What’s the Biggest Vulnerability of Marketers’ Shadow IT Tools?

No, and marketers are filling the gap. In our 2017 CMO cybersecurity survey, 75% of marketing and IT respondents stated that shadow IT is prevalent in their organizations. Marketing is a data science and budgets increasingly focus on acquiring tools and technology, but marketing is typically under-resourced from an IT perspective.

They go around IT protocols to procure shadow IT resources for quick fixes. Through a patchwork of vendors, marketers integrate shadow IT tools into brand infrastructures. Ranging from a dozen on the low end to hundreds on the high end, APIs stitch this patchwork together and enable systems to talk to each other.

Marketers place third-party vendors or shadow IT people on web teams to build out connections. The tools range from social listening functions down to integrations with a CMS, and they are built on cloud-based applications with APIs to connect them.

Individual cloud applications with APIs in the middle are not secure because they operate outside of what IT traditionally monitors. In a different survey we did, about 75% of IT security teams said they do not monitor cloud applications and shadow IT applications in security checks.

Individual applications aren’t vulnerable—it's the cracks in between them that cause problems. Think of WordPress: The top 10,000 websites in the US use WordPress as their core contact management system. The open-source product requires constant updates and patches. If marketers regularly keep up that's good, but it’s difficult to chase down the latest patches in complex marketing tech infrastructures.

The Democratic National Committee hack came through an application built to coordinate fundraising, similar to outward-facing consumer applications that marketers work with. The Equifax breach came from a cookie tool that drove traffic to the site. These martech tools are becoming a major vulnerability. Bad guys aren't going after protected apps—they’re going after what isn’t protected or monitored by IT.