The security risks of sharing files and documents over unsanctioned cloud services are well known, but a new survey has found many employees are still using unauthorised services at their workplace – and Australians are among the worst offenders.

Education providers were most likely to use unauthorised cloud services at work, security firm KnowBe4 found in the new report, which surveyed 435,395 online respondents and found 42.8 per cent of education users were using such services.

Such services – typically, cloud services like Dropbox, Box, OneDrive and the like, to which users often sign up for free trials or using their own credit cards – are in widespread use even though they aren’t supported by the company’s IT department.

Construction (35.5 per cent) and government (33.4 per cent) organisations were nearly as likely to use unofficial services, while employees of banking organisations were the least likely – with just 17.7 per cent admitting to doing so, similar to the 20.5 per cent of financial services workers doing the same.

Australians were serial offenders, with 32 per cent of users in Oceania saying using unauthorised cloud services was common practice in their company – making us only slightly better than Asia (32.6 per cent) but worse than North America (27.0 per cent) and Europe (24.8 per cent).

Piracy galore

Interestingly, the survey also measured use of unauthorised file-sharing networks to download copyrighted content – and found a strong correlation between the industries where content piracy was commonplace, and use of shadow IT services.

Similar to the use of shadow IT, content piracy was lowest in the banking (18.5 per cent), insurance (23.1 per cent) and financial services (23.4 per cent) industries and highest in construction (41.0 per cent), education (38.5 per cent), and manufacturing (35.0 per cent).

The correlation between use of unauthorised document-sharing services and illegal downloading – which was particularly prevalent in Asia, where 54.6 per cent of respondents admitted pirating content – suggests that employees used to pirating content are blasé about the security implications of using unsanctioned file-sharing services in the workplace.

“The findings from this research are very concerning because employees are exhibiting insecure behaviours that are putting their organisations at significant risk,” said Kai Roer, chief research officer, KnowBe4, as the new figures were released.

“The concept of shadow IT has a direct impact on the level of security culture exhibited at an organisation,” Roer said. “To combat shadow IT, organisations should focus on strengthening their security culture and increasing employees’ level of security awareness.”

Casting light in the shadows

The security risks of sharing confidential documents using ‘shadow IT’ services – usually software-as-a-service (SaaS) cloud services to which employees often sign up out of convenience or desperation to meet a deadline – are well known.

While the average company estimates that it has around 200 to 300 applications in use, one survey found, employees are actually using an average of 651 different SaaS applications.

Because they are used by employees without any control by or accountability to the company IT organisation, such services pose a significant security risk – and management challenge – because documents can easily escape company security perimeters.

One Forbes analysis found that 21 per cent of organisations had suffered a cyber security incident due to a non-sanctioned IT resource, while 60 per cent of companies don’t even include shadow IT when evaluating their exposure to cyber security threats.

Consistency between use of shadow IT services and file-sharing services within each industry suggests that “certain norms, behaviours or attitudes may be contributing to the normalisation and active use of other unsafe practices,” the KnowBe4 report notes, suggesting that companies hoping to reduce their exposure to shadow IT must also educate employees about the risks of illegal file-sharing services.

“It is especially important,” Roer said, “for employees to understand and take responsibility for how their insecure behaviours can ultimately affect the organisation’s reputation and bottom line.”