For years, IT departments have been railing about the dangers of shadow IT and bring-your-own-device. The worry is that these unauthorized practices bring risks to corporate systems, introducing new vulnerabilities and increasing the attack surface.\nThat may be true, but it\u2019s not the whole story. As I\u2019ve long argued, shadow IT may increase risks, but it can also cut costs, boost productivity and speed innovation. That\u2019s why users are often so eager to circumvent what they see as slow and conservative IT departments by adopting increasingly powerful and affordable consumer and cloud-based alternatives, with or without the blessing of the powers that be. Just as important, there\u2019s plenty of evidence of that enlightened IT departments should work to leverage those new approaches to serve their internal customers in a more agile manner.\n\nShadow IoT takes shadow IT to the next level\nSo far so good. But this reasoning emphatically does not carry over to the emerging practice of shadow IoT, which has become a growing concern in the last year or so. Basically, we are talking about when people in your organization add internet-connected devices (or worse, entire IoT networks!) without IT\u2019s knowledge.\nThose renegades are likely seeking the same speed and flexibility that drove shadow IT, but they are taking a far bigger risk for a much smaller reward. Shadow IoT takes shadow IT to another level, with the potential for many more devices as well as new types of devices and use cases, not to mention the addition of wholly new networks and technologies.\nWhy shadow IoT is worse than shadow IT\nAccording to a 2018 report from 802 Secure, \u201cIoT introduces new operating systems, protocols and wireless frequencies. Companies that rely on legacy security technologies are blind to this rampant IoT threat. Organizations need to broaden their view into these invisible devices and networks to identify rogue IoT devices on the network, visibility into shadow-IoT networks, and detection of nearby threats such as drones and spy cameras.\u201d\nThe report noted that all of the organizations surveyed had rogue consumer IoT wireless devices on their enterprise networks, and nine out of 10 had shadow IoT\/IIoT wireless networks, defined as \u201cundetected company-deployed wireless networks separate from the enterprise infrastructure.\u201d\nSimilarly, a 2018 Infoblox report found that a third of companies have more than 1,000 shadow-IoT devices connected to their networks on a typical day, including fitness trackers, digital assistants, smart TVs, smart appliances and gaming consoles. (And yes, Infoblox is talking about enterprise networks.)\nIt gets worse. Many of these consumer IoT devices don\u2019t even try to be secure. And, per Microsoft, criminal and state-sponsored actors are already weaponizing these devices and networks (both shadow and IT-approved), as shown by the Mirai botnet and many others.\nOne more thing: Unlike cloud and consumer shadow IT, shadow IoT implementations often don\u2019t provide additional levels of speed, agility or usability, meaning that organizations are not getting much benefit in exchange for the heightened risks. But that doesn\u2019t seem to be stopping people from using them on corporate networks.\nSecurity basics\nFortunately, protecting your organization from shadow IoT isn\u2019t so different from security best practices for other threats, including shadow IT.\nEducation: Make sure your team is aware of the threat and try to get their buy-in on key IOT policies and security measures. According to that 802 Secure report, \u201c88 percent of IT leaders in the US and UK believed they had an effective policy in place for mitigating security risks from connected devices. But a full 24 percent of employees represented in the survey said they did not even know such policies existed, while a bare 20 percent of the people who professed knowledge of these policies actually abided by them.\u201d Sure, you\u2019ll never get 100 percent participation, but people can\u2019t follow a policy they don\u2019t know exists.\nAssimilation: Create policies to let team members easily connect their IoT devices and networks to the enterprise network with the IT department\u2019s approval and support. It\u2019s extra work, and some folks will inevitably go rogue anyway, but the more devices you know about, the better.\nIsolation: Set up separate networks so you can support approved and shadow IoT devices while protecting your core corporate networks as much as possible.\nMonitoring: Make regular checks of connected devices and networks, and proactively search for unknown devices on all your networks.