Per a new study from Infoblox Inc., there appears to be a significant threat posed by shadow devices on enterprise networks.

The report, titled "What Is Lurking On Your Network: Exposing the Threat of Shadow Devices," showed that enterprise networks across the U.S., U.K. and Germany have thousands of shadow personal devices, including laptops, Kindles, mobile phones and "internet of things" devices, such as digital assistants and smart kitchen appliances, all connecting to their network.

According to the report, more than one-third of companies in the U.S., U.K. and Germany (35 percent) said that there are in excess of 5,000 personal devices connecting to their network each day.

Likewise, a third of companies in the U.S., U.K. and Germany have more than 1,000 shadow internet of things devices connected to their network on a typical day, with 12 percent of U.K. organizations reporting having more than 10,000.

The most common devices found on enterprise networks included fitness trackers; digital assistants, like Amazon Alexa and Google Home; smart televisions; smart kitchen devices; and game consoles.

Per the report, the devices are “easily discoverable by cybercriminals online via search engines for internet-connected devices,” providing low-level criminals with ample means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.

Infoblox found as of March that there were 5,966 identifiable cameras deployed in the U.K.; 2,346 identifiable smart TVs deployed in Germany; and 1,571 identifiable Google Home devices deployed in the U.S. In other words, plenty of open doors.

Employees in the U.S. and U.K. said they connected devices to their employer’s networks for all of the obvious reasons, including access to social media and downloading apps, games and even films. All of these simple, but not-appropriate-for-work practices "open organizations up to social engineering hacks, phishing and malware injection."

To mitigate these threats, organizations may introduce a security policy for connected devices, but some organizational leaders "appear misguided in their estimation for how effective these policies," while 88 percent of IT leaders who had the opportunity to share their voice through the research said their security policy is either effective or very effective. About one-quarter of employees from the U.S. and U.K. said they didn’t know if their organization had a security policy in place at all.

Finally, just one-fifth of respondents in the Western world said they followed their security protocols by the book.

All of this means there’s the possibility of a real threat by those jumping onto their employee’s technology stream while bypassing their organization’s traditional security policies. The devices used to do so “present a weak entry point for cybercriminals into the network, and a serious security risk to the company,” the report said.

If this news is any indication, organizations around the world are in trouble.

"Networks need to be a frontline of defense; second only to having good end user education and appropriate security policies," the report said. "Gaining full visibility into all connected devices, whether on premise or while roaming, as well as using intelligent DNS solutions to detect anomalous and potentially malicious communications to and from the network, can help security teams detect and stop cybercriminals in their tracks."

The report featured the responses of 1,000 IT directors in the U.S., the U.K., Germany and even the United Arab Emirates; 300 each in the U.K., U.S. and Germany and 100 in the UAE, with the study conducted from March through April 2018. An additional survey of 1,000 employees in the U.S. and U.K. was conducted in March to generate the results.

Is any of this any surprise? No. Security remains a major issue for most organizations, no matter the sector.

Let’s take a look at another example. While many organizations have made investments into data security tools, employees remain a major barrier to achieving full privacy.

More than 600 American employees from more than 20 industries, including healthcare, finance and information technology, basically said the following:

  • 98 percent said their company cared about data security, and 93 percent said the organization invests in keeping data safe.
  • 95 percent said their company provides secure information tools.
  • 85 percent said that their organization has policies about sharing, delivering and stealing data, documents and information.
  • 88 percent said their organization trains employees on how to use secure methods of information sharing and delivery.

However, 78 percent said they agree with their organization’s security policies, but 74 percent of the same said they shared information internally with their colleagues and 60 percent shared with people outside of their organization.

Additionally, those who said they shared data said they did so through insecure internal email; 62 percent sent data that included customer data, 46 percent strategy documents or presentations, 45 percent company business or financial data and 43 percent regulated data.

None of this is good news for organizations.