn’t fiction, either. Take Stuxnet, for example. In 2010, this malicious computer worm was responsible for the sabotage of centrifuges at Iran’s nuclear enrichment plant in Natanz. The Stuxnet exploit is described by Countdown to Zero Day author Kim Zetter as “the world’s first digital weapon.” Zetter’s work explores at length how a USB vulnerability “escaped the digital realm to wreak physical destruction on equipment the (plant’s) computers controlled.”

Threat #4: Your account security

Speaking of which, what happens if and when disaster strikes, and corporate technologies go down? Naturally, we’ll run to Twitter to send out a tweet or two, right? Wait. What if you can’t access your account because of a lingering prompt for a randomly generated code via text message (SMS), thanks to two-factor authentication? Getting access to that code will prove difficult if the person who is responsible for the account, and possesses said device, is away on holiday or, in the worst-case scenario, involved in a disaster themselves.

These types of scenarios have caused services, including Twitter, to explore the various complexities associated with such cases.

Engaging with ancillary team members, including IT

A potential solution in the scenarios above is the secure usage of a randomly generated recovery key. These services allow an authorized user to print a key (yes, print, as in, on paper) for safe storage and retrieval if and when needed for account recovery purposes.

To be effective, instructions for using these keys need to be shared with ancillary team members, including IT leadership. Interestingly enough, such an approach isn’t likely new to them. After all, IT teams likely employ a similar practice for the secure storage and retrieval of highly sensitive system administration account credentials.
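The recovery-key pattern above is worth seeing from the service's side, because it explains why the printed copy matters: the service keeps only a salted hash of each code, so a lost printout cannot be regenerated, only replaced. The following is an added example, not the article's content and not any particular service's implementation. It issues a batch of one-time recovery codes in a paper-friendly alphabet, stores salted hashes, and redeems a code exactly once while tolerating how a person types it back from paper.

```python
"""One-time account recovery codes: generation, storage and redemption.

Added example (not from the article and not any particular service's code).
Models the 'print a recovery key and store it on paper' pattern.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# No 0/O or 1/I, so a code read back from paper is unambiguous.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_code(groups: int = 4, group_len: int = 5) -> str:
    """Form 'K7QZX-4MBHA-...': 20 symbols from a 32-symbol alphabet is 100 bits."""
    parts = ["".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups)]
    return "-".join(parts)


def canonical(code: str) -> str:
    """Tolerate case, spaces and dashes in what a human types back."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def code_hash(code: str, salt: bytes) -> bytes:
    """Salted slow hash; the service never stores the code itself."""
    return hashlib.pbkdf2_hmac("sha256", canonical(code).encode(), salt, 100_000)


@dataclass
class RecoveryCodeStore:
    """What the service keeps per account: salted hashes plus a used flag."""
    entries: list = field(default_factory=list)

    def issue(self, count: int = 10) -> list[str]:
        """Replace any existing batch; the plaintext codes are shown once, then printed."""
        codes = [generate_code() for _ in range(count)]
        self.entries = []
        for c in codes:
            salt = secrets.token_bytes(16)
            self.entries.append({"salt": salt, "hash": code_hash(c, salt), "used": False})
        return codes

    def redeem(self, submitted: str) -> bool:
        """Constant-time compare against every unused entry; consume on match."""
        for e in self.entries:
            if e["used"]:
                continue
            if hmac.compare_digest(code_hash(submitted, e["salt"]), e["hash"]):
                e["used"] = True
                return True
        return False

    def remaining(self) -> int:
        return sum(1 for e in self.entries if not e["used"])


if __name__ == "__main__":
    store = RecoveryCodeStore()
    for c in store.issue():
        print(c)  # this is the list that goes onto paper and into the safe
    print("unused codes:", store.remaining())
```

Because `issue` discards the previous batch, the operational step from the to-do list follows directly: whoever holds the printout must be documented, and the list must be reissued (and the old printout destroyed) whenever custody changes.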

Communication can take the lead

So, rather than simply surviving today’s seemingly endless array of cyberattacks, why not leverage the power of collaboration to withstand them? How about bringing the real and perceived threats of cybersecurity into the light?

The good news for us is that there is likely already someone in a position to lead such an effort. This individual is capable of exercising a great deal of influence across a variety of teams. They are also often called upon by senior leadership to provide strategic communication counsel.

This leader, of course, may very likely be you: a communication professional. Your mission, should you choose to accept it, is to play an active role within your organization to facilitate the orchestration of people, process, and technology to keep key data and systems safe across the enterprise.

But, as the strategic thinker you are, you dig deeper. You work with legal, privacy and information technology teams to share valuable insights with employees and stakeholders to help keep their data safe. You do so in the hope that they, too, will employ that same care and attention when practicing digital safety habits.

10 key cybersecurity to-dos to complete in the next 30 days

  1. Determine who is responsible for managing your primary domain name, then check to see what security measures are in place to maintain its security.
  2. Maintain a running list of all official (and unofficial) names of digital properties under the ownership of your organization.
  3. Remove brand identity guidelines posted on the public internet. Should external users or agencies require this information, deliver it to them in a secure (encrypted) format.
  4. Complete an inventory of users, applications, and third parties that are capable of accessing digital services on your organization’s behalf. Remove or limit as appropriate.
  5. Phase out the distribution of corporate-branded hardware items, including USB devices; it’s not worth the risk to your organization’s reputation.
  6. Complete an inventory of your online services, including social media and cloud services.
  7. Reach out to team members representing IT, security, privacy and legal to engage in the conversation to help identify risks and how to mitigate them.
  8. Research the availability of account recovery processes for identified online services.
  9. Document any available account recovery process for each identified service; record on paper and store the key(s) provided in a safe place.
  10. Encourage users not to click on that phishing email offering a free coupon at a coffee shop. It’s safer just to pay.


About the author / Brennen Schmidt is a senior consultant with Deloitte Canada. Prior to joining Deloitte, Schmidt served as a communication consultant with Saskatchewan’s public service for the greater part of a decade. His passion for technology has enabled him to work with clients and stakeholders across Canada and the U.S. to help discover how to better connect people, process, and technology. Schmidt co-authored Cyber City Safe: Emergency Planning Beyond the Maginot Line, a work that explores how we can live smarter, safer, and healthier lives. He has made media appearances in Canada both locally and nationally to speak to cybersecurity, emergency planning and crisis response.