Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Conor Swam, CEO of Fin security, and welcome to gone phishing.
Connor Swarm:
Hey, everyone. Welcome back to another episode of Gone. I'm your host, Connor, the CEO at Finn. And today I am joined by not only a great friend of mine, but the founder of SAS, Leo, John Harden who was then acquired by Aubic, and he's now the senior product marketing manager at for SaaS at all. How are you, John?
John Harden:
I am good. Appreciate you having me here, Connor. I'm excited to talk about our topic today. We've got a lot of good things coming up.
Connor Swarm:
So of those of you who don't know about all of a SaaS management, shadow it, shadow SaaS comes to mind.
I think what would be really valuable. John, is what is in your mind, what is shadow it?
John Harden:
Shadow it by, like, definition in general is any it not known by the IT managers or the internal IT team. So I've got this nice colorful mouse. I always use this as a great example. I bought this on my own. My it team has an inventory. They don't know about it. It could be considered shadow it. It is something that I'm using to get my job done that the IT team hasn't sanctioned. But shadow it can also rear its head in way worse forms such as file sharing tools, third party platforms that aren't supposed to being used think like a key jiggler you know, we work in the work from home world where somebody installs an automated key or mouse jiggler to make it look like they're working.
So, yeah, really just anything that it team doesn't know about.
Connor Swarm:
Anything the it team doesn't know about. Does that include not just, you know, you pulled up the mouse. So hardware, does it include software? Does it include what? What does Datto it include? Yes.
John Harden:
So it's any IT asset, really, to get your job done is the way I always kind of classify. There's more like prescriptive term, but I always say it's an its. Get your job done. It can range. So over here at Avic, I mean, we're in the network and SaaS and in the physical. So it could be an employee who puts a little switch under their desk so that they can connect more peripherals. It can be an employee who signs up in the cloud to share data because they need to get around company policy to get something done. Really any it asset, hardware, software, physical, virtual that is created. It could be a compute cluster up in Amazon. It can be whatever really form it is of it. If the IT team is unaware of it, then it becomes shadow eight or it is shadow it.
And my theory on this whole thing here too as well, Connor, is that shadow, it is not inherently good or bad. It's really just unknown. It has no negative or positive outlook. It's just something it team doesn't know about.
Connor Swarm:
I feel like the holy grail of shadow it then would be a a computer that some, an employee buys a computer, signs up for accounts with accounts. And then starts using software on that computer, all to get their job done. Either at home or at their actual company's network.
John Harden:
100% right. Like shadow, it comes in lots of forms. I've seen some egregious examples of it. But in general, what I do find is your story. You just use theirs. Almost always true. Like shadow, it really only comes into companies in a couple of forms. One, it's just an employee getting their job done. That same employee that is breaking every IT policy at the company truly is. Just trying to get their job done. You know, they've got a goal to hit inside the company for the quarter or for the month or whatever it might boil down to and their laptop breaks, so they just go procure something where they use an old piece of home equipment to get their job done.
And they don't have a malicious intent, they're just trying to get their job done. And so that's kind of that first form, whether it's just using your own hardware, it's going up and signing for a SaaS tool because it's easier than following the, it's tools that we've got whenever it might boil down to or get the job done. And then the second form is just educational gaps. It's that same employee that went online to share a file out to their company or their prospect they're working with in sales that just didnt know that there was a sanctioned process internally. It's the same way, there's intent to solve their job, but they just didn't know about the gap. And that's actually where were seeing a lot of shadow it come in there's an overwhelmingly large amount of SaaS tools that can be used or software tools that can be used, and employees are just trying to get their job done and they dont know of all the features or functionality, so they just solve their own problems.
Connor Swarm:
Yeah, sounds like there's two steps to that, then. For most employees, it's not only just knowing that they shouldn't do that, but the second is the it company, if they're aware of it, should enforce. Nope, there was a proper way to do this, and you should have done this a little differently.
John Harden:
Yeah, yeah. We try to look at shadow it. We try not to slap people's risks around. Shadow it because it only creates the department of no. Even more like, we don't want our IT administrators to be the department of no.
We want, wanted, to look at shadow IT. I call it like it's entrepreneurs. People are solving their own business problems by signing up for their own software or using their own hardware.
Whatever it is, it's innovation. It's trying to get their job done. So it should look at that as maybe a bed of opportunity. People aren't using it if a tool because they want to go take the time to sign up and use it.
They're using it because it's better or it's more efficient, makes them get their job done.
Connor Swarm:
That actually feels like a really interesting use case.
Let's put aside the fact that an IT team should be aware of all the cybersecurity related risks that their company is unknowingly retaining. But maybe as a decision maker at an organization, you'd like to know, oh turns out my company and my employees largely use these other tools, even though we haven't bought them for them, because they believe them to be more effective. It makes their job a lot easier.
So maybe we should stop paying for this software and we should start buying this one.
