The problem with shadow IT isn’t really the need for new tools, it’s the fact that people use them without IT security teams knowing. This usually happens because they perceive security policies as restrictive and antagonistic toward their productivity. In this way, Shadow IT is a process issue—not a software issue. Hidden risk is increasingly challenging cybersecurity leaders as digital supply chains grow and more apps are added to the network.

While security ratings are a great way to demonstrate that you’re paying attention to the standard cyber health of the organization, you also need to show that you’re adhering to industry and regulatory best practices for IT security and making informed decisions for the long-term. A cybersecurity framework can help.

The recent SEC breach disclosure rules place enormous pressure on CISOs. The new SEC disclosure requirements for public companies require companies to report annually on their cybersecurity risk management and governance efforts and publicly announce cybersecurity incidents that prove "material." Determining materiality may be one of organizations' most prominent challenges with the new rules. What exactly is a material cybersecurity incident?

One study found that 65% of SaaS applications in use are unsanctioned. And 59% of IT professionals find SaaS sprawl challenging to manage. In other words, shadow IT risks are growing—but that’s just the tip of the iceberg when it comes to hidden risks across today’s expanding attack surface. Missed software patches, outdated certificates, and stealth malware are some examples. Many security teams still struggle to keep their networks safe from ever-growing digital supply chains.

The annual doctor wellness check always interests me. It’s generally the same routine every year: The doctor and I exchange pleasantries. She asks about any noticeable health changes while looking in my ears with that cool little penlight. If I’m lucky, she uses the mini-hammer to see how high my leg kicks after a gentle knee tap (I just love that for some reason). But it’s all a bit of a show, isn’t it?

The annual doctor wellness check always interests me. It’s generally the same routine every year: The doctor and I exchange pleasantries. She asks about any noticeable health changes while looking in my ears with that cool little penlight. If I’m lucky, she uses the mini-hammer to see how high my leg kicks after a gentle knee tap (I just love that for some reason). But it’s all a bit of a show, isn’t it?

As organizations increasingly rely on external vendors and enterprise buying patterns continue to decentralize, the challenge of managing risk associated with third parties becomes critical. Unfortunately, even uncovering vendor relationships within an organization can be a struggle, with over 80% of workers admitting to using non-approved SaaS applications. This ‘Shadow IT’ is not only frustrating; it introduces tremendous risk.

AgentTesla is a Windows malware written in.NET, designed to steal sensitive information from the victim's system. It’s considered commodity malware given its accessibility and relatively low cost. Commodity malware poses a significant threat as it enables less sophisticated cybercriminals to conduct various types of cyberattacks without requiring extensive technical knowledge. AgentTesla has been a persistent and widespread threat since its emergence in 2014.

As third party outsourcing and cloud services become commonplace for enterprise organizations, security leaders need to understand and assess the cybersecurity risks of businesses that they partner with for “technology infrastructure services.” Security leaders want accurate, up-to-date information about their infrastructure provider’s security policies, procedures, and program performance so they can better understand risks to their own organizations.

When it comes to cybersecurity governance, 2023 stood out as one of the most eventful in a very long time. With everything from the enactment of stronger new cybersecurity regulations around incident disclosure from the Securities and Exchange Commission (SEC) to significant changes afoot for financial and cloud services providers operating within the European Union, many companies worldwide will be called to adjust to a new normal in 2024.