Shadow IT and Zero Trust Strategy for Enterprise Security

The Transfer Files Podcast Episode 5

As organisations scale and adopt new technologies, Shadow IT is becoming harder to control - introducing hidden risks across data, compliance, and operations. At the same time, Zero Trust is gaining traction as a smarter, more resilient approach to security. In this episode of The Transfer Files, James and Steph are joined by returning guest Dave Hendley, Head of Technical at Pro2col, to explore how these trends intersect and what it means for modern cybersecurity strategies.

Shadow IT is expanding rapidly, driven by unsanctioned file sharing tools, creating hidden and unmanaged data transfer and compliance risks across organisations. At the same time, Zero Trust is becoming a strategic priority across enterprises globally, with CIOs, CISOs, and executive leaders now paying closer attention to cyber risk and operational resilience.

Episode five breaks down why Shadow IT continues to grow, how legacy file transfer methods like FTP amplify risk, and why Zero Trust principles are now essential for securing data flows, supply chains, and third-party relationships.

Watch the full episode below and, in case you missed episode four, catch up on the in-depth discussion on the Enterprise Maturity Model for MFT - a practical, hands-on framework that organisations can actually use to assess where they stand today, compare themselves against industry benchmarks, and identify clear, actionable steps for improvement.


Download the Zero Trust Approach for Data Transfer Whitepaper

Download the Zero Trust Approach for Data Transfer whitepaper discussed in this episode to explore how the concepts can be applied in practice to reduce Shadow IT risk and strengthen data security.


Episode Transcript

Welcome to the 5th episode of The Transfer Files, the podcast where we talk all things file transfer, security, automation, supply chain, and more. My name is Steph Johnson, and in this episode, James and I will be joined by returning guest, Dave Hendley, to talk shadow IT, the dangers of it, and how a zero trust approach can secure your setup. It's going to be a good one. Enjoy.

Welcome back, Dave. James, as always, but welcome back to the podcast, Dave. We didn't get you your way. Shadow IT today, because that is, of course, the subject. How are we doing?

Very good. Plenty of caffeine today.

I know. Finally. Thankfully.

How are you?

I'm very well, thank you. I got in a dog walk.

How is Moose?

He's very well, thank you.

Moose is Steph's dog. If the viewers didn't know, slightly famous, slightly famous dog, Moose the Cockapoo, check out Instagram. Right, we probably should move on. It's about shadow IT. Is Moose involved in shadow IT?

We'll get into today's subject, which is, of course, shadow IT. I think it's going to be an interesting one, obviously, from a personal perspective, before working for Pro2col and in my previous jobs, I didn't think twice about how I sent files. I didn't think twice about the security of it. It just kind of went over my head. And obviously now working in the IT and tech space, that has completely changed definitely my view of it. So in terms of where should we start with this, I think a good place would be to understand what shadow IT is. James, I'll come to you for that. What's shadow IT?

Oh, I thought I was going to slippy shoulder this one to Dave.

I'm happy to take it on.

Go on, Dave.

I mean, it's not just about MFT when it comes to shadow IT. Basically, to put it in a nutshell, it's software and technology used by a company that hasn't been signed off, that hasn't been approved, that hasn't necessarily gone through that vetting process to make sure it's secure and supported. And so many pieces of software out there can come bundled with things like spyware and malware that can, in effect, compromise the security of your network systems. And your data, most importantly.

And in terms of the most common shadow IT tools, I mean, in my past experience, I've used things like WeTransfer. Is that a bad one? I don't use it now. I don't use it at Pro2col. Thank God.

I should hope not. It serves a purpose and, you know, if you're a marketer and you're sending brand assets around, and we're not talking about Nike's brand assets, then using WeTransfer could be quite appropriate. But yeah, it's certainly shadow IT and it certainly would be frowned upon if you're sending personal medical data using WeTransfer.

So one thing we've seen recently, WhatsApp. That's something that we see recently. WhatsApp, it's really easy for a team to utilise WhatsApp via like a web browser, for example. So that's probably a massive, massive one that's seen very frequently as part of Shadow IT.

Do you know I hadn't thought about that.

Yeah, you know, copying and pasting data accidentally into WhatsApp on a web browser, right? AI, yeah, AI, things like that. So AI is a massive, massive part of Shadow IT these days. People typing in information into these sort of ChatGPT or Copilot or something like that, they're getting for free. I think it's very, very, very wise to think if you are not paying for the product, you are the product. I think that's a pretty well-known phrase there. So, yeah, that's dangerous of it.

