The Covid-19 pandemic has brought to light a series of behaviours that arose at the same time as the advent of IT: more and more employees are installing software on their work computers that they should not be installing. The most common examples are services such as Dropbox, Google Drive, WhatsApp, Slack, Trello or Asana.
According to Productiv.com’s 2024 findings, . That’s roughly 78 of the 187 applications used on average by businesses across their client network.
- 65% of employees open emails from unknown sources on their work devices.
- 61% send sensitive information via unencrypted email.
- And above all, 93% recognised that these actions would increase the risks to the company, said the benchmark report published by Gartner.
In other words, employees know perfectly well that they are doing what they shouldn’t. “The number of incidents related to policy violations has increased, and the number of incidents related to unapproved hardware or software highlights the significant problem of shadow IT’s presence in corporate networks. We saw this trend from 2020 during the covid-related containments and it seems to have continued,” say Orange’s cyberdefence experts in the new version of their Security Navigator (2025). “In discussions with our customers, IT security managers seem to agree with this observation, citing their concerns about shadow IT and describing their main risk as internal. The IT security department was often identified as the department of ‘no,’ processes and strict governance. Users operating under the radar, as these statistics show, demonstrate a persistent lack of awareness of cybercrime.”
Internal and external threats equal
According to the report, the internal threat (47.35%) is almost equal to the external threat (47.61%), with another point raised by the experts: misuse. Whilst giving themselves access to new solutions, users are not taking the time to understand how to protect themselves, putting their company data or even their IT systems at risk.
- over security.
- from the IT department.
- .
A study carried out in 2024 by Gartner revealed that shadow IT accounts for 30 to 40% of IT spending in large companies, representing millions of dollars in unnecessary expenditure for many businesses. The cost of shadow IT-related cyber attacks averages $4.2m per incident. $34bn in wasted licences are generated each year between the US and the UK as a result of unused shadow IT software.
And artificial intelligence doesn’t necessarily help: according to a study that is now somewhat dated and is not included in the Orange report, 70% of employees of large groups, often very digital ones, use ChatGPT without IT even being aware of it.
AIDA: attention, interest, desire, action
A year earlier, Orange had already warned of a third phenomenon: as companies become more digital, IT is moving away from the expert unit within the company towards the traditional business units, which want to have software to do this or to do that, without the company necessarily having a global and instantaneous picture of everything that goes on within it.
Against a global backdrop of a shortage of cybersecurity talent, Gartner, on which the telecoms operator relies, argues that cyber judgement (the ability of employees to make informed decisions about cyber risk on their own) is a more effective solution, enabling companies to work with a minimum of effective expertise. Companies that have implemented this concept have seen their exposure to risk decrease by two times and their speed of deployment of new technologies increase by 2.2 times.
Why are Orange’s figures more interesting than the figures themselves? Because a whole range of players are proposing solutions to reduce the shadow IT footprint in companies, providing a kind of gateway to solutions outside the company.
. This is a scheme in which the ‘D’ is very important, because it evokes a ‘co-creation’ of the company’s IT security, based on the feelings of end-users and in conjunction with IT experts. Without the end user, no rule will ever be followed well enough in this area.
This article was originally published in .