John Harden:
Yeah, that's a, there's a metric out there. About 25% of SaaS is considered waste. That's just, like, pure the license goes underutilized or they're oversubscribed. And that duplicity of applications is really. A key indicator of waste. A lot of SaaS apps, there's so many different ways to, you know, modify. A Google document or collaborate in a project or take your time or communicate. You know, I've turned three Trojan horses - or shadow it recently, and it's really.
File sharing tools, collaboration and communication tools, and productivity tools. Those are your three Trojan horses and it's just because there's so many options and so many people tend to lean into those types of tools to get their job done.
Connor Swarm:
Yeah, I can't tell you how many times I've gotten a word, doc. and instead of trying to do anything with it, I just go straight to honestly if you didn't know about the shortcut. Docs new Docs Dot new will open up a brand new Google Doc right on your screen. It's like, not only is that tool free, like a lot of Google's tools are free for a very, one ends up being a very long period of time and high usage, but it's just so convenient, too.
John Harden:
Now, is Docstat new, is that a Google feature or is that just a website that like, is available that you can transfer to?
Connor Swarm:
That's a Google thing where it just automatically ports to Google Docs and opens up a brand new Google document for you and you can do sheets new, you can do whatever their PowerPoint version is as well. It's just like a hidden feature of Google to open up a brand new document really easily.
John Harden:
Yeah.
The reason I ask that is there's actually one of the really large things we see out in shadow it space is employees doing something similar to that transformation of data. So I have a PDF, I want it to be a Png. So I go online and I google PDF to Png. Everybody's done this, whether it's PDF to PNG, whether it's JPEG, whatever it boils down to everybody's use those online converters.
But this gets to the heart of shadow it. Nobody actually cares about shadow it. What they care about is the data going into the shadow it. Every cybersecurity program is built around the data. So I'm glad that docs new is a sage in Google's tool. But there's a lot of people that will go online, they'll put their tool in an online converter, they'll upload some. Potentially it's maybe just a white paper they're converting to PNG. So no big deal, but maybe they put customer list in an Excel spreadsheet.
To get this thing over. And while they may do their function and they may convert it for you. You better bet those systems are taking. A copy of the data, looking at that, analyzing that data, and that gets to the heart of shadow it is that business data. Nobody really is too upset if you're using a productivity tool, communication tool, file sharing tool, because they're not really worried about the tool, they're worried about the data you're putting into the tool. And those tend to be the ones that have a lot of that sensitive company data in it.
Connor Swarm:
Yeah, you got to be really aware of, a lot of people are talking about this now with Chad GT being used by, and I imagine you all see a ton of employees using chat GBT when it's not sanctioned by the company and who knows where that data is going. Ken, in theory, I was talking with our buddy Wes Spencer about this. It's like, in theory, isn't it possible for somebody across the world to send the right prompt to chats Bt and get your data back out of it? Okay, well, I don't know enough to say yes or no, but the fact that the question can be asked is scary.
John Harden:
What I can tell you, Connor, is we have looked at the data so you didn't even know this so perfect tee up. But we have looked at the data so across our base, and we validated it with other people on the doing the analysis of this information. 8% of the US workforce has tried Chat GPT, which doesn't sound overwhelmingly large until you think about how much of the workforce doesn't normally sit at the computer, how much of the workforce doesn't normally have a desk job. It's actually a pretty seriously large number.
And what was found then? This isn't our study, but another study that corroborated the data. Half of those people put sensitive company data into it. So, like, take Samsung, for example. The Samsung case is a pretty pillar case where Samsung had data exfiltration because employees were putting data into it, not because of their lack of knowledge on how open models work.
And so that was just, it's just one case. But the way I look at it with shadow it, visualize it in my head, is whether it's chat GPT as a productivity tool, whether it's we transfer as a file sharing tool, whether it's slack or discord or WhatsApp as a communication tool, every time you're using those tools, you're almost like leaving a droplet of data all over the cloud.
And think about all of that you leave behind individually when you sign up for these tools little piece of data here, a little piece of data here. You don't know how much data by the way you get when you click that, sign in with Google or sign up with Microsoft, how much data the SAS tool gets about you. So you leave all these breadcrumbs around.
The Internet that can be then attacked by bad actors, so that's you. And then compound it by a company with 1000 employees, or compound it with a company by 5000 employees, and you've got shards of data all over the internet that can be used as entry point vectors. Whether it's a supply chain attack, maybe they went in and their supply chain attacked one of those third party vendors got a little bit of your information and used it to enter in somewhere else, like we saw with MGM and.
The active directory escalation up to Okta or something like that. So that's the fear. It's not the shadow. It,
It's that droplet of data that people are leaving all over the cloud.
Connor Swarm:
You know, a really interesting example of exactly what you just described for anyone listening or for you if you're a Philadelphia 76 ers fan, is Brian Colangelo's burner Twitter account. So the general manager of the Philadelphia 76 ers got caught talking badly about his team on Twitter through a anonymous burner account because the phone number that they used, him and his wife used to sign up for the Twitter account was his phone number, and somebody was able to find that information somewhere, was like, hold on. This is literally Brian Colangelo having a conversation with himself on Twitter.
But it looks like a random account. It's just like, blows my mind. It's like, that's the world we live in now, John.
John Harden:
Yeah. That trail of data, fortunately, that, you know, I mean, that looks bad for the GM, of course, right?
Like, that's bad.
Connor Swarm:
You got fired.
John Harden:
Wow. That's very bad. But it's bad optics. Right? Like, at least in that case, it wasn't used to escalate.
Right?
Like, had they found that data and used it to escalate internally in the organization, that could have been far worse. I mean, this is bad for the GM, and quite frankly, that's not good.
Connor Swarm:
Look.
John Harden:
So for what it's worth, I don't know if I disagree the decisions there.
But in general, at least the company didn't end up having an exfiltration because there's a lot of personal apps. People compromise those personal applications, too, and use that data to escalate their way up. And so you'll be really cautious of these tools you're using online because they are taking a stamp of your data and they're trying to get as much as they can. Trust me. No SaaS vendors saying, let's take less data, let's store a little less data.
We don't want to know that much about our user. That's not happening.
Connor Swarm:
Yeah, I've heard pretty much every vendor except for maybe the identity access and The Pam members, they're like, hey, we need to have more data because then we can make it all streamlined and we can connect things way more effective. What I hear is, sure, but let's not pretend we're trading off security for the sake of convenience here.
But let's just be aware that we're doing.
John Harden:
Yeah, but that's it, right? It's convenience. That's if you get to the root of why people do it. I mean, employees are the path they take the path of least resistance, right?
Like the job is already tough enough, especially it, I think the stat out there, I don't want to say it wrong on the podcast, but it's above 50% of it. Admins have admitted to using shadow IT in their business to get to business
outcomes because there's so much pressure down on them. And that same pressure continues to boil down on every employee in an organization.
And at the end of the day. They just say, hey, we're going to put the IT policy to the side. And we're going to go out, we're going to set up this tool, and we're going to get our job done.
And that pressure is creating this desire to go out and use tools. And they take that path of least resistance down the water. And path of least resistance is ignoring it policy.
So getting control of shadow it is an IT job. It's not an employee's task. I mean, it job to solve. So let's end on your thoughts on this question right here.
Connor Swarm:
Why is shadow SaaS, shadow it, why is it more important now? Why is it incredibly important today?
John Harden:
Yeah, in 20 seconds or less.
Like go back to 2008, the no software logo from Salesforce, right? That was the shepherding in of SaaS. Ever since then, every metric about SaaS has gone up to the right. The amount of users, the amount of apps, the amount of data, the amount of usage on it, 62% of the time that the employees spent in the web browser. If everything's up to the right, that's why the things are becoming more important because that's where all that data is at.
Connor Swarm:
So if I heard that right, it's not only are businesses using way more SaaS software, not to beat a dead horse continually to death, but COVID created a lot more opportunities for people to work from remote locations, some of which include your houses.
When you're not on a company network using company device in front of other people at your company, there's probably a really good chance you'll end up doing things that are more convenient when other
People would have told you to stop doing them.
Yep. And even more so, take those personal.
As, right, everybody now, working from home, there's no fish mole syndrome. You're not worried about what you're doing on your computer sometimes.
So we just, we've seen a lot of looseness since the digital transformation that COVID brought around us, too.
Awesome.
Connor Swarm:
Well, this was a wonderful conversation. I'd love to have you back on to talk more about some of the impacts that this might have on cybersecurity programs itself. And what should cybersecurity and it folks do in response to this? Is it to crack down or is it to say no, use whatever you want and just let us know about it. Like open door policy.
Come on in. So I can't wait to hear your thoughts on that. Well, that's it, the next session. Thanks so much for joining, John. For those of you listening, we'll have. Well, I guess I'll ask John then.
How would you like people to get in touch with you? Or how would you like people to learn a little bit more about all of access management?
John Harden:
Yeah, just reach out on LinkedIn. Give me a holler on LinkedIn. I'm social out there on there and you can ask any question you want. I'm happy to kind of support some information or just go to olvic.com and click SaaS management. There's a ton of info there, too.
Connor Swarm:
Awesome.
For those of you listening and watching, we'll have all those links in the show notes so you can reach out to John, reach out to Aldic, learn a little bit more. John, thanks so much for joining. We'll have you on again real soon. And everybody at home, thanks for listening.
John Harden:
Cheers.
Connor Swarm:
Thanks so much for tuning in to go on fishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out fin security at Phinsec IO. That's p h I n sec IO or click all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.