
Why Employees Bypass Policies: The Psychology Behind Shadow IT

Shadow IT poses major security risks, with 69% of employees bypassing cybersecurity policies. Discover the psychological drivers behind shadow IT adoption, its impact on security, and how organizations can mitigate risks with effective strategies and security awareness programs.


A Gartner survey conducted in May and June 2022 among 1,310 employees found that 69% of employees had bypassed their organization’s cybersecurity guidance in the previous 12 months. In the same survey, 74% of employees said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.

Shadow IT, the use of unauthorized tools and services by employees without the knowledge or approval of the IT department, has become a significant concern for organizations.

To mitigate the risks posed by shadow IT, organizations must first recognize its impact on security and compliance. Learn more about shadow IT and its implications for organizations.

Employees continue to bypass company policies despite understanding the risks associated with shadow IT—including data breaches, ransomware attacks, and compliance violations. To effectively address this challenge, organizations must understand the psychological and organizational factors that drive such behavior.

Why Employees Use Shadow IT Despite Knowing the Risks

Employees continue to rely on shadow IT not because they are unaware of company policies but because practical needs and psychological tendencies drive their decisions. When official tools feel slow, complex, or restrictive, employees look for easier, faster alternatives—even if they aren't approved. This section explores the key reasons shadow IT remains a persistent workplace challenge.

1. Convenience and Productivity Pressure

Employees often resort to shadow IT to meet tight deadlines or improve efficiency. Authorized tools may lack the usability or functionality employees need, leading them to seek alternatives.

Example: A marketing team uses Canva because the organization’s approved design tool is complicated and time-consuming.

2. Lack of Awareness or Understanding

While employees may know that shadow IT is against policy, they might not fully grasp the risks involved. Some underestimate the potential consequences of their actions.

Example: An employee might think, “This tool works perfectly for my tasks—what’s the harm?”

3. Perceived Inadequacy of Official Tools

If employees perceive the organization’s tools as outdated or ineffective, they are more likely to seek unauthorized solutions that better meet their needs.

Example: A developer uses an unapproved code repository because the official system is slow or lacks integration features.

4. Optimism Bias

Employees may believe they are unlikely to face negative consequences for using shadow IT, assuming their actions won’t lead to a breach.

Example: “I’ve used this tool for months without any issues—it’s safe.”

5. Peer Influence and Social Norms

When employees observe colleagues using unauthorized tools without consequences, they may do the same, believing it’s an acceptable practice.

Example: “Everyone on my team uses this app—it must be fine.”

6. Resistance to Bureaucracy

Complex approval processes for new tools can frustrate employees, pushing them to bypass IT entirely.

Example: A team adopts an unapproved project management tool because obtaining approval for a new platform takes weeks.

7. Cognitive Dissonance

Employees may rationalize using shadow IT to resolve the conflict between knowing the risks and continuing the behavior.

Example: “I know it’s against policy, but this tool helps me meet my deadlines.”

The Impact of Shadow IT

The consequences of shadow IT are significant:

  • Cost of Shadow IT: According to Gartner, shadow IT accounts for 30%-40% of IT spending in large enterprises (Source: Quandarycg).
  • Data Breaches: One in three data breaches now involves shadow data, emphasizing how the unchecked use of shadow IT makes it increasingly difficult to monitor and protect sensitive information. On average, data breaches cost businesses USD 4.88 million globally in 2024 (Source: IBM Data Breach Report 2024).
  • Compliance Violations: Shadow IT can lead to violations of regulations like GDPR or HIPAA, resulting in significant fines and reputational damage.
  • Employee Adoption: 80% of company employees use shadow IT for convenience and productivity, believing they can work more efficiently with their personal devices and preferred software rather than the company’s approved IT resources. This widespread use highlights the growing challenge of balancing flexibility with security (Source: Forbes).

How Keepnet Helps to Manage Shadow IT Risks by Embedding Secure Behaviors

Keepnet offers tailored solutions to address shadow IT risks by embedding secure behaviors into organizational workflows and leveraging advanced technologies to minimize vulnerabilities. Here's how Keepnet supports organizations in managing shadow IT risks effectively:

1. Unified Human Risk Management Platform

Keepnet's integrated platform provides a centralized approach to addressing shadow IT by targeting human risk factors and offering:

  • Tailored training modules focused on shadow IT risks.
  • Comprehensive awareness programs to encourage secure practices.
  • Tools to identify and mitigate risky behaviors across teams.

Learn more about how Keepnet’s Unified Human Risk Management Platform can enhance security and compliance.

2. Adaptive Security Awareness Training

Keepnet’s security awareness training programs are designed to educate employees on the risks of shadow IT, emphasizing compliance with organizational policies. These training programs adapt to specific employee behaviors and are reinforced through:

  • Contextual learning to highlight the impact of shadow IT.
  • Real-world examples and case studies.

To build a more security-conscious workforce and proactively mitigate risks, check out Keepnet's Security Awareness Training.

3. Phishing and Risk Simulations

Simulations replicate real-world scenarios to teach employees how to recognize and mitigate risks associated with shadow IT. Employees gain immediate feedback to reinforce secure practices, such as:

  • Identifying unauthorized tools and applications.
  • Understanding the link between shadow IT and phishing attacks.

To strengthen your organization’s defense against phishing threats and unauthorized technology use, explore Keepnet's Phishing Simulations, which provide hands-on learning experiences and real-time risk assessment.

4. Behavioral Analytics and Reporting

Keepnet provides advanced behavioral analytics to monitor and report employee behaviors related to shadow IT. The platform offers actionable insights, allowing organizations to:

  • Identify high-risk users and teams.
  • Develop targeted interventions to address recurring issues.
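To make the "identify high-risk users and teams" step concrete, here is an added example of how shadow IT discovery is typically done from web-proxy logs. It is not Keepnet's code and does not describe the Keepnet platform; it assumes a constructed, simplified proxy log format (timestamp, user, department, destination host, bytes sent) and a hypothetical allowlist of sanctioned SaaS domains. Every destination that does not match the allowlist is treated as unsanctioned, and users and departments are then ranked by the number of distinct unsanctioned services and the volume of data sent to them:

```python
"""Shadow IT discovery from web-proxy logs (illustrative, added example).

Assumptions: a constructed log format "ts user dept host bytes_out" and a
hypothetical allowlist of sanctioned SaaS domains. Neither is Keepnet's.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice marketing canva.com 2048000
2024-05-01T09:05:42Z alice marketing app.slack.com 1024
2024-05-01T09:07:00Z bob engineering github.com 512000
2024-05-01T09:10:31Z bob engineering gitlab.example-unsanctioned.com 9000000
2024-05-01T09:12:05Z carol marketing drive.google.com 4096
2024-05-01T09:15:44Z dave finance wetransfer.com 15000000
2024-05-01T09:16:12Z dave finance dropbox.com 300000
2024-05-01T09:20:00Z erin engineering api.openai.com 70000
"""

# Hypothetical allowlist of sanctioned services. Matching is done on domain
# suffixes so that subdomains such as app.slack.com are covered.
SANCTIONED = {"slack.com", "google.com", "github.com", "microsoft.com"}


@dataclass
class Record:
    ts: str
    user: str
    dept: str
    host: str
    bytes_out: int


def parse_log(text):
    """Parse the constructed log format into Record objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, dept, host, bytes_out = line.split()
        records.append(Record(ts, user, dept, host.lower(), int(bytes_out)))
    return records


def is_sanctioned(host, allowlist=SANCTIONED):
    """True if the host or any parent domain of it is on the allowlist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def unsanctioned_usage(records, allowlist=SANCTIONED):
    """Return {user: {host: total_bytes_out}} for hosts not on the allowlist."""
    usage = defaultdict(lambda: defaultdict(int))
    for r in records:
        if not is_sanctioned(r.host, allowlist):
            usage[r.user][r.host] += r.bytes_out
    return {user: dict(hosts) for user, hosts in usage.items()}


def risk_ranking(records, allowlist=SANCTIONED):
    """Rank users by (distinct unsanctioned services, bytes sent), highest first."""
    usage = unsanctioned_usage(records, allowlist)
    scored = [(user, len(hosts), sum(hosts.values())) for user, hosts in usage.items()]
    return sorted(scored, key=lambda t: (t[1], t[2]), reverse=True)


def department_ranking(records, allowlist=SANCTIONED):
    """Aggregate distinct unsanctioned services per department, highest first."""
    dept_of = {r.user: r.dept for r in records}
    totals = defaultdict(int)
    for user, n_services, _ in risk_ranking(records, allowlist):
        totals[dept_of[user]] += n_services
    # Sort by count descending, then by name so the order is deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, n, volume in risk_ranking(recs):
        print(f"{user:8s} unsanctioned services={n} bytes_out={volume}")
    for dept, n in department_ranking(recs):
        print(f"{dept:12s} unsanctioned services={n}")
```

The allowlist approach is deliberate: a denylist of "known bad" apps can never keep up with new SaaS tools, whereas anything outside the sanctioned set is at least worth a conversation with the user. The ranking is a starting point for the targeted interventions mentioned above, not a verdict; a single large upload to an unsanctioned file-sharing service usually warrants a faster follow-up than many small requests to a niche productivity app.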

To measure the impact of security training and ensure continuous improvement, organizations should track key performance indicators. Discover Keepnet's guide on key metrics for evaluating security awareness efforts to enhance your cybersecurity strategy.

5. Incident Response Automation

Keepnet automates the response to shadow IT incidents, reducing the impact of unauthorized tools and services. The platform enables organizations to:

  • Block unauthorized applications in real time.
  • Implement automated workflows to secure exposed systems.

Explore Keepnet Incident Responder for fast, automated threat mitigation.

6. Continuous Engagement with Gamification

Keepnet uses gamification to maintain employee engagement with security programs, fostering a culture of compliance and awareness. Features include:

  • Interactive challenges and leaderboards.
  • Rewards for employees who report unauthorized tool usage or adhere to security protocols.

Organizations can enhance participation and reinforce positive cybersecurity behaviors by integrating gamification into security awareness training. Discover how gamification strengthens security awareness training and keeps employees engaged in learning.

Addressing Shadow IT with Keepnet

Keepnet empowers organizations to address shadow IT risks by combining education, monitoring, and automation. By embedding secure behaviors and providing actionable insights, Keepnet ensures employees actively participate in maintaining organizational security.

Through tailored training, real-time monitoring, and continuous engagement, Keepnet helps organizations:

  • Minimize risks associated with unauthorized tools.
  • Foster a security-first culture.
  • Enhance compliance and reduce operational vulnerabilities.

Conclusion

Shadow IT remains a critical challenge for organizations, driven by convenience, lack of awareness, and gaps in approved tools. Keepnet Human Risk Management Platform offers a comprehensive solution by embedding secure behaviors and equipping organizations with the tools to manage these risks effectively. With Keepnet, organizations can mitigate shadow IT risks and build a more secure, resilient workplace.

However, technology alone isn’t enough—fostering a strong security culture is key to long-term success. By integrating a Security Behavior and Culture Program (SBCP), organizations can drive sustainable behavioral change and reduce security risks at their core. Learn more about how an SBCP helps organizations build a proactive security mindset.