It comes back to that example I used in a previous episode about Dropbox, where, as I mentioned, an internationally renowned publisher based in London, very, very much in the economy space, shall we say, and there are 8 terabytes of data that were proliferating the whole of the Dropbox network, but weren't paid for accounts. Therefore, Dropbox owned the data. They were the customer. So yeah, crazy. Interestingly, not wanting to go down that WhatsApp route too far, but WhatsApp's now got AI plugged into it.

I feel like everything is getting AI plugged into it.

Yeah, it's reading all of your messages now. So yeah. Interesting.

In the MFT space, I think FileZilla is on a lot of systems out there. FileZilla is being used to transfer files or to run tests with partners, things like that. WinSCP, you know, there's so many, so many ways in which people are utilising these tools to share sensitive information. And it's totally unrecorded, totally goes under the radar to the people that actually make the decisions about network security and data security within a company.

Interesting. Going back to your point as well about that WhatsApp and how AI is built in, it also suggests the responses that you should go back with. I'm slightly concerned of what's going to happen to the human brain.

But you can't even Google these days without getting an AI answer, can you?

Like, yeah, creativity is, yeah, I'm concerned for it. So, Dropbox, that's probably considered a shadow IT tool.

Hundred percent, yeah.

Unless it's been approved.

Yeah, that's a different matter.

What about something like FileZilla?

Yeah, as Dave mentioned, client and server. Well, server, not so much, but client, anybody can download a piece of software and run it from their laptop if, you know, the correct security processes aren't in place to stop and restrict it. I use a Mac, so probably cyber or something else. An alternative FTP client.

I think IT departments are probably one of the biggest issues in companies when it comes to shadow IT as well, because too often they'll have maybe slightly more access to run these tools on their systems. They'll have administrator accounts, things like that. They go, I'll quickly whack this tool on there, because it's something like Notepad++, just an enhanced version of Notepad that they find much easier to do logs with, for example. Yeah, they'll have the ability to do that, but not the rest of their company, maybe.

So what kind of dangers are we looking at?

I think, well, Dave alluded to it from a file transfer perspective: you have no visibility of what's going in and out of your organisation. And then how long is a piece of string in terms of the danger? If you don't know who is sending what, to whom, when, then you're in a world of pain. It could be financial results. So let's say you're a publicly traded company. It could well be that somebody in a finance function is sending the financial results of the organisation out to another person, nefariously or otherwise, which are going to affect the stock prices in the future, which would then be deemed insider trading, all sorts of pain that would come along with that. And that's just one example.

ISO is probably another really good one as well. You know, we've had, in our past particularly, should we say, comprehensive ISO auditors come to us. We have our approved software list, right? And we also have software in our company that will alert us of any software that has been newly installed onto devices. However, if we were to fail that and the auditor were to see that we've got software installed that we haven't approved on one, two, three devices, well, we're not managing our approvals properly. We're not, we're giving people too much access to their systems that could cause a breach, could cause a data loss. And therefore it could cost us our accreditation and our customers, right, that we have to have that accreditation for. And that's true to say probably for most businesses out there these days. I think a lot of the large enterprises, they have to have ISO 27001 to trade with their partners.

It's about securing that supply chain message again, making sure that the people that you're working with take security, cyber security as seriously as they do. So yeah, it's quite a serious position.

Have you seen where customers have come to you with a basic FTP deployment, for example, where their use case has grown, but they've never ripped out their FTP deployment? So actually, have they then got a case on their hands that's posing a serious risk?

It all depends on how much that FTP solution has been vetted by a member of the team that can verify its security. For example, you know, I think FileZilla actually had a fairly major issue recently with an infiltration, a vulnerability that was found. So it's about making sure that FTP solution is regularly monitored and controlled by the team. But yes is the short answer to that. We find that people come to us and they'll get this MFT solution, which does everything that they need it to. And it's got audited logging. We've got all of the right security in place. But they still try and utilise the shadow IT, right? It's the path of least resistance for a lot of people. And they're always going to take it. They always take that path. So it's about the teams, them internally controlling what access people have to their systems to be able to utilise these pieces of software that are run unsupported.

And to give that a different twist, you know, it's very easy, certainly for us internally, to manage what software can be installed; that's a given. It's then what systems are you able to access on the internet that you may well be able to make use of, for nefarious activities or otherwise, just trying to do your job. So WeTransfer would be one of those URLs or IP ranges that you would block, potentially Dropbox the same, and others that exist online. The challenge there is that it might not be quite so easy to know what all of those tools are. And it could also potentially be a situation where somebody could spin something up on their own servers that they could connect to and just push data out to. So it's a big old challenge. Trying to stay ahead of the curve.

I saw just this weekend a customer needed to get access to, needed to download a file to one of their servers, their company servers. Their servers didn't have access to the internet, not full access to the internet. It was blocking a lot of HTTPS traffic or scanning a lot of the HTTPS traffic. So he downloaded the file to his home server and then SSHed into his home server. Just opened the ports to that, right? This is what we're talking about when we say shadow IT. What else has he got on that server? He could just pull it into the systems. So yeah.

