Blog Post

COVID-19 Security Impact: Rise of Shadow IT

Amid the COVID-19 pandemic, data flow into and out of organizations has changed drastically. With more employees working remotely, using VPNs, jump boxes and proxies, security teams have more to be concerned about. At Awake, we see this first hand, with an uptick in the use of both authorized and sometimes unauthorized tools (shadow IT) to get work done. Needless to say, these unauthorized tools increase the organization’s attack surface and risk. As a case study, we take a look at a few shadow IT applications and how these systems have been accessed both pre- and post-COVID-19.

What is Shadow IT?

Shadow IT includes infrastructure, tools and technologies outside the control of the organization’s IT team. This could be employees using their personal accounts, personal hardware, SaaS services or applications for corporate communication and data sharing both inside and outside the corporate network perimeters.

This could happen for a variety of reasons, including:

  • An employee has set up a personal file sync application on their work laptop to perhaps share photos but work data is also automatically synced to this personal third party service.
  • Employees use unauthorized remote access applications while working from home as their official VPN connection is slow / cumbersome.
  • A team deploys a new technology or application as proof of concept without IT approval.

Risks of Shadow IT

IT infrastructure teams struggle with visibility into shadow IT systems and applications and are thus unable to identify threats to and from these systems, detect loss of sensitive data, protect them from unpatched vulnerabilities and insecure access controls, etc. This poses a risk not just to the shadow IT application, but to the entire network and the organization as a whole. By the very definition, shadow IT systems are also often in violation of corporate cybersecurity policies.

Moreover, if an employee using these unauthorized devices and applications leaves the organization, the company’s standard offboarding procedures like disabling accounts, removing data from devices, etc. might not capture everything.

COVID-19 and Shadow IT

To understand how COVID-19 has impacted the shadow IT problem, we analysed traffic patterns for specific categories of applications in our customer environments. These applications are often the usual suspects when it comes to shadow IT, and we wanted to test our hypotheses on how COVID-19 has likely increased usage of these systems.

Data Leakage via Unauthorized File Sharing Services

Cloud based file-sharing applications can lead to the spread of corporate data across multiple services that may not have contractual relationships with the organization or for that matter even acceptable security and privacy policies. Moreover, there are numerous anecdotes of misconfigured cloud data repositories that left corporate information exposed to the world.

We compared the usage of cloud based file sharing services between January and March 2020 across the Awake customer base. As more organizations moved to a work from home model for their employees, we expectedly observed a surge in the number of devices using these services–an approximately 65% increase. Interestingly, however, we found employees using 5 or more file-sharing services, even though as you might suspect only 1 or 2 of these are approved by the corporate IT department. In fact, on average, over 40% of the file-sharing traffic was headed to unapproved services, adding risk to the organization.

Figure 1: Traffic increase to file-sharing services. Jan/Mar Comparison

Use of Unauthorized Remote Access Tools

Remote access tools (RATs) are often legitimate software used to remotely control one computer from another one. While they can be used for legitimate purposes including by the IT department themselves, these applications are often used for unauthorized remote access to corporate devices. In fact, these applications are often designed to bypass traditional network security controls, finding innovative ways to avoid being blocked. These systems pose risk to the organization since they are often directly accessible from the Internet and only have weak authentication controls. Once compromised, they present an attacker with a beachhead from which to launch further stages of the kill chain such as lateral movement to the organization’s digital crown jewels, etc.

As the COVID-19 shelter-in-place/work-from-home has taken effect, Awake has noticed a sharp rise in remote access tools such as TeamViewer, Microsoft Remote Desktop Protocol, LogMeIn, etc.

Across our customers, we identified the top remote access tools and compared their usage in March 2020 vs. January 2020.

Figure 2: Various remote access tools used in a single environment.

As seen above, the usage of TeamViewer has almost doubled from January to March. Similar trends were seen for other remote-management applications. In fact, Awake has uncovered multiple “new” RATs such as Splashtop and GoToMyPc that were not in use at all back in January and are now in fairly widespread use. Overall the usage of remote access tools increased by 75% from January to March and we can attribute much of that increase to the changes to work routines caused by COVID-19.


The rise of shadow IT increases the chances of data exfiltration, non-compliance with laws and regulations and overall increased risk for the organization. COVID-19 makes this impact even worse given the number of employees (including the security team itself) working remotely.

To mitigate these risks, security teams must first have visibility to these shadow IT assets and then be able to detect threats, investigate them and respond effectively. Legacy network security tools such as IDS and firewalls, etc. simply do not help in tackling these issues and increasingly security teams rely on the deep-inspection and analytics Network Traffic Analysis (NTA) tools like Awake offer.

While many IT organizations are already struggling with supporting the new remote-work culture, CISOs and CIOs must be cognizant about unauthorized systems and applications so that the risk can be mitigated by turning off the violating applications, patching them as appropriate and / or deleting any, sensitive data stored on those systems.



If you liked what you just read, subscribe to hear about our threat research and security analysis.

Aakash Jain
Aakash Jain

Senior Automation Engineer