Nearly three-quarters (73%) of cybersecurity professionals have used unauthorized applications, including AI, in the past year, according to a new survey from Next DLP.
The security vendor surveyed 250 security professionals at the recent Infosecurity Europe and RSA Conference industry events in the UK and US respectively.
Its findings reveal that a majority of industry professionals are not practicing what they preach when it comes to shadow IT.
Most respondents acknowledged that data loss (65%), lack of visibility and control (62%), and data breaches (52%) were the top risks associated with using unauthorized tools. According to the study, one in ten admitted that using shadow SaaS and AI tools had led to a data breach.
The use of AI has been singled out by many IT security teams as a potential security risk. Half of respondents said it was restricted to specific roles in the organization, and nearly a fifth (16%) banned it altogether. A further 46% said they had tools and policies in place to control employees’ use of generative AI.
However, in general, Next DLP found that IT teams are not proactive enough in managing employee use of potentially risky applications. Specifically:
- Only 37% of security professionals said they have developed policies for the use of these tools
- In the last six months, only half of them have received updated guidance and policies on shadow SaaS and AI
- A fifth said they never received policies/guidelines on shadow SaaS and AI
- One-fifth of respondents were unaware of company policies or training to mitigate shadow IT risks
It’s time to develop a Shadow IT plan
“There is clearly a disparity between employee confidence in using these unauthorized tools and the organization’s ability to defend against the risks,” argued Next DLP’s security leader, Chris Denbigh-White.
“Security teams should assess the extent of SaaS and AI usage, identify commonly used tools, and provide vetted alternatives. This will help mitigate potential risks and ensure trust is earned and not misplaced.”
The challenge of shadow computing has grown to the point that the UK’s National Cyber Security Centre (NCSC) published guidance in 2023 on how to manage it.
About 11% of organizations that experienced cybersecurity incidents between 2021 and 2023 linked their experience to the use of shadow IT, according to Kaspersky.