Security Awareness — Shadow IT & Unapproved Tools
The Company’s Approved File-Sharing Tool Is Slow, Clunky, and Barely Anyone Uses It. An Employee Uses Personal Dropbox Instead — Only for Non-Sensitive Files, Only When Working Fast. “Everyone Does This.” Does That Make It Acceptable?
A real Shadow IT and unapproved tool compliance scenario — with three decision options and the right answer.
Quick Answer
Is using a personal cloud storage tool for work files acceptable when the files are “non-sensitive” and the employee is careful about which ones they share?
No, for two reasons that the employee’s self-assessment cannot address. First, “non-sensitive” is not a determination that the employee is qualified to make alone. Data classification is an organizational function: files that appear routine may contain metadata, client identifiers, or embedded references that make them sensitive in ways the employee doesn’t recognize. Second, the risk of Shadow IT isn’t only in individual files — it’s in the organizational visibility gap it creates. Files on an unapproved personal tool cannot be monitored, backed up, protected against the employee’s departure, or included in litigation holds. The convenience is real. The risk is structural.
The Situation
A project manager at a professional services company has been using a personal Dropbox account to share project files with external clients for the past 8 months. The company’s approved file-sharing tool — a licensed enterprise platform — works but is noticeably slower, requires a separate login for each session, and has a clunkier interface than clients are used to. Three colleagues on her team do the same thing. The files she shares are working documents: meeting agendas, draft deliverables, project timelines. She has made a personal judgment that none of them contains anything confidential.
During a routine IT security review, the practice is flagged. The IT security team points out that the personal Dropbox accounts are outside the company’s data loss prevention monitoring, are not subject to the company’s data retention and litigation hold procedures, and are sharing files with external parties whose data-handling practices are unknown. The project manager says she was only sharing “normal project stuff” and that everyone does it.
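How a review like this one typically surfaces the practice is worth showing concretely. The following is an added example, not Xcelus code and not something the page describes: a small Python check that reads web proxy log lines and flags uploads to known consumer cloud-storage services that are not on the organization's sanctioned list, then totals the volume per user. The log format, the sanctioned domain (`files.example-corp.com`), the list of consumer services, the 64 KiB upload threshold and the sample log lines are all assumptions constructed for illustration.

```python
"""
Spotting unsanctioned cloud-storage uploads in web proxy logs.

Added example for this page; not Xcelus code. The log format, the
sanctioned-domain list, the consumer-service list and the sample lines
are assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed: the company's approved file-sharing platform lives on this domain.
SANCTIONED_DOMAINS = {"files.example-corp.com"}

# Assumed: consumer cloud-storage services IT has not approved for work files.
KNOWN_CLOUD_STORAGE = {
    "dropbox.com", "content.dropboxapi.com", "drive.google.com",
    "onedrive.live.com", "wetransfer.com", "box.com",
}

# Assumed proxy log format, one request per line:
# <ISO timestamp> <user> <src_ip> <method> <host> <path> <status> <bytes_out>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<bytes_out>\d+)$"
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z pmanager 10.20.1.15 POST content.dropboxapi.com /2/files/upload 200 2483112
2024-05-01T09:05:40Z pmanager 10.20.1.15 GET www.dropbox.com /home 200 0
2024-05-01T09:07:03Z analyst1 10.20.1.22 PUT files.example-corp.com /api/v1/upload 201 981120
2024-05-01T09:10:55Z pmanager 10.20.1.15 POST content.dropboxapi.com /2/files/upload 200 1398220
2024-05-01T09:12:19Z designer 10.20.1.31 POST wetransfer.com /api/v4/transfers 200 51200
2024-05-01T09:15:00Z analyst1 10.20.1.22 GET drive.google.com /drive/my-drive 200 0
"""


def base_domain(host):
    """Reduce a hostname to its last two labels. Adequate for the sample
    domains above; production code would consult the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def is_upload(method, bytes_out):
    """Treat a request as an upload when it pushes a meaningful body outward.
    The 64 KiB threshold is an assumption that filters out form posts."""
    return method in ("POST", "PUT", "PATCH") and bytes_out >= 64 * 1024


def flag_unsanctioned_uploads(log_text, sanctioned=SANCTIONED_DOMAINS):
    """Return one finding per upload to a known cloud-storage service that is
    not in the sanctioned list. Lines that do not match the format are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m["host"].lower()
        if host in sanctioned or base_domain(host) in sanctioned:
            continue
        if host not in KNOWN_CLOUD_STORAGE and base_domain(host) not in KNOWN_CLOUD_STORAGE:
            continue
        if not is_upload(m["method"], int(m["bytes_out"])):
            continue
        findings.append({"ts": m["ts"], "user": m["user"], "host": host,
                         "bytes_out": int(m["bytes_out"])})
    return findings


def summarize_by_user(findings):
    """Aggregate findings per user so a reviewer sees who is doing this and
    how much data has left through channels outside DLP and retention."""
    summary = defaultdict(lambda: {"uploads": 0, "bytes_out": 0, "hosts": set()})
    for f in findings:
        s = summary[f["user"]]
        s["uploads"] += 1
        s["bytes_out"] += f["bytes_out"]
        s["hosts"].add(f["host"])
    return dict(summary)


if __name__ == "__main__":
    for user, s in summarize_by_user(flag_unsanctioned_uploads(SAMPLE_LOG)).items():
        print(f"{user}: {s['uploads']} uploads, {s['bytes_out']} bytes to {sorted(s['hosts'])}")
```

On the constructed sample the check attributes two uploads to `pmanager`, both to the Dropbox content API, while the upload to the sanctioned platform and the browse-only requests to Dropbox and Google Drive are ignored. The point of the per-user summary is the one the review above makes: once a second and third colleague show up in it, the finding is a team practice, not an individual lapse.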
What Should the Employee Do When She Recognizes the Approved Tool Is Inadequate?
Choice A: Continue using personal Dropbox with her own judgment about which files are sensitive. The company’s approved tool is genuinely inadequate, and clients prefer the format she’s using. If it were a real problem, IT would have flagged it sooner.
Choice B: Stop using the personal tool immediately and report the approved tool’s shortcomings to IT — documenting what’s not working, why it creates friction with clients, and what a better solution would look like. Use only the approved tool until IT can assess and address the gap.
Choice C: Ask her manager informally if it’s okay — if the manager says it’s fine, she’s covered. The manager’s approval makes it an organizational decision rather than a personal one.
The Right Call
Choice B — Stop using the personal tool and report the approved tool’s shortcomings to IT.
Choice A is the violation regardless of how it feels. Eight months of Shadow IT use doesn’t make it acceptable — it makes it a larger audit finding. Choice C is a common and understandable instinct: if the manager approves it, it becomes legitimate. But a manager without IT security authority cannot authorize use of personal cloud storage for work files — that authorization requires a security assessment the manager is not qualified to conduct. The manager’s informal “that’s fine” is not IT approval and provides no protection. Choice B is the harder short-term path and the one that actually fixes the problem: IT now has a documented case to improve the approved tool, and the employee is no longer carrying personal liability for an unapproved data-handling practice.
Why This Is Harder Than It Looks
“Non-sensitive” is a data classification determination — not a personal judgment call.
Meeting agendas contain attendee names, organizational structures, and project relationships. Draft deliverables contain client business information, financial projections, or strategic plans. Project timelines reveal resourcing, budgets, and competitive positioning. Files that appear routine are often sensitive in ways that require organizational data classification standards to assess properly — standards the employee hasn’t applied and may not be aware of. The self-assessment “it’s just normal project stuff” is not data classification.
The risk of Shadow IT is organizational, not just file-level.
Even if every file shared through personal Dropbox were genuinely non-sensitive, the practice creates organizational risk: the company cannot monitor data leaving the environment, cannot include personal account content in litigation holds, cannot wipe files when the employee leaves, and cannot enforce data retention policies. Those aren’t file-by-file risks. They are structural gaps that exist regardless of what any individual file contains.
“Everyone does it” is the normalization rationalization — and it’s the one that lets Shadow IT spread across entire teams.
Three colleagues on the team do the same thing. That means IT now has four employees with the same finding, eight months of undocumented data handling, and an unknown number of client contacts who have received company files through personal accounts. Normalization within a team doesn’t reduce the organizational risk — it multiplies it.
Frequently Asked Questions
What is Shadow IT and why is it a compliance concern?
Shadow IT refers to technology systems, tools, software, or cloud services used within an organization without explicit IT approval. It is a compliance concern because unapproved tools fall outside the organization’s data security monitoring, data retention policies, litigation hold procedures, and vendor risk management controls. Shadow IT is one of the most common sources of data breach exposure in organizations — not because the tools are malicious but because the data handled through them is invisible to the organization’s security infrastructure.
Can an employee’s manager authorize use of an unapproved tool?
Generally no — unless the manager has specific IT security authority that extends to tool authorization. Most managers can authorize work activities within their functional scope, but data handling and tool adoption decisions require IT security assessment and approval processes that sit outside managerial authority. A manager’s informal approval provides operational cover but not security authorization — and does not protect the employee or the organization from the data handling risks the unapproved tool creates.
What should an employee do when the approved tool doesn’t meet their legitimate work needs?
Report the gap to IT through the appropriate channel — documenting what isn’t working, what the client or workflow need is, and what an acceptable solution would look like. Continue using the approved tool until IT has assessed and addressed the gap. Shadow IT typically expands because employees find workarounds rather than reporting approved tool inadequacies. The report is the mechanism that drives tool improvement — and it protects the employee from personal liability for data handling practices that the organization hasn’t authorized.
How to Use This Scenario in Training
Recommended for all employees — this scenario is most effective when delivered before a Shadow IT audit rather than after. Most employees are genuinely unaware that their judgment about file sensitivity is not a substitute for organizational data classification. The scenario is also effective at the manager level for building awareness of why informal tool approvals create rather than resolve compliance exposure.
This scenario demonstrates the normalization rationalization from the Decision Readiness Engine™ — “everyone does this” — which allows Shadow IT to spread from one employee to an entire team. Decision-ready employees recognize that common practice is not the same as authorized practice — and that reporting a tool gap is the action that protects both them and the organization.
More Security Awareness Scenarios
The AI tool makes her more productive. It’s not on the approved list. The policy doesn’t mention it.
A colleague’s behavior pattern concerns you. Each element is explainable. Together, they fit something worse.
Want Security Awareness Scenarios in Your Program?
Xcelus builds scenario-based security awareness training covering Shadow IT, unapproved tools, data handling, and the human behaviors that create organizational security risk.
© 2005–2026 Xcelus LLC. All rights reserved.