Lone Forland
04 Mar 2026

Why Your Best Employees Are Your Biggest Risk

The Shadow IT Trap

I often see a recurring pattern: the most dedicated employees are often the ones creating the biggest security risks. They aren't trying to cause trouble; they are just trying to do their jobs.

Take "Sarah," a project manager I recently spoke with. She needed to get a crucial proposal to a client before a 5:00 PM deadline. She tried to attach the file, but her email client stopped her: "Attachment exceeds 25 MB." The company’s approved secure transfer tool was tucked behind a VPN she hadn't accessed in months.

Sarah didn't have time for a password reset or a technical hurdle. She uploaded the file to her personal Dropbox, sent the link, and beat the deadline. The client was happy, but Sarah had unknowingly moved sensitive corporate data into an invisible silo, completely outside the organisation’s security controls.

This is exactly the kind of Knowledge–Action Gap we explore in our latest research.

Download the whitepaper “Bridging the Knowledge–Action Gap” to understand why security knowledge rarely translates into secure behaviour.

Malice is Rare, Pragmatism is Constant

When we conducted our 2025 survey of 2,000 Nordic employees, the data confirmed what I see in the classroom: 28.3% admit to using unapproved software or AI tools.

As a GRC professional, I recognise this as a "Shadow IT" problem: a massive blind spot in which the IT department loses control of the attack surface. When data lives in unmonitored personal accounts, GDPR compliance becomes impossible to verify. You cannot protect—or audit—what you cannot see. But I also see it as a cry for better tools.

Learn how the NorthGRC Awareness Module helps organisations strengthen their security culture.

From Prohibition to Partnership

I recently interviewed behavioural designer Casper Danholt Iuul, who pointed out something vital: we must avoid long lists of prohibitions. A culture of "No" only drives Shadow IT further underground. If our security policies ignore the reality of a busy workday, people won't change their needs; they’ll just change their tools without telling us.

The Path Forward: From Friction to Flow

  1. Investigate the "Why": If a third of your team is using Shadow IT, your official tools are likely failing them. In my experience, a "friction audit" is more effective than a reprimand. If the secure path is too difficult, people will always choose the fast path.
  2. Request feedback: I always encourage shifting the conversation from "Don't use this" to "How can we make this secure?" If employees feel they can suggest new tools without a bureaucratic headache, they’ll keep you in the loop.
  3. Contextualise the Risk: Don't just talk about "company policy." I find that explaining how Shadow IT puts their specific work and reputation at risk makes the lesson stick. When the risk feels personal, the secure choice feels like the easiest choice.

Compliance isn't about building a wall; it’s about building a better road. When the secure path is also the most efficient one, Shadow IT disappears on its own.

Download the whitepaper “Bridging the Knowledge–Action Gap” to learn how organisations can align policy, behaviour, and leadership to build real cyber resilience.