“Send it via WeTransfer.”
“I uploaded the files to Dropbox.”
“I'll use FileZilla.”
We’ve all been there, right? Tools like WeTransfer, Dropbox and FileZilla have made a name for themselves globally. Why? They’re popular, easy to use and get the job done. Crucially, they are also familiar: most members of staff not only know them but may use them in their personal lives.
But while convenient, they’re also among the biggest standout examples of Shadow IT in the workplace - and that’s a serious problem for any organisation, of any size, that takes data security, compliance, and control seriously.
What is Shadow IT?
Shadow IT refers to the use of any information technology system, software, hardware, or application on an enterprise network without the approval or knowledge of the business’s IT department.
Often, it stems from good intentions – an employee needs to send a large file, and if official company tools are clunky, limited, or slow, they’ll find their own workaround. And that's exactly when tools like WeTransfer, Dropbox, and FileZilla come into play. They’re free, user-friendly and fast. But the truth is, as soon as someone uses tools outside approved internal channels, you’ve lost visibility, control and governance of your data.
So, what does that really mean for your organisation?
Let’s break it down.
WeTransfer, Dropbox and FileZilla
WeTransfer has been a familiar name in file sharing since its launch in 2009. It’s a platform that’s loved for its “no login required” approach and its simple functionality of drag, drop, and send. But from an IT and compliance perspective, that convenience is exactly the problem.
Files can be sent to anyone, stored on unknown servers, and downloaded multiple times with no audit trail, no access controls, and no ability to revoke a transfer. There’s no end-to-end encryption and no way for IT teams to monitor or manage what’s being shared. For industries bound by strict government regulations, like GDPR, HIPAA, or financial compliance mandates (DORA, SOX2), it’s a ticking time bomb.
Much like WeTransfer, Dropbox is popular for its simplicity. It was originally built in 2007 as a personal cloud storage solution for individuals. Then teams started using it, soon followed by entire departments.
Yes, Dropbox offers business versions, but many employees default to using a personal account to store and share work files, and a personal account doesn’t fall under corporate governance. Essentially, this means your sensitive data may end up sitting in a personal cloud account with no oversight, no DLP policies, and no ability for IT to monitor or audit what's being stored. What’s worse, those shared links can easily be forwarded to external users. Folders can be synced across multiple devices - often unencrypted - making data exfiltration effortless and undetectable.
Dropbox has made strides with Dropbox Business, but unless it's deployed and managed centrally by IT, it quickly becomes another form of Shadow IT. And in many cases, companies aren’t even aware it’s being used.
While Dropbox highlights the risks of unmanaged cloud storage, Shadow IT also hides in more traditional corners of file sharing, like FTP clients. One of the most widely used free FTP tools is FileZilla. Though it’s been a staple for transferring files for years, its use outside secure, monitored environments introduces a whole different set of risks.
And the issue with FileZilla isn’t just the tool itself; it’s how it's used. FTP is inherently insecure. Without proper configuration, files transferred over FTP can be sent in plaintext, making them vulnerable to interception. Saved credentials are a risk too: if a device is lost, stolen, or compromised, attackers can easily access stored server passwords, potentially gaining unauthorised access to systems.
There’s typically no centralised monitoring or audit trail for what files are transferred, who accessed which servers, or whether transfers meet compliance requirements. This insecurity and lack of oversight mean FileZilla, when used unmanaged, becomes a classic example of Shadow IT.
While FileZilla may be fine for personal use or testing in dev environments, it’s not suitable for enterprise-level, compliance-bound file transfers.
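An added example, not from the original article or the FileZilla project: IT can audit a collected copy of a user's FileZilla site list (`sitemanager.xml`) for the two risks described above, entries that can fall back to cleartext FTP and saved passwords that are not protected by a master password. The element names, the protocol codes 0 and 6, and the `encoding` values are assumptions about FileZilla 3's file format; the sample entries are constructed.

```python
import xml.etree.ElementTree as ET

# Protocol codes in FileZilla 3 site entries (assumed from the client's format):
# 0 = FTP (TLS only if the server offers it), 6 = plain FTP only.
CLEARTEXT_CAPABLE = {"0": "FTP, TLS optional", "6": "FTP, plaintext only"}

# Constructed sample in the shape of sitemanager.xml; hosts and users are fake.
SAMPLE = """<FileZilla3><Servers>
<Server><Name>Partner drop</Name><Host>ftp.partner.example</Host><Protocol>6</Protocol>
  <User>acct-upload</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass></Server>
<Folder>Internal
  <Server><Name>Build host</Name><Host>sftp.corp.example</Host><Protocol>1</Protocol>
    <User>deploy</User><Pass encoding="crypt" pubkey="x">placeholder</Pass></Server>
</Folder>
<Server><Name>Vendor mirror</Name><Host>files.vendor.example</Host><Protocol>0</Protocol>
  <User>anonymous</User></Server>
</Servers></FileZilla3>"""


def audit_sitemanager(xml_text):
    """Return one finding per saved site with a transport or credential risk."""
    findings = []
    # iter() also descends into <Folder> groups, so nested sites are covered.
    for server in ET.fromstring(xml_text).iter("Server"):
        issues = []
        proto = (server.findtext("Protocol") or "").strip()
        if proto in CLEARTEXT_CAPABLE:
            issues.append("cleartext transport possible: " + CLEARTEXT_CAPABLE[proto])
        pw = server.find("Pass")
        # "crypt" means a master password protects the entry; base64 or no
        # encoding attribute means the password is recoverable from the file.
        # The value itself is never decoded or reported here.
        if pw is not None and (pw.text or "").strip() and pw.get("encoding") != "crypt":
            issues.append("saved password is recoverable from the file")
        if issues:
            findings.append({"site": (server.findtext("Name") or "").strip(),
                             "host": (server.findtext("Host") or "").strip(),
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_sitemanager(SAMPLE):
        print(f["site"], f["host"], "; ".join(f["issues"]))
```

The findings name the site and host only, so the report can be shared with a service desk without exposing the credentials it flags.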
What ties WeTransfer, Dropbox, and FileZilla together is their ease of use and lack of governance. They’re not inherently bad tools; in fact, they’re great at what they were designed for. But they were never built for secure, compliant, auditable enterprise file transfers.
When employees use these tools without IT’s knowledge, the business and its data are exposed to significant risks. These include potential data breaches from cybercriminals, hackers and bad actors, compliance violations, and loss of intellectual property. In turn, these risks carry serious consequences: costly fines, damaged reputations, and operational disruptions that could have been prevented with proper controls.
WeTransfer Controversy
In 2024, WeTransfer was acquired by Bending Spoons, a company known for aggressively acquiring tech firms, often laying off development teams and prioritising short-term profits over long-term investment in security or product innovation. The acquisition has sparked mixed reactions, and the long-term impact remains to be seen. However, WeTransfer has been making headlines following an announcement on 1st July that it had updated its terms of service with the following clause:
“You hereby grant us a perpetual, worldwide, non-exclusive, royalty-free, transferable, sub-licensable license to use your Content for the purposes of operating, developing, commercializing, and improving the Service or new technologies or services, including to improve performance of machine learning models that enhance our content moderation process in accordance with the Privacy & Cookie Policy.”
This suggested that user content shared via WeTransfer could be used to train AI models. After widespread concern around the safety of files, WeTransfer issued a second statement on 17th July clarifying they currently do not use machine learning or AI to process shared content. However, they admitted the feature had been under consideration for future development - which leaves the door wide open for potential changes down the line.
A closer look at their privacy practices reveals further red flags:
- WeTransfer claims not to sell or rent personal data, but it does share information with service providers.
- Personal information is retained for up to 12 months, after which it is anonymised or pseudonymised - but metadata may still be used for analytics or performance evaluation.
- Download links aren’t password-protected. Anyone with the link can access your files.
- WeTransfer only encrypts data in transit and at rest; it does not offer end-to-end encryption. They cannot control or prevent interception once the link is shared with a third party.
Despite the quick clarification from WeTransfer, the suspicion remains that ownership of users’ work or content isn’t sacrosanct to the WeTransfer owners. It’s a common refrain around free tools or services provided online – if the service is free, your data is what is paying to keep the service running… and with WeTransfer that suspicion is growing.
So, What’s the Alternative?
The solution isn’t banning tools, it’s offering secure, user-friendly alternatives. Managed File Transfer (MFT) platforms were built for this very reason. Secure MFT software solutions are designed to combine the ease and speed users expect with the security, visibility, and compliance controls IT demands. With an MFT solution, organisations get:
- End-to-end encryption
- Role-based access and permission controls
- Comprehensive audit trails and reporting
- Centralised management
- Automation and integration capabilities
Most enterprise-ready MFT tools also come with email modules that allow users to easily share files using their usual email solution – ensuring easy adoption and a seamless uptake.
By implementing an MFT platform, businesses can eliminate the risk of Shadow IT posed by unmanaged tools like WeTransfer, Dropbox, and FileZilla, without sacrificing the convenience that employees rely on.
CEOs, CISOs, IT leaders, and teams need to be aware Shadow IT is a growing threat. It doesn’t often start with malice. It starts with a deadline, a tight budget, or a quick fix. Tools like WeTransfer, Dropbox, and FileZilla might seem the obvious choice at the time, but when used outside IT’s control, they become security liabilities. So next time someone says, “I’ll send it via WeTransfer”, ask yourself – is it worth the risk?
Pro2col’s expert consultants can help you take control with an enterprise-grade Managed File Transfer solution tailored to your organisation’s needs. Whether you’re looking to secure sensitive data, streamline workflows, or explore features like email plugins and audit trails, we’ll show you exactly how it all works. Book a personalised demo today to see the difference a secure, compliant, and fully supported MFT platform can make.
About the Author
As Marketing Manager, Steph is passionate about all things Marketing and is continuously looking to broaden her knowledge in the industry, learn from experts and keep up to date with the latest trends. Steph is a creative and committed member of the marketing team and isn’t afraid of a new challenge. Beyond the office, Steph is an avid adventurer, often exploring somewhere new with her dog and enjoys documenting her trips on her travel blog.