As you say, it's a big risk. And I guess to combat it, there is a term that I have been hearing a lot about lately, and that is zero trust. And not just because I have been working closely with your team on a white paper.

You've been speaking to my wife. That's another podcast.

But zero trust. And I, again, open to who wants to take this, but can you tell me what is zero trust?

I guess in broadest terms, zero trust is taking a position literally of zero trust. You want to be in a position where you don't trust anybody or anything, and you want to, certainly from a file transfer point of view, you want to start with the basics, that are wanting to know exactly who you're transferring files with, for what purpose? Where are they located? What are the business processes? And there are lots of different features that are contained within the software that can continue to lock it down and lock it down and lock it down even further.

I was going to say that brings me to my next question in terms of file transfer and a solution. What does that look like when you're setting up a solution? Is it kind of the encryption, the HA, the logging, the monitoring? All that kind of thing.

Not the HA, but I think if you were to, I guess in terms of industries that really take this to the nth degree, probably look at banking.

Financial, definitely.

Yeah.

Medical.

Yeah. So you would consider locking down the IP addresses you're delivering to. That's an easy one. Or accepting incoming connections from. You might even go so far as to create a VPN between you and them. But we also have customers, both historical and current, that will have a leased line. So a private internet connection between the two companies to be able to move data over. And at that point, you are off the internet. You remove all, almost pretty much without exception, all opportunities for somebody to sort of hack into your systems. We'd be here all day talking about all of the specific features.

Centralised authentication, right? That's a big one. Audit, audit logging, tamper-proof databases and audit logging, I think is another huge one. You've just got at the end of the day, look at if the worst were to happen, how would we prevent it, first of all, but also how would we be able to report it to an authority of some sort, right? So that's where the logging and monitoring comes in.

Yeah. And like you say, we could be here all day. You could do a lot.

We could do that. Keeps me out of the office.

Yeah, I mean, there's a lot of features, and I guess there's a segue to the case study, isn't there? It's the case study, the white paper that we're producing.

Well, we would have produced, it will be out. Yeah, the white paper is out.

I've read it 10 times.

You can do a shameless plug if you want.

Shameless plug. Please download the white paper.

We will put a link in the description to download that Zero Trust white paper.

Yeah, and just to put that into some context, though, it will give, I guess, probably the right person would be an enterprise architect that would want to really look at this. And so this makes the assumption that somebody has one of these tools in place. And they might be in a highly regulated industry or they might just be conscious that they've got very sensitive data that's traversing their systems to their suppliers or in their supply chain. And really it just gives them, in a similar way to the maturity model that we also have, a way to ratchet up the security levels for the system that they've got. Not a maturity of the solution, but really tying down how that supply chain is secured, how their specific system is secured, so they aren't the weakest link in the supply chain. Definitely a good read.

Those peripheral technologies are included in that white paper as well. It's how the MFT is getting out to the outside world or used internally.

Nice. That leads me to my final question, which is someone watching or listening to this and they're concerned about shadow IT in their organisation and looking to adopt a zero trust approach and start making actions, what would be your one key piece of advice for them to take away from today?

Read the white paper. I was thinking that.

Well, no, I was hoping that Dave would come up with that.

Happy to start it.

Go for it, go for it.

I'd say look at your, basically do an audit of your data and how you are authenticating users with access to that data. Say your user groups, for example, that you utilise to manage access to that data. That would be my one thing. Audit your data and the people that can access it.

Anything to add?

I would be saying, from the point of view of the context of file transfer, given that this is a file transfer blog, I would...

It's a podcast, not a blog.

Given this is the file transfer podcast, got it right that time. I'd be looking through, I'd be speaking to the network administrative people that are responsible for the firewalls, going, guys, what are people connecting to that is external to this organisation, that might be X, Y, or Z for shifting data into and out of a business? Most firewalls these days are going to be able to classify the different types of shadow IT tools that are available on the internet that people can connect to. So a lot of that will be locked down anyway, but I guess it's a conversation to have with your network security, would be my starting point.

And mine would be, don't wait for an incident before making this a priority, because by then it's too late.

Sound advice there, Steph. Sound advice.

Join the technical team, practically.

Maybe. Baby steps, baby steps. So that is my, that's all I have for today. Unless you have anything else, we can wrap up episode 5. And as always, a very big thank you to our audience for tuning in. We hope you enjoyed today's discussion. As always, if you have questions or would like to speak to our team, we'll make sure to leave our contact details below. And there is a link to the security white paper as well. Thank you very much, and we'll see you in the next episode.