The Shadow IT Paradox

Why Even Security Pros Are Using Unsanctioned Apps and AI

In a surprising revelation, a recent study by Next DLP has uncovered that a staggering 73% of cybersecurity professionals have used unsanctioned apps, including AI tools, in the past year. This finding, also based on interviews with 250 security pros at major industry events, highlights a significant disconnect between security best practices and actual behavior.

Key Findings:

* 73% of security professionals used unauthorized apps in the past year

* 65% acknowledge data loss as a top risk of shadow IT

* 10% admit that shadow IT led to a data breach

* Only 37% have developed policies for using these tools

* 20% were unaware of corporate policies or training to mitigate shadow IT risk

The Paradox: It's ironic that those tasked with protecting organizational data are themselves contributing to potential security risks. This raises an important question:

Why do employees, even security-conscious ones, turn to shadow IT and AI solutions?

Common Reasons for Shadow IT Usage:

  • Productivity Needs: Employees often seek tools that help them work more efficiently. When official channels don't provide the necessary solutions, they may turn to unauthorized alternatives.
  • Ease of Access: Cloud-based SaaS applications are easily accessible and often free to use, making them tempting for quick problem-solving.
  • Familiarity: Employees might prefer tools they've used before or find more user-friendly than company-approved options.
  • Innovation Drive: In rapidly evolving fields like AI, professionals may experiment with cutting-edge tools to stay ahead, even if not yet sanctioned by their organization.
  • Bureaucratic Hurdles: Long approval processes for new tools can drive employees to find immediate solutions outside official channels.
  • Lack of Awareness: Insufficient communication about available tools or unclear policies can lead to unintentional use of shadow IT.
  • Personal Preference: Some employees simply prefer certain tools and may use them out of habit or comfort.

The first step is to raise awareness of the issue. Educate your employees about the risks of shadow IT and the importance of using sanctioned tools. You should also provide them with the training they need to use these tools effectively.

In addition to education, you should take steps to make your sanctioned tools more user-friendly. If your employees find that the sanctioned tools are easy to use and meet their needs, they will be less likely to resort to shadow IT.

Finally, you should create a culture of open communication where employees feel comfortable coming to you with their concerns about sanctioned tools. If employees know that they can raise issues without fear of reprisal, they will be more likely to do so.

By understanding the motivations behind shadow IT use, companies can develop more effective strategies to manage this risk while still meeting the needs of their workforce.

What's your experience with shadow IT in your organization? How do you balance security needs with employee tool preferences?

