"We just use the tools we like, IT doesn’t need to know."
COMPANY
Sector: Consulting
Size: 60 employees
Location: Wallonia
FACTS & FIGURES
15 out of 60 users were affected
Protection efforts: None
Business Impact: Data leakage and compliance issues
STORY
At a mid-sized consulting firm in Wallonia, employees had grown frustrated with what they saw as slow, outdated IT tools. To be more productive, teams began using free cloud platforms for file sharing, messaging, and even handling client contracts. These tools worked well, until an external partner flagged that sensitive project data was accessible on a public link. IT had no visibility, no control, and no way to remediate the exposure quickly.
INCIDENT OVERVIEW
Shadow IT describes the use of IT systems, devices, software, applications, and services without explicit IT department approval. While often adopted for efficiency, it creates unmanaged risks. In this case, employees used unapproved file-sharing services. When access permissions were misconfigured, sensitive documents became publicly accessible. Without monitoring or centralized management, these risks accumulated without the knowledge of IT or management.
BUSINESS IMPACT
Exposure of confidential client data
Non-compliance with GDPR and contractual obligations
Reputational damage and loss of client trust
Increased operational costs due to incident response and audits
SECURITY MEASURES
Below are some recommendations to mitigate the risks and enforce secure configurations:
Educate staff on risks linked to unapproved applications
Implement a formal policy for software approval and procurement
Use CASB (Cloud Access Security Broker) or M365/Defender monitoring to detect shadow IT
Restrict the use of external storage platforms via firewall and endpoint security policies
Provide modern, secure, and user-friendly alternatives through IT-approved platforms
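The CASB-style discovery step described above, as an added example that is not part of the original case study: it classifies outbound web-proxy traffic by destination app, drops everything on the IT-approved list, and summarises who is using unsanctioned file-sharing and messaging services and how much data is being uploaded to them. The app catalogue, the approved-app list, the log format and all log lines are constructed sample data for illustration.

```python
"""Shadow IT discovery from web-proxy logs (added example, not the case study's own tooling)."""
from collections import defaultdict
import re

# Constructed catalogue: domain suffix -> (app name, category). A real CASB ships
# a catalogue of thousands of apps; these entries are illustrative only.
APP_CATALOGUE = {
    "sharepoint.com": ("Microsoft 365", "file sharing"),
    "teams.microsoft.com": ("Microsoft Teams", "messaging"),
    "freeshare.example": ("FreeShare", "file sharing"),
    "quickchat.example": ("QuickChat", "messaging"),
    "signdocs.example": ("SignDocs", "e-signature"),
}
# Apps IT has approved (assumption for this example).
SANCTIONED_APPS = {"Microsoft 365", "Microsoft Teams"}

# Constructed proxy log format: "<timestamp> <user> <method> <host> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Constructed sample log lines.
SAMPLE_LOGS = [
    "2024-05-02T09:01:00Z alice PUT upload.freeshare.example 5242880",
    "2024-05-02T09:02:10Z bob GET contoso.sharepoint.com 1200",
    "2024-05-02T09:05:33Z carol POST api.quickchat.example 800",
    "2024-05-02T09:07:45Z alice POST api.quickchat.example 300",
    "2024-05-02T09:10:02Z dave PUT upload.signdocs.example 204800",
    "2024-05-02T09:12:00Z erin GET news.example.org 5000",
]

def classify_host(host):
    """Map a destination host to (app, category); unknown hosts are not flagged."""
    for suffix, meta in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return meta
    return ("unknown", "unknown")

def discover_shadow_it(log_lines):
    """Return {app: {category, users, bytes_out}} for unsanctioned apps only.
    bytes_out counts upload-style requests (POST/PUT), i.e. data leaving the company."""
    findings = defaultdict(lambda: {"category": "", "users": set(), "bytes_out": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the report
        _ts, user, method, host, bytes_out = m.groups()
        app, category = classify_host(host)
        if app == "unknown" or app in SANCTIONED_APPS:
            continue
        entry = findings[app]
        entry["category"] = category
        entry["users"].add(user)
        if method in ("POST", "PUT"):
            entry["bytes_out"] += int(bytes_out)
    return dict(findings)

if __name__ == "__main__":
    for app, f in sorted(discover_shadow_it(SAMPLE_LOGS).items()):
        print(f"{app} ({f['category']}): {len(f['users'])} user(s), {f['bytes_out']} bytes uploaded")
```

Ranking the output by number of users and upload volume is what turns a raw log into the "15 out of 60 users" figure a firm like this one needs before it can prioritise remediation.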
RESOURCES
ENISA – Shadow IT Risks and Mitigation
Microsoft – Managing Shadow IT with Defender for Cloud Apps
CCB – Cloud Security Guidance