Tag

Shadow IT

Shadow IT refers to technology tools, software, and services used within an organization without explicit IT department approval. Articles under this tag examine how shadow IT emerges, its impact on security posture, and strategies for detecting and managing unauthorized technology use across your workforce.

posts

SaaS Security

SaaS Security Best Practices Your Team Needs in 2026

The Average Company Runs 130 SaaS Apps — And Secures Maybe Half In early 2024, a threat actor breached Snowflake customer environments — not by exploiting a zero-day, but by using stolen credentials harvested from infostealer malware. The result? Hundreds of millions of records exposed across companies like Ticketmaster and AT&

Carl B. Johnson Jun 10, 2026 6 min read
BYOD Security Risks

BYOD Security Risks: What Your Policy Is Missing

In 2023, a single employee's personal phone led to one of the most damaging casino breaches in history. Threat actors used social engineering to compromise MGM Resorts, and the attack vector started with a device the company didn't fully control. The resulting disruption cost MGM over

Carl B. Johnson Jun 08, 2026 5 min read
Shadow IT

What Is Shadow IT? The Hidden Risk You Can't Ignore

In 2023, a financial services employee signed up for an unsanctioned file-sharing app using their corporate email. Within weeks, a threat actor exploited a vulnerability in that app and exfiltrated 11,000 customer records. The security team didn't even know the app existed. That's shadow IT

Carl B. Johnson May 30, 2026 5 min read
Shadow IT

What Is Shadow IT? The Hidden Risk Draining Your Security

Your Employees Are Building a Second Network You Can't See A marketing manager signs up for an AI writing tool using her corporate email. A developer spins up an AWS instance on a personal account to test code faster. A sales rep stores client contracts in a personal

Carl B. Johnson May 01, 2026 5 min read
SaaS Security Best Practices

SaaS Security Best Practices: A 2025 Field Guide

In January 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive after threat actors exploited misconfigured SaaS environments across multiple federal agencies. The attackers didn't need sophisticated zero-day exploits. They walked in through overprivileged service accounts, dormant API tokens, and single-factor authentication — problems that every

Carl B. Johnson Apr 22, 2025 7 min read
BYOD Security Risks

BYOD Security Risks: What's Really on Your Network

The Personal Phone That Took Down a Hospital Network In 2023, a nurse at a regional hospital plugged her personal phone into a workstation USB port to charge it. That phone carried malware picked up from a third-party app store. Within 72 hours, ransomware had encrypted patient records across three

Carl B. Johnson Apr 22, 2025 7 min read
Shadow IT

What Is Shadow IT? The Hidden Risk Draining Your Security

The Salesforce Instance Nobody Knew About In 2022, a mid-size healthcare company discovered that one of its marketing teams had been running an entirely separate Salesforce instance — for eleven months. Patient-adjacent data sat in an environment with no encryption at rest, no access controls, and no logging. The IT security

Carl B. Johnson Nov 03, 2023 7 min read
SaaS Security

SaaS Security Best Practices: A Hands-On Guide

The Breach That Started With a Single SaaS Login In January 2023, Mailchimp disclosed its second major breach in less than a year. The cause? A threat actor used social engineering to trick an employee into handing over credentials to an internal tool. That single compromised SaaS login exposed 133

Carl B. Johnson Sep 29, 2023 7 min read
BYOD Security Risks

BYOD Security Risks: What Your Policy Is Missing

In January 2023, T-Mobile disclosed that a threat actor had stolen data on 37 million customer accounts — and the intrusion reportedly exploited an API accessible from systems that included employee-used devices. It wasn't a sophisticated zero-day. It was a gap in how endpoints and access were managed. If

Carl B. Johnson Sep 18, 2023 7 min read
BYOD Security Risks

BYOD Security Risks: What Your Policy Is Missing

A Single Employee's Phone Just Cost This Company Everything In August 2021, T-Mobile confirmed a massive data breach affecting over 50 million people. While the full attack chain was complex, the reality is that personal devices connecting to corporate environments create attack surfaces that most IT teams drastically

Carl B. Johnson Dec 22, 2021 7 min read