Shadow Entities: The Hidden Threat in Your Corporate Structure

As organizations expand and adopt new technologies, so does the pervasiveness of shadow IT: the unseen and unmanaged tools and services operating outside a security team’s control. This challenge is widely acknowledged by IT and security professionals. What receives far less attention are shadow entities, the subsidiaries and business units that companies don’t know they own.

These unknown entities often bring with them an extensive, uncharted ecosystem of applications, services, and digital infrastructure. The result is an ever-growing challenge, even for the most security-focused enterprises, to maintain visibility over their exposed assets.

A recent study involving over 2,000 cybersecurity leaders found that 74% had experienced security incidents resulting from assets that were unknown or unmanaged. And yet only 43% of the respondents to that same survey were using dedicated tools to proactively manage risk across their attack surface, and over 55% had no processes in place to do so continuously.

The first step in protecting these assets is gaining a clear picture of a company’s organizational structure: in other words, mapping out all of the shadow entities that exist within the corporate structure.

The Corporate Hierarchy Puzzle: Prior Acquisitions

Mergers can bring organizations multiple strategic advantages, from accelerated growth and cost efficiencies to a stronger competitive edge. When large enterprises pursue acquisitions, the acquired companies are often sizable organizations themselves, which can amplify these potential benefits. However, beneath the surface lies a critical challenge: fully understanding the true scope and structure of the acquired business.

On paper, an acquisition may look straightforward, but in many cases the acquired business has itself made other acquisitions in the past, resulting in a complex corporate hierarchy with multiple subsidiaries, business units, and operating companies. Suddenly, the “one” acquisition is actually an ecosystem of five, ten, or even twenty distinct entities, each with its own infrastructure, security posture, and risk profile.

During mergers and acquisitions, businesses may be given a high-level view of the acquired company’s structure, but the accuracy and completeness of that picture are often uncertain. While enterprises may believe they understand what they own, many subsidiaries go unnoticed over time and become shadow entities. As a result, the organizational dynamics of mergers and acquisitions create the perfect conditions for shadow IT to proliferate.
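To make the hierarchy puzzle concrete, here is an added illustration written for this post; it is not SixMap’s discovery process or code. It assumes you have ownership records as (parent, subsidiary) pairs, such as those assembled from corporate filings, and the list of operating companies the parent publicly declares. A breadth-first walk over the ownership graph yields every transitively owned entity, subtracting the declared list leaves the shadow entities, and a join against an asset inventory shows which internet-facing assets those entities bring along. All company names, ownership records, and domains below are constructed.

```python
"""Reconcile a declared subsidiary list against ownership records.

Added example, not SixMap's process or code. Every name, record and domain
here is constructed for illustration.
"""
from collections import deque

# Constructed ownership records: (parent, subsidiary). Fictional names.
OWNERSHIP_RECORDS = [
    ("Acme Holdings", "Acme Biotech"),
    ("Acme Holdings", "Acme Diagnostics"),
    ("Acme Biotech", "GenePath Labs"),           # bought by Acme Biotech before the merger
    ("GenePath Labs", "GenePath Europe GmbH"),   # GenePath's own earlier acquisition
    ("GenePath Labs", "Sequenza Analytics"),
    ("Acme Diagnostics", "DiagnoCloud Inc"),
    ("DiagnoCloud Inc", "DiagnoCloud Portal LLC"),
    ("DiagnoCloud Portal LLC", "DiagnoCloud Inc"),  # cross-holding: the walk must not loop
    ("Unrelated Corp", "Other Subsidiary"),      # not under Acme; must not be picked up
]

# What the parent company publicly lists as its operating companies (constructed).
DECLARED = {"Acme Biotech", "Acme Diagnostics", "GenePath Labs"}

# Constructed asset inventory keyed by owning entity (domains only, fictional).
ASSETS = {
    "Acme Biotech": ["acme-biotech.example"],
    "GenePath Europe GmbH": ["genepath-eu.example", "legacy-portal.genepath-eu.example"],
    "Sequenza Analytics": ["sequenza.example"],
    "DiagnoCloud Portal LLC": ["portal.diagnocloud.example"],
}


def build_graph(records):
    """Adjacency list: parent -> list of directly owned subsidiaries."""
    graph = {}
    for parent, child in records:
        graph.setdefault(parent, []).append(child)
    return graph


def discover_entities(root, records):
    """Every entity reachable from root through ownership edges, excluding root.

    Breadth-first search with a visited set, so cross-holdings (cycles) terminate.
    """
    graph = build_graph(records)
    seen = set()
    queue = deque([root])
    while queue:
        entity = queue.popleft()
        for child in graph.get(entity, []):
            if child != root and child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def shadow_entities(root, records, declared):
    """Transitively owned entities that the declared list does not mention."""
    return discover_entities(root, records) - set(declared)


def shadow_assets(root, records, declared, assets):
    """Inventory assets that sit under undeclared entities, keyed by entity."""
    return {
        entity: list(assets[entity])
        for entity in sorted(shadow_entities(root, records, declared))
        if entity in assets
    }


def report(root, records, declared, assets):
    """Summary a security team can act on: counts plus the concrete gaps."""
    discovered = discover_entities(root, records)
    shadows = shadow_entities(root, records, declared)
    return {
        "declared": len(set(declared)),
        "discovered": len(discovered),
        "shadow_entities": sorted(shadows),
        "shadow_assets": shadow_assets(root, records, declared, assets),
    }


if __name__ == "__main__":
    summary = report("Acme Holdings", OWNERSHIP_RECORDS, DECLARED, ASSETS)
    print(f"declared: {summary['declared']}, discovered: {summary['discovered']}")
    for entity in summary["shadow_entities"]:
        print(f"shadow entity: {entity}")
    for entity, domains in summary["shadow_assets"].items():
        print(f"  {entity}: {', '.join(domains)}")
```

The visited set is what keeps the walk honest: real ownership graphs contain cross-holdings and joint ventures, and a naive recursion over them never terminates. The output is the list a security team actually needs, namely the entities that are theirs but absent from the declared structure, together with the assets attributable to those entities that nobody is currently inventorying.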

Mergers & Acquisitions: Inheriting Unknown Risk & Limited Communication Flows

Mergers and acquisitions don’t just combine businesses; they also combine risks, bringing along all of the unknown assets and entities. This challenge is heightened by the fact that security teams are rarely given complete visibility or documentation of the acquired organization’s digital infrastructure. While certain teams, such as Governance, Risk, and Compliance, might participate in due diligence, others learn about acquisitions only after deals close, if they’re informed at all. Even when a security team is informed, it may not receive the asset inventory necessary to understand the digital footprint of the company being acquired.

In some cases, a company may retain key personnel through an acquisition; however, an incomplete transfer of knowledge can still introduce security gaps or system vulnerabilities. These risks are heightened when documentation is outdated, roles and responsibilities are unclear, or teams are expected to manage unfamiliar systems under tight timelines.

As a result, visibility into the full asset landscape can be difficult to achieve during periods of transition. The security team may be inheriting risks (old marketing websites, legacy servers, and other outdated infrastructure that was supposed to be decommissioned but never was) without being informed of the vulnerable assets it is now responsible for protecting.

Security Vulnerabilities Often Caused By Lack Of Awareness

Protection begins with awareness of what is owned. As the number of undiscovered assets grows, so too does the attack surface, amplifying any existing gaps and blind spots in an organization’s security posture. Any entity that remains undiscovered also remains unmanaged, which can introduce significant downstream security risks. When an organization is unaware of the entities it owns, it also loses visibility into the digital footprint of those entities. Without this visibility, exposures go undetected and the likelihood of a breach increases.

The Change Healthcare breach that occurred in 2024 is a prime example of what can happen when a system is caught in organizational limbo between two companies’ security frameworks.

UnitedHealth had acquired Change Healthcare in 2022, inheriting its legal and digital infrastructure. The integration process for an acquisition of this size can take years to unfold, and in this instance a legacy web portal from Change Healthcare remained operational while still running under the acquired company’s older security standards.

The portal lacked multi-factor authentication (MFA), a basic control mandated by UnitedHealth’s corporate security policies but not yet implemented across all newly acquired systems, creating a gap that attackers were able to exploit. CEO Andrew Witty acknowledged this vulnerability in testimony to Congress, stating, “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. But for some reason, which we continue to investigate, this particular server did not have MFA on it.” 

How SixMap Bridges the Gaps and Finds the Unknowns

While there are various automated tools and data sources that can assist in identifying an organization’s corporate structure, achieving the level of accuracy needed to reduce or eliminate the risk of shadow entities requires continuous, comprehensive discovery and a holistic approach that leaves no gaps.

SixMap utilizes a unique and thorough research process when mapping a company’s organizational structure that helps to close these gaps in knowledge and awareness. By combining advanced automation with tailored mapping techniques developed through years of experience, plus human review from a team of experts, we build a comprehensive and highly accurate view of any organization’s structure and digital assets. Through SixMap’s unique enumeration generation process, on average we uncover almost 20% more IPv4 addresses, plus an additional 3% more domains, IPv6 addresses, prefixes, and ASNs. In total, SixMap finds approximately 25% more digital assets on average for a large organization.

SixMap’s discovery process also produces significant visibility into corporate structure. Recently, SixMap mapped, researched, and assessed a large conglomerate in the life sciences and biotechnology industry. While the company publicly listed exactly 18 operating companies, SixMap’s methodology revealed over 900 distinct entities, an increase of more than 5000%. By providing a larger and more accurate view of the company’s structure, SixMap gives security teams an understanding of their own organization: what digital assets it owns, which teams are responsible for them, and what risks are exposed to the internet.

Get in touch with the SixMap team to learn more about your organization’s structure and entities.