Shadow IT, Hidden Risk, and the insights that drive action to reduce exposure

The annual doctor wellness check always interests me. It’s generally the same routine every year: The doctor and I exchange pleasantries. She asks about any noticeable health changes while looking in my ears with that cool little penlight. If I’m lucky, she uses the mini-hammer to see how high my leg kicks after a gentle knee tap (I just love that for some reason).

But it’s all a bit of a show, isn’t it? I mean, the stethoscope ‘looks’ very professional, but we both know that the real analysis is done in the lab work. The real examination is in the scans and inspection of what’s happening beneath the surface. That’s where the data is. That’s where we see the trends. That’s where we find the insights.

And from insights, we can take action.

Good data leads to good insights

One of the common discussions we have with organizations that are maturing their vendor risk management program is the enormity of the task at-hand. Staying on top of the expanding world of third parties is daunting. And it gets harder every day as companies create even more relationships to share data. Sometimes those relationships are known. Sometimes … not so much.

The teams responsible for corralling this sprawling ecosystem usually start with a spreadsheet. Columns for vendor name, business owner, and a date field for ‘last updated’ that seems to get worn-out after one or two edits.

When our Bitsight team offers to run our own vendor discovery for their organization, they are generally pretty amiable to it. Why not see what intelligence they can glean from data on over 40 million organizations worldwide!?

When we provide their custom Vendor Report, the reaction is always entertaining uncomfortable interesting:

• “NetKloud?!? I thought we terminated that contract years ago?”
   
• “AWS? But we’re an Azure shop. Who authorized that?”
   
• “What the heck is Lead2Opp? Remind me to call marketing when we get back.”

The Vendor Report displays known and suspected third and fourth party ‘relationships’ for the organization. To put it mildly, our data is good. So we often have more insights into third parties than the spreadsheet. We even see the unknown relationships (dubbed ‘ShadowIT’ by some aspiring marketer).

Keep in mind that not all of these vendors have ‘signed contracts’ or passed ‘vendor on-boarding programs’ or have any sense of ‘security hygiene.’ So seeing these unknown third parties for the first time can be alarming. And then discovering, for example, that 15% of them have a known exploited vulnerability or that 22% are at a 5x likelihood of ransomware attack can be a downright cause for concern.

Good insight leads to effective action

But the teams will all tell you that knowing is so much better than not knowing. Uncovering the hidden risk that lurks beneath the organization is scary, but SO important. Because those insights can now drive action. And this is the essence of our mission: enabling leaders to take action to reduce exposure and mitigate risk.

I could not be more proud of what our team has built over the years. What we continue to build. This latest release, Auto Vendor Discovery, is the next piece in a series of incredible development to empower risk leaders. At the click of a button, we help security and risk teams automatically discover vendors, uncover potential ShadowIT, and see the connectivity originating from ‘inside’ the company.

It’s not about providing data, it’s about visibility. It’s about insights that drive actions. And actions that reduce risk is just what the doctor ordered.

If you are just getting started with your third party risk management solution, give us a shout, we’d love to share our prescription for a healthy program.

For more insights into managing hidden risks, download our guide titled “What’s Lurking in Your Environment? How Cyber Leaders Can Address Shadow IT & Hidden Risk”. It will arm you with policy and strategy suggestions to protect your expanding digital footprint and infrastructure